Closed pr0b3r7 closed 2 years ago
Hello @pr0b3r7, and thanks for the info. Hoaxshell can generate several payload variations according to the user-provided command line arguments. From the small part of the decoded command that is visible in the second screenshot you provided, it seems that you used hoaxshell's https payload without providing a trusted certificate. This particular payload is kind of a red flag, as it begins with an additional block of code that instructs PowerShell to skip SSL certificate checks, which makes it suspicious and easy to detect. Does the simple, http-based payload produce the same alerts?
When showcasing detection cases it would be much clearer to also provide the command used to generate the payload that got detected.
My initial objective with hoaxshell was to not get caught by (classic) Defender and mainstream commercial AVs so that I can play harder CTF machines and use it in penetration tests. After some tests I noticed that it does well in hardened environments with Endpoint protection and decided to make it public. The "currently undetected by Microsoft Defender" claim is for signature-based detection as well because it was tested and worked against in the past, although I don't expect it to last. To be honest, I expect to archive this project soon.
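The comment above makes a defender-relevant point: a payload that first disables TLS certificate validation and then calls out over HTTPS is easy to flag from PowerShell script block logging alone. The following is an added example of that detection logic, not code from hoaxshell or from anyone in this thread. The log lines are constructed (modelled on the ScriptBlockText field of PowerShell Event ID 4104) and the indicator patterns are assumptions about common PowerShell certificate-bypass idioms; the thread itself does not show which construct hoaxshell's https payload uses.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample script-block texts (not hoaxshell's real payload).
SAMPLE_SCRIPT_BLOCKS = [
    # benign: package list fetched over HTTPS with normal validation
    "Invoke-WebRequest -Uri https://packages.example.internal/list.json -OutFile C:\\temp\\list.json",
    # suspicious: validation callback overridden, then an outbound request
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; "
    "$r = Invoke-WebRequest -Uri https://10.0.0.5:443/",
    # suspicious: PowerShell 6+ switch that disables certificate checks
    "Invoke-RestMethod -Uri https://10.0.0.5/c -SkipCertificateCheck",
    # benign: unrelated admin script
    "Get-ChildItem -Path C:\\Users -Recurse | Measure-Object",
    # lower confidence: bypass present but no web call in the same block
    "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}",
]

# Assumed certificate-bypass idioms (pattern, human-readable reason).
CERT_BYPASS_PATTERNS = [
    (r"ServerCertificateValidationCallback", "ServicePointManager validation callback overridden"),
    (r"-SkipCertificateCheck\b", "SkipCertificateCheck switch used"),
    (r"ICertificatePolicy|CheckValidationResult", "custom ICertificatePolicy installed"),
]

# Outbound web cmdlets/classes whose presence in the same block raises severity.
WEB_CALL_PATTERN = r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|HttpClient"


@dataclass
class Finding:
    index: int       # position of the script block in the input list
    severity: str    # "high" when bypass and web call co-occur, else "medium"
    reason: str
    snippet: str     # leading part of the offending block, for the alert body


def scan_script_blocks(blocks: List[str]) -> List[Finding]:
    """Return one Finding per script block that disables TLS validation."""
    findings = []
    for i, text in enumerate(blocks):
        for pattern, reason in CERT_BYPASS_PATTERNS:
            if re.search(pattern, text, re.IGNORECASE):
                severity = "high" if re.search(WEB_CALL_PATTERN, text, re.IGNORECASE) else "medium"
                findings.append(Finding(i, severity, reason, text[:80]))
                break  # one finding per block is enough for alerting
    return findings


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{f.severity}] block {f.index}: {f.reason} :: {f.snippet}")
```

The co-occurrence check is what keeps this usable: a bypass idiom alone appears in some legitimate internal tooling against self-signed services, so it is scored lower, while bypass plus an outbound request in the same block is the combination the comment above describes and is scored high.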
Hi @t3l3machus - thank you for the thoughtful response and providing a solution to obtain the desired result - it was very helpful! I have had the chance to test again today and you were right, it was not detected... At all.
I will test more extensively, and hopefully document all results and provide them to you once they're ready. I am very interested in your project and it is presenting a great opportunity for me to learn new things.
Thank you for your patience and congratulations on the great project!
@pr0b3r7 glad to hear it worked and thank you for testing it! This was really helpful :) I invite you to share similar information in the future, if you come across AV solutions that detect hoaxshell or the opposite.
Sentinel Alert: 'A command in PowerShell was executed by a suspicious process. PowerShell is often used by attackers to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace. An attacker might be executing commands in the system.'
Alerts are on behavior according to Defender 365
Is the undetectable claim for signature based detection?
Thank you