How to bypass Windows Defender with Custom C++ .EXE Payload Loader (Meterpreter Reverse Shell)

Captions
Hello all, welcome back to another video. For this video we will be walking through how we can bypass the latest Windows Defender with C++. As shown on the screen, we will be using this GitHub repository and making use of the source code available in this project. In this project there are a lot of useful references, and we'll be showing how we can make use of them to bypass Windows Defender. On my channel there's a playlist specifically on bypassing Windows Defender. Most of it will not work anymore: whenever a tool or technique gets publicized like this, Windows Defender will be quick to pick it up and build detection around it to prevent it from working. The goal of sharing all of this knowledge and tools is to create awareness, and hopefully you will be able to build your own custom loader that can bypass Windows Defender. There are many useful references shown in this playlist, so be sure to check them out. This is one of them, in C#. All right, let's get back to the video.

As shown on the screen, this is our Windows 10 machine. It is fully updated, all of the features and protections are turned on, and there are no exclusions configured. This will be our target Windows 10 machine that we will be testing our payload on. The very first project is just a simple loader which will execute shellcode in memory directly. This is very typical: it uses VirtualAlloc to allocate some memory, then it will move the shellcode into the memory, following which it will use VirtualProtect to change the memory permissions to execute and read. Initially it is only read and write, because you only need to move the shellcode into the memory space, but since we are going to execute the shellcode it is necessary to change the permission to allow execution, and subsequently the shellcode in memory will then be executed. This is the standard process injection technique. So let's copy the code and paste it over to our Kali machine.

Let's generate a TCP reverse shell using msfvenom. This is the byte array that is generated, and we will need to paste it into the source code. We will need to change the name of the variable as well to match the rest of the source code, so let's change it to payload. We are going to compile the C++ code on our Kali machine. It will be cross-compilation, and we can use the MinGW compiler to do so. We will need to change the windows.h include from capital to lower case, and this should fix the error. Awesome, now we have the .exe payload file. Let's transfer it over to our Windows 10 machine and see if it works. This should definitely trigger a detection because there is raw shellcode in the source code itself. As expected, Windows Defender was able to pick it up.

Let's hop over to our Kali machine and modify the code. Let's clear out the payload and set it to something non-malicious, then recompile the source code again. As shown on the screen, there is no detection now. What this means is that the process injection technique used in the source code is fine; it is not detected by Microsoft Defender. However, the msfvenom-generated payload is being detected. Let's remove the getchar function so that it will not wait for user input, recompile it again and transfer it to our Windows 10 machine. Okay, so it works: we are able to transfer the file and execute it. So the technique used for the process injection is definitely okay; it's just that the payload is being detected.

Now let's take a look at another project available in this GitHub project. There is this founder shellcode.cpp, and basically what it does is create a Windows socket and fetch a payload remotely from an HTTP server, instead of having the payload hard-coded into the source code of the program. Since we already have a working process injection technique from the simple loader source code, we will only need the function that will help us download the payload file remotely from a server. So this is the Get Shell Code Run function. Let's copy the Get Shell Code Run function and place it into our source code file. We will also need to include all of the necessary header files as well as the libraries, so let's copy and paste all the necessary lines into our code. We will also need to copy the main function: the main function will execute the Get Shell Code Run function, and our original main function we will need to copy all of it and paste it into the part where it will execute the shellcode. So this is the Run Shell Code function. We don't need this Run Shell Code function; we will use our original process injection technique that we have verified is not detected by Windows Defender. Let's replace the Run Shell Code function with our own process injection technique instead. The receive buffer is our payload variable, so let's change all of our payload variables to match the receive buffer variable name. What this means is that our program will now fetch the payload remotely from an HTTP server directly into memory and execute it, instead of having the payload as a byte array in the source code file directly.

Let's give it a try. It seems that we are missing the default buffer length definition; we should be able to fix this error by including it, so let's do that. Let's check out this error. It seems that we are missing some compilation flags to include the socket library in the program; let's do that. All right, we managed to fix the error. There are only warnings now, which we can just disregard. We are able to generate our template.exe payload file now. Let's transfer it over to our Windows machine and see if it works. As shown on the screen, there is no detection from Windows Defender, and we are able to execute the template payload file as well.

Now let's generate our payload file. We will need to output the payload generated by msfvenom into a file; let's name it beacon.bin. Let's set up the listener on port 8443. We will also need to set up a web server so that our template payload file can download the beacon.bin payload file from the web server. We can do it with Python; let's execute it. We will need to specify the web server port, which is 8000, as well as the name of the payload file, which is beacon.bin. As shown on the screen, we are able to successfully get a reverse shell with Windows Defender all turned on. This is pretty impressive: we are able to bypass Windows Defender by making use of publicly available source code and mixing it together. Oh no, after executing some commands it seems that Windows Defender is able to pick it up. This is very likely because we are using a reverse TCP shellcode instead of an encrypted HTTPS payload.

We can try and bypass this detection by making use of an HTTPS payload instead. This means that the traffic sent and received by the reverse shell will be encrypted instead, which will very likely help to bypass Windows Defender. Let's try and do that. We can generate an HTTPS encrypted payload file with msfvenom. Let's execute msfconsole and set the payload to the Meterpreter HTTPS encrypted payload. As shown in the advanced options, we should be able to set our HandlerSSLCert to something custom. One problem with using the Meterpreter reverse HTTPS payload is that the default Metasploit web server that is started by this payload is heavily signatured by Windows Defender. One way that we can bypass this detection is to create our own self-signed SSL certificate and use that instead of the default Metasploit SSL certificate. It should be quite straightforward to create our own SSL certificate. We are able to create our own SSL certificate now. Let's set our Meterpreter payload to use our own self-created certificate instead of the default Metasploit one; this should be able to help us bypass detection. We will also need to set the stager to verify the SSL certificate; we can set it to true. We are now using our own self-signed, self-created SSL certificate instead of the default Metasploit certificate. When we are generating the payload with msfvenom, we will also need to specify the HandlerSSLCert option as well as the StagerVerifySSLCert option.

We will need to make some changes to our source code and recompile it so that the checksum of the file will be different, since Microsoft Windows Defender was able to pick it up previously. All right, now let's recompile it and transfer the template .exe file over to our Windows machine. Now let's try and execute our Meterpreter reverse HTTPS payload file. Weird, that didn't work. Oh no, there is a typo: it should be port 8000 instead of 8443, because that is where our Python web server is running, hosting the beacon.bin payload file. Let's execute it again. Awesome, we are able to get a working Meterpreter reverse shell. This is great. As shown on the screen, there is no detection on our Windows Defender. We are also able to perform a quick scan to verify that it is indeed bypassing Windows Defender completely. Now the moment of truth: let's execute some commands to see if it works. Awesome, we are able to execute the getuid command, and we can see that this is indeed a functional Meterpreter reverse shell. This is great. Let's hop over to our Windows 10 machine: there are still no detections and no alerts. We have successfully bypassed Windows Defender, obtaining a Meterpreter reverse shell. This is possible by using publicly available references as well as creating our own self-signed SSL certificate used by the Meterpreter reverse HTTPS payload.

All of the references used in this video will be provided in the video's description, so be sure to check it out. It is highly recommended to go through the references; you should be able to build your own custom bypass by mixing the files and maybe even creating your own function within the source code. I hope you all have enjoyed the video. Please help to like the video and subscribe to the channel; it will really help out the channel a lot. Thanks all, I will see you all soon in the next video. Bye.
Info

Channel: Gemini Cyber Security
Views: 9,890
Id: 4ntO_9kk23E
Length: 12min 11sec (731 seconds)
Published: Sun May 14 2023