Recently I was working on some research and realized that XOR/AES-encrypted self-payloads for a Meterpreter shell are detected by Defender. So, to bypass this, different tweaking was required. Now, we all know that the functions below:
VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread() are very much required and are the most monitored functions by any AV, even when calling them at runtime, as Defender will directly inject all its payloads at every suspicious location (say, encrypted memory locations here) at the beginning, at the end of calling it, and wherever Defender likes.
Therefore, the tweaking was like this:
i) Calling the functions as strings defining the WINAPI modules,
ii) Then defining the functions by directly calling a fresh Kernel32.dll,
iii) Now, store the array of these strings in an encrypted form and then define it like a pointer from the heap to the stored payload.
And now run the malware, and it has bypassed the meterpreter completely. Also, to verify this, I attached it to the most privileged process, "Explorer.exe".
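From the defender's side, the part of this write-up that is still visible is the last step: a remote thread created in Explorer.exe whose start address lives in freshly allocated memory rather than in a loaded module. The following is an added example (not from the original post) that scores constructed Sysmon Event ID 8 (CreateRemoteThread) records on exactly those traits; the field names follow Sysmon's Event 8 schema, the events and the threshold are assumptions.

```python
# Added detection example: triage Sysmon Event ID 8 (CreateRemoteThread) records.
# Sample events below are constructed for illustration, not captured telemetry.

SENSITIVE_TARGETS = {"explorer.exe", "lsass.exe", "winlogon.exe", "svchost.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

SAMPLE_EVENTS = [
    # Unsigned user-land binary starting a thread in explorer.exe at an address
    # that Sysmon could not map to any module (typical of VirtualAllocEx-backed code).
    {"SourceImage": "C:\\Users\\lab\\Desktop\\demo.exe", "TargetImage": "C:\\Windows\\explorer.exe",
     "StartAddress": "0x000001F3A2B40000", "StartModule": "", "StartFunction": ""},
    # Benign-looking: system binary, start address inside ntdll.dll.
    {"SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\explorer.exe",
     "StartAddress": "0x00007FFB12345678", "StartModule": "C:\\Windows\\System32\\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    # User tool touching another user process, but the thread starts in a real module.
    {"SourceImage": "C:\\Users\\lab\\tools\\editor.exe", "TargetImage": "C:\\Users\\lab\\notes.exe",
     "StartAddress": "0x0000000140001000", "StartModule": "C:\\Windows\\System32\\kernel32.dll",
     "StartFunction": "LoadLibraryW"},
]


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one Event 8 record; each matched trait adds one point."""
    reasons = []
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    if basename(tgt) in SENSITIVE_TARGETS:
        reasons.append("target is a long-lived, high-value process")
    if not src.startswith(TRUSTED_DIRS):
        reasons.append("source image outside trusted directories")
    # No StartModule means the thread entry point is not backed by a mapped image:
    # the hallmark of code written into memory the injector allocated itself.
    if not ev.get("StartModule"):
        reasons.append("thread start address is not backed by a loaded module")
    return len(reasons), reasons


def find_suspicious(events, threshold=2):
    """Return (source, target, reasons) for every event at or above the score threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["SourceImage"], ev["TargetImage"], reasons))
    return hits


if __name__ == "__main__":
    for src, tgt, why in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {src} -> {tgt}: {'; '.join(why)}")
```

Sysmon only sees what the thread creation exposes, so pair this with memory-region checks (private executable regions in the target) rather than relying on the import-table names the post says it hides.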
PS - This is for educational and Red-team purposes
Add me on the social platforms below:
Linkedin - www.linkedin.com/in/deepanshukhanna/
Facebook- www.facebook.com/deepanshu.khanna17/
Instagram - www.instagram.com/erdeepanshukhanna/