modern av evasion with shellter
i’d used shikata_ga_nai and hyperion in the oscp labs with good effect, but in reality they are totally busted by modern and up-to-date AV
so i was pleased to be introduced to shellter. i haven’t yet used it a lot, but it’s already the obvious choice for the future!
it can very effectively hide something from AV by taking any 32-bit payload and injecting it into any 32-bit PE. in the training scenario i used it in (putty with a meterpreter revshell), virustotal counted 3 of about 50 AV engines detecting it, with 2 of those being suspected false positives. amazing! (one caveat: anything uploaded to virustotal is shared with the AV vendors, so a detection count there is a point-in-time static result, and a payload you intend to use for real shouldn’t be tested that way)
the two main use cases are:
- non-stealth mode: simply to get past AV and execute the payload (e.g. a privesc). in this case the enveloping legit app is not executed, only the embedded evil app is
- stealth mode: perform a client-side attack without the target being any the wiser (e.g. trojan a legit app). in this case the enveloping app works as intended, and the embedded evil app goes about its business in the background
in stealth mode, if a msfvenom payload is used, it must have EXITFUNC=thread. the default for windows payloads is EXITFUNC=process, which calls ExitProcess when the payload finishes, so killing the established session would also kill the enveloping app; with thread only the injected thread is terminated and the legit app carries on
shellter weaves the evil app into the existing code of the original app: it traces the target’s execution and injects at a point on the real execution path, so the payload only fires after a chunk of legitimate code has already run. that also helps run out the clock on an AV’s process-monitoring sandbox, which gives up after a limited amount of emulation
the website says it doesn’t make use of code caves, nor does it add/modify PE sections! it’s funny how i’m just about to learn all about all that stuff in the osce, and yet they are already pretty much obsolete, it would seem. still, it’s nice to get in at the ground level and build up — more complete knowledge that way
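two things above are worth checking rather than taking on trust: that a target is actually a 32-bit PE before handing it to shellter, and that the infected binary’s section table really is unchanged afterwards (no added or resized sections). the script below is an added example, not shellter’s own code or anything from its site; it hand-parses the few PE header fields it needs with only the standard library, and the PE images it runs against are constructed in memory (header-only, no real code) purely so it executes offline. on a real run you’d read the original and the shellter output from disk instead.

```python
"""Sanity checks around a Shellter run (added example, not Shellter's code).

  - is_32bit_pe: classic Shellter only takes 32-bit targets, so confirm
    IMAGE_FILE_HEADER.Machine == 0x014c before bothering.
  - section_table_diff: Shellter claims not to add or resize PE sections,
    so original vs infected should have identical names/sizes. Any diff
    means something other than in-place injection happened.

The build_fake_pe helper fabricates header-only PE images for offline use;
it is constructed test data, not output from any real tool.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE_SIGNATURE = b"PE\0\0"


def parse_pe(data: bytes) -> dict:
    """Return machine type and the section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER starts right after "PE\0\0"
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, fh)
    sec_tbl = fh + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = sec_tbl + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _va, rsize, _rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rsize": rsize})
    return {"machine": machine, "sections": sections}


def is_32bit_pe(data: bytes) -> bool:
    """True only for an I386 image; AMD64 (and anything else) is rejected."""
    return parse_pe(data)["machine"] == IMAGE_FILE_MACHINE_I386


def section_table_diff(original: bytes, infected: bytes) -> list:
    """Human-readable differences between two section tables; [] when identical."""
    a = parse_pe(original)["sections"]
    b = parse_pe(infected)["sections"]
    diffs = []
    if len(a) != len(b):
        diffs.append(f"section count {len(a)} -> {len(b)}")
    for sa, sb in zip(a, b):  # compare the sections both images share
        for key in ("name", "vsize", "rsize"):
            if sa[key] != sb[key]:
                diffs.append(f"{sa['name']}.{key}: {sa[key]} -> {sb[key]}")
    return diffs


def build_fake_pe(machine: int, sections) -> bytes:
    """Constructed test data: a header-only PE with the given (name, vsize, rsize) table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222  # 224-byte PE32 optional header, rest unused
    file_hdr = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x0102)
    tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for name, vsize, rsize in sections)
    return dos + PE_SIGNATURE + file_hdr + opt + tbl


# constructed sample images (hypothetical section layouts, not a real putty.exe)
_BASE = [(".text", 0x9000, 0x9200), (".rdata", 0x2000, 0x2000), (".data", 0x800, 0x400)]
ORIGINAL = build_fake_pe(IMAGE_FILE_MACHINE_I386, _BASE)
INFECTED_IN_PLACE = build_fake_pe(IMAGE_FILE_MACHINE_I386, _BASE)          # what shellter claims
INFECTED_NEW_SECTION = build_fake_pe(IMAGE_FILE_MACHINE_I386, _BASE + [(".evil", 0x1000, 0x1000)])
INFECTED_GROWN_TEXT = build_fake_pe(IMAGE_FILE_MACHINE_I386, [(".text", 0x9000, 0xA000)] + _BASE[1:])
WRONG_ARCH = build_fake_pe(IMAGE_FILE_MACHINE_AMD64, _BASE)

if __name__ == "__main__":
    print("32-bit target:", is_32bit_pe(ORIGINAL), "| x64 rejected:", not is_32bit_pe(WRONG_ARCH))
    for label, img in (("in-place", INFECTED_IN_PLACE), ("new section", INFECTED_NEW_SECTION),
                       ("grown .text", INFECTED_GROWN_TEXT)):
        print(f"{label}: {section_table_diff(ORIGINAL, img) or 'section table unchanged'}")
```

the check is deliberately limited to what the page claims (names and sizes); the bytes inside .text will of course differ after infection, and a clean diff here says nothing about whether an AV signature still matches the injected code.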
still, however good shellter is right now, you can bet your bottom dollar that AV engines will catch up, and new techniques will be needed. how wonderful and interesting the world of computer security is!