Meterpreter Great Again

Or, How to bypass defender with metasploit/meterpreter shellcodes in 2023

Is meterpreter really necessary ?

Let's say you have an RCE, on a windows 10 fully up to date machine and you want to have a shell on it.

Nowadays, there are a lot of custom tools to play with, but whether you like it or not, you can't say that Meterpreter is not powerful.

I also like to use custom-made reverse shells developed in C or C++. However, when you need a tool for lateral movement or pivoting, you need something more powerful, like a command and control. Although there are excellent tools like Sliver, Meterpreter is quite capable because it comes with the whole Metasploit Framework, including all the MSF payloads you want to inject into your victim’s machine trough the reverse shell. Or if you have the budget :) , you could opt for the famous Cobalt Strike.

But everyone would tell you that "You have no chance to bypass the feared o_O Windows Defender with a Meterpreter payload.”

Let's verify if this is really true :)

Yet the short answer is no, this is not necessary, but it would be fun to bypass Defender even more with a  Meterpreter payload :)

How defender works

The real basic operation is to compare the static signature of a binary with a database of signatures from varius malwares and if the signature matches the binary will be put in quarantine

So if I generate a classic meterpreter payload…

If I execute it, Windows Defender will immediately catch it since all basic Meterpreter payloads are already known from these databases.

Is running a meterpreter.exe the only option? Of course not. Another way is to export a meterpreter shell code and run it within a custom program.

Let's generate a shell code and see what we can do with it.

NB: noticed that I use payloads working over DNS for more “realism” since in real life scenario you wouldn’t use reverse shell going through a 8888 port raw tcp :p

What I've tried

I won't discuss it here, but I want you to know that I've used MinGW instead of Visual Studio, as I encountered some issues with VS. For some reason, it gets flagged by Defender without any apparent reason, even with a simple "Hello World" program. This is a known issue, but I didn't have the time to look into it, so I opted for the friendly MinGW C/C++ compiler instead <3. Now that we have our shell code, let’s try to inject it directly into memory.

NB: shell code is exactly the same it’s just in int format and not char format

As you can see, it is still being flagged by Defender. This means that Defender is able to detect the payload in one way or another.

Let’s try to encrypt the payload

I could have tried something sophisticated but let’s just xor the shellcode

Even with an XORed payload, the it is still being flagged by Windows Defender…. Actually If you want to have a xored payload in a simpler way, just use the famous Shikata ga nai encoder. But if that was sufficient to bypass Defender it would be too easy.

How defender really works

In fact, there is static analysis, but Defender goes a bit further by running its Sandbox malware analysis tool, which is basically a virtual machine totally separated from the main environment, testing the behavior of the program. This is why even our XORed payload is flagged. Apparently, Defender doesn't like a program that injects a code into memory that is doing a reverse TCP connection and has system commands in it. Well, this is actually quite understandable x).

If you test it yourself, you will see that with Defender enabled, the binaries take a bit more time to execute due to the sandbox analysis.

MsMpEng.exe the Windows Defender’s Sandbox program Well, now that we know why our malware is flagged, let's figure out how to bypass it. We know that Defender doesn't like this code injection into memory. What if we don't “always” inject the payload into memory? Let's add some randomness to this malware. since the sandbox execute the malware only once, if the moment it does the analysis the malware doesn’t do anything, the binary will not be marked as a potential malware. And after the that we could eventually execute our malware without any problems.

Scripting a bit

Bypass the Sandbox

NB: I have put 1 on 100 chances to be executed, meaning we have 1 chance on 100 of being red flagged by defender in real scenario we could simply raise the randomness.

No malware detections !

Writing a dropper

Since the main payload has a only certain chance of being executed we need another program that runs it until the malware is being executed.

We could certainly do something more discret and sophisticated but it's just a POC so let's go with a basic infinite loop.

I’ve uploaded the malware in my server to avoid the dropper being flagged by defender itself, since the sandbox is supposed not to take too much time, it will analyse the malware only once and then trust it if no shellcode have been injected.

"Even hiding the window to be under cover :)" yep pretty useless but still fun

Bypassing Defender in 2023 with meterpreter, full poc

Here we are, ready for the demo ?

NB: The payload is a bit long to be executed firstly because of the sandbox, and secondly because of the randomness of our main execution.


Mission accomplished !