From Detected to Undetected
It's a boring weekend, and it's so cold outdoors. So let's play a little bit with VirusTotal.
What we are going to do right now is take a sample that antivirus products detect and make it undetectable.
VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus may have missed, or to verify suspected false positives. Antivirus vendors can receive copies of files flagged by other engines but passed by their own, to help improve their software.
Our sample choice is ".", coded by .
First, let's check our sample with VirusTotal before doing anything.
The easiest thing we can do first is to rename the variables with random names.
Let’s scan again now with our friend.
Let's try inserting backticks into the commands. Then we'll see whether VirusTotal can still catch it.
Escape sequences begin with the backtick character, known as the grave accent (ASCII 96), and are case-sensitive. The backtick character can also be referred to as the escape character.
Escape sequences are only interpreted when contained in double-quoted (") strings.
`0      Null
`a      Alert
`b      Backspace
`e      Escape
`f      Form feed
`n      New line
`r      Carriage return
`t      Horizontal tab
`u{x}   Unicode escape sequence
`v      Vertical tab
So we must be careful about where we place the backtick. We don't want to break our commands.
When we escape "a" with a backtick, PowerShell interprets it as the alert character (who`ami), and when we escape "f" with a backtick it is interpreted as form feed (ipcon`fig), so both commands break. When we escape any other character, the command does not break, because those characters have no special meaning after the backtick.
To make the picture clear, see the following image.
Let's continue and add backtick to our code.
Upload it to VirusTotal again and scan it.
Really, I'm disappointed! We want to play more, but "No security vendors and no sandboxes flagged this file as malicious."
It's time to test our code against Windows Defender and get a reverse shell, to make sure everything is working correctly.
It works fine.
Sometimes we may not need to do much to avoid antivirus software! We could bypass all of it just by changing the variable names and adding some backticks to the code, as you saw before.
VirusTotal showed that 18 security vendors detected it. Let's play now.
Fourteen security vendors flagged it as malicious on . Hmm, there is progress! With a few changes, we bypassed four vendors. Let's continue.
If we go to in VirusTotal's report, we will find the "Powershell Info" section. There we will see that VirusTotal identifies the cmdlets used in our script.
PowerShell supports a set of sequences that are used to represent characters that aren't part of the standard character set. The sequences are commonly known as escape sequences.
As shown in the result, does not detect the cmdlets used in our script! The backtick was helpful.