Create Custom FILELESS MALWARE on FULLY PATCHED WINDOWS 10!

11,179 views

Daniel Lowrie

A day ago

Recently I've been fascinated with the idea of fileless malware and Fully Undetectable (FUD) malware. I am also frustrated with my Meterpreter payloads getting popped by Windows Defender.
So I decided to try my hand at creating a simple Windows batch script that uses PowerShell to create a reverse shell back to my attack server, all while evading that pesky Windows Defender. Lastly, I want to accomplish all this without writing anything 'malicious' to the target's disk.
Download files from Github: github.com/daniellowrie/updat...
#powershell #windowsdefender #amsi #amsibypass #defenderbypass #antivirusbypass #avbypass #fullyundetectablemalware #metasploit #meterpreter #customimplant #redteam #redteaming #hacking #hacker #ethicalhacker #ethicalhacking #ceh #pentest #pentester #pentesting #penetrationtest #penetrationtester #livingofftheland #lotl #custommalware #reverseshell #redteamer #cybersecurity
==================
Chapters
==================
0:00 Intro
1:45 Fileless Reverse Shell
4:30 4 Files
5:00 update_script.cmd File
11:23 WinSecurityUpdate File
23:40 a1 File
25:15 r1 File
28:15 Pre-Game Setup
30:10 Go Phishing!
31:32 Enjoy Your Shell
33:12 Final Thoughts

Comments: 132
@simochammoum878 2 years ago
Amazing tutorial, boss. I was struggling to bypass Windows Defender with an obfuscated Meterpreter payload that was flagged immediately, but your FUD malware made Windows Defender look like a fool. You have won not only a subscriber but a fan too.
@daniellowrie 2 years ago
I'm really glad that you enjoyed the content and I really appreciate your kind words! Thanks for watching!
@ajithrajendran3516 2 years ago
Definitely what I was looking for. Thanks Daniel!!
@daniellowrie 2 years ago
Glad you found what you were looking for 😀👍
@Fido1hn 2 years ago
One of the most fun and informative videos I’ve seen on KZfaq. Some are informative but boring. Please make more sir.
@daniellowrie 2 years ago
That is one of the best compliments I've ever received! Thanks and thanks for watching! 😀
@firosiam7786 2 years ago
KZfaq needs more of your content, sir, as all of it is very informative.
@daniellowrie 2 years ago
Thanks, Firos! I'm so glad you enjoy it!
@rubensaugusto7106 2 years ago
That's good stuff, man!! Helps me a lot to understand the concept! Thank you!!!!!
@daniellowrie 2 years ago
Thanks, Rubens! I'm glad it was helpful to you 😀👍
@ManeelxAkosAdor 8 months ago
You got me subscribed with this video. First time I've watched one of yours.
@daniellowrie 8 months ago
I'm glad to hear that you enjoyed the content and thanks for the sub! It is much appreciated 👍😀
@moe3551 2 years ago
Great tutorial. Just tried it on myself and it works like a champ. BTW, will you do more CTF walkthroughs in the future?
@daniellowrie 2 years ago
Thanks, Moe! I'm always glad to see another satisfied customer 😁 I'm also happy to inform you that there will most definitely be more CTF walkthroughs in the future 👍
@1science2code22 2 years ago
The Amazing Daniel is my new superhero :)
@daniellowrie 2 years ago
Many thanks for the compliment. You're too kind! 🙂
@laughoutloud1028 2 years ago
This is cool stuff, exactly what I have been looking for.
@daniellowrie 2 years ago
Thanks! I'm glad you found it 😀
@Tech_kenya A year ago
That was great.... Always helpful
@daniellowrie A year ago
Thanks, Anthony! I'm glad you liked it 😀
@demoncanplay730 A year ago
Thank you for making this video 🙂
@daniellowrie A year ago
You're welcome and I'm glad you enjoyed it
@jorgegarrido6620 2 years ago
Daniel, congratulations on the material. It's very clear. I just have a consideration, I may be wrong, but it does not sound like a fileless attack because when the victim executes the "update_script.cmd" it downloads the "WinSecurityUpdate" file and executes it. Is it correct?
@daniellowrie 2 years ago
You raise a great question, Jorge! The fact is that not all fileless malware is completely fileless. What makes this considered 'fileless' is the fact that the malicious payload is never written to disk. You're correct when you point out that the 'update_script.cmd' file downloads the 'WinSecurityUpdate' file, but it never actually writes it to disk, but simply reads it into memory where it gets executed by PowerShell. The same is true for the 'a1' and 'r1' files. They don't get written to disk, but are read into memory where they are then executed. So the only file that actually gets written to the disk is the 'update_script' file and the only thing that it does is download a file from the internet to execute in a PowerShell script. Now, antimalware systems may be configured to block that type of activity, but this is why we obfuscated that process. Those obfuscations allowed the script to slip past detection and since the other files are not written to disk they don't get scanned, and even if the antimalware system does scan them, they are also obfuscated so they should also slip past detection. Also, the 'a1' script's function is to turn off detection. For more info on how fileless malware works you can check out this article from Norton AV us.norton.com/internetsecurity-malware-what-is-fileless-malware..html Great question!!!👍
@b.nijjar 2 years ago
Daniel, the code is getting executed as it should but not getting any reverse shell. Thanks for the video though, I am doing my Masters project on AV evasion and this video is really helpful.
@daniellowrie 2 years ago
Check the IP and Port on the listener and make sure that matches the reverse shell coded values. Check for firewalls blocking. When all else fails check the packet traffic with Wireshark. Hope that helps 👍
@b.nijjar 2 years ago
@daniellowrie True, it was an IP glitch, working like a charm now.
@daniellowrie 2 years ago
@b.nijjar I'm glad to hear you got it worked out.
@NonameForPrivacyReasons0000 2 years ago
You're the best I have seen on the internet today.
@daniellowrie 2 years ago
Thanks, Hamza!
@meowcat220 2 years ago
I finally found your channel. Happy right 💖 I am a fan of bug 😂😂
@daniellowrie 2 years ago
Glad you found it! Welcome 😀👍
@meowcat220 2 years ago
@daniellowrie Thank you ❤. I hope to see a lot of CTF. And some things about pentesting on the web.
@mynamejeff5193 2 years ago
I don't know what it is, but it's so fascinating to see people break into systems considered safe or defeating antivirus etc. What language do you think one should learn for hacking?
@daniellowrie 2 years ago
Thanks, mynamejeff! It's more like what LANGUAGES should you learn for hacking. Obviously PowerShell knowledge was useful in this situation. I would also learn Bash and Python. I would have some rudimentary knowledge of some web languages like HTML , PHP, and Javascript. Then go with some compiled language like C/C++ or C#. I'm currently learning Golang as it's super easy to cross compile. The good news is that if you pick something like Python, to start with, then you'll have a very useful language for most tasks, and you'll learn enough of programming concepts to more easily learn other languages.
@codewithme6088 2 years ago
Great! As always
@daniellowrie 2 years ago
Thank you so much! I'm so glad you liked the video 👍
@WarRior-rn4kb 2 years ago
ciso subscribedddddddd!!!!!!!!! got my graduate degree, cissp, cism and now getting my oscp. lessssss gowwwwwwwww
@daniellowrie 2 years ago
Thanks for the sub, War Rior! 👍
@ahmadmansour1171 2 years ago
Thanks a lot, boss. Waiting for a video on how to combine this with a legitimate file for more social engineering.
@daniellowrie 2 years ago
I like how you think, Ahmad! 👍
@no_winger 2 years ago
Informative ❤️..
@daniellowrie 2 years ago
Thanks, Crypto Neo! I'm glad you liked it, and thanks for watching.
@loganathavishnubalaji9713 4 months ago
Great video!! But I have a question. Can we make it work without an initial double-click by the user?
@daniellowrie 4 months ago
Thanks! I'm really glad you enjoyed it 👍 There are zero-click ways to deploy a payload, but that usually involves exploiting some RCE and then just dropping your C2 beacon. I built this "malware" to learn more about obfuscation, droppers, stagers, and AV bypass, so I tried to have it more closely mimic infection through social engineering (which is typical of a lot of malware).👍
@x-rootzone 2 years ago
Wow, absolutely cool. I tried modifying the progress status with a PowerShell progress bar and using the Metasploit "exploit/multi/handler" with the payload "windows/x64/shell_reverse_tcp", and it's working, but when I upgrade the shell to Meterpreter with "session -u [sessionid]" nothing happens. I expected it to create a new session with Meterpreter... any advice? Thanks in advance ☺
@daniellowrie 2 years ago
Hey, x-root! Thanks for watching. I'd have to put some time into recreating your scenario to see what might be causing the issue, but keep working on it and you might discover the answer.
@x-rootzone 2 years ago
@daniellowrie Thank you... Working on it 😎
@abhinavgamercr1419 2 years ago
Nice explanation, sir. Sir, PowerShell is important for hackers; I mean, I already learned Python and am still learning Bash scripting.
@daniellowrie 2 years ago
Thanks, Abhinav! You are on the right path! Those 3 languages will get you very far for sure!
@ravp8815 2 years ago
It did work once, then after turning AV on and trying to run it, it got blocked. I disabled AV again and it doesn't get to the point of downloading WinSecurityUpdate anymore. Could it be that it got added to Defender signatures somehow?
@daniellowrie 2 years ago
Hi Rav! It will definitely end up getting popped by Defender and other AV systems. I would suggest making some customizations to the script which could help it bypass AV again.
@user-xl9vd3ru4b 3 months ago
Hey Daniel, the WinUpdateSec file, which extension does it have?
@daniellowrie 3 months ago
I don't remember, but the good news is that I have updated that script. It is now NEW AND IMPROVED with 100% more Golang!!! You can watch it here >>> kzfaq.info/get/bejne/gtCfdLlktJqUn5s.html
@av1871 A year ago
How can I switch to Meterpreter here? I've tried many payloads in msfconsole (e.g. windows/shell/reverse_tcp) but they all said "session is invalid" when running. Do you know what to do?
@daniellowrie A year ago
This was all hand-built and not necessarily with Metasploit payloads in mind, in fact the reason I made this script was because I was having so much trouble with Metasploit payloads, so you might have trouble getting it to work. A few things you could check... Did you select the correct architecture for your target machine? The example payload you referenced (windows/shell/reverse_tcp) is for x86. If your target is x64, you may have better luck with windows/x64/shell/reverse_tcp. Maybe try a stageless payload instead of a staged payload? Are your payloads formatted for powershell? Not sure if any of those suggestions will work, but may be worth a try.
@DCR600 2 years ago
#SHARINGISCARING THANK YOU SO MUCH LOTS OF LOVE FROM INDIA
@daniellowrie 2 years ago
Thanks and much love back to all my followers in India! 😀👍
@florisbeekman8907 2 years ago
Hey, it is me again 😅. I think this is the last question I need to ask. So: the update_script downloads files from a site. Can I just make a public site with all the files (with correct IPs) and replace the site link in the files? Will that work?
@daniellowrie 2 years ago
That should work
@florisbeekman8907 2 years ago
@daniellowrie great👌
@florisbeekman8907 2 years ago
Hi, thanks for recommending this vid to me because it is perfect for me. But I do have a few questions. First one, again about port forwarding: do I have to port forward to my Linux or to my Windows external IP? Second one, about changing the scripts: do I have to change the IP address in the update_script, a1 or r1 file to my external IP? If yes, then again, do I have to change it to my Windows or Linux external IP address? Last one, about the IP address and port where the "winsecurityupdate" is downloaded: if I google the IP and port where winsecurityupdate is downloaded (192...180/8000) the site doesn't show up. Does this have to do with the fact that I live in Europe? Or is this port taken offline and do I have to make a new one with the a1 and r1 files? Oh, little edit: I just saw a video that said that malware files bigger than 750Mb will be harder to detect. Is it possible to implement this in these files? Thanks a lot for helping, because it makes starting with this technical stuff way and way easier!
@daniellowrie 2 years ago
1) You port forward to the machine that is running your listener 2) If your target is shoveling a shell across the Internet, then you'll need to set the IP to your external IP and the port you set up for forwarding 3) The IP scheme 192.168.x.x is a private IP range that isn't routable and is only used for internal devices, so you would only find a site at 192.168.x.180:8000 if one of your internal network devices had that IP and was running a service on port 8000 4) Not sure why malware size would be important. All the scripts used in these scripts are less than 2k in size and they slide right by Windows Defender without any issues. The thing with detection is usually signature and behavior. You can literally make an empty file and name it mimikatz.exe and it will get popped by Defender.
@abhinavgamercr1419 2 years ago
Daniel sir, I need your help. Sir, I know Python and Bash scripting. Sir, I started learning web pentesting, so sir, I am currently learning XSS, and sir, for that I don't know JavaScript, so sir, do I need to learn JavaScript so I can learn the XSS vulnerability??
@daniellowrie 2 years ago
Javascript is used a lot in web app scripts, but it's not the only language. You also can see ActiveX, Java, VBScript, Flash, and HTML. I will say this, the more Javascript you know, the better you'll be at finding and exploiting XSS, but you can use things like XSS Polyglots to help you test and bypass filters until your javascript skills are better. I hope that helps answer your question.
@monakhaled8360 2 years ago
Great tutorial, but I have a question: if I want to detect that a fileless malware infection occurred, how can I?
@daniellowrie 2 years ago
This kind of malware is difficult to detect due to the obfuscations, but some good countermeasures would be to disable PowerShell if at all possible and if not then to log PowerShell use and have email alerts set up when a PowerShell command is executed. You can also strengthen your egress filtering on your firewall to make it more difficult for the shell to connect. Lastly, make sure you're using IDS/IPS along with an updated AV/Antimalware/EDR solution. This script works well in the video, but it won't be long before samples are submitted to security firms and new AV signatures are created for detection. It's a cat and mouse game between attackers and defenders when it comes to detection and bypass.
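The PowerShell-logging countermeasure in the reply above, as an added example that is not from the video or its scripts: a small Python scorer run over constructed PowerShell Script Block Logging (Event ID 4104) records. It flags the chain this thread discusses, a base64 decode fed to Invoke-Expression, a download cradle, a raw TCP client, or AMSI tampering, and adds weight when the block has no script path, i.e. it never existed as a file on disk. The one-line record layout, the indicator weights and the alert threshold are my own assumptions; real 4104 events live as XML in the Microsoft-Windows-PowerShell/Operational log and Script Block Logging must be enabled by policy before they appear at all.

```python
"""Toy detector for PowerShell Script Block Logging (Event ID 4104) records.

Added example, not part of the original video or its scripts. The log lines
below are constructed samples; the flattened one-line layout is an assumption
standing in for the XML that the real Windows event log produces.
"""
import re
from dataclasses import dataclass


@dataclass
class ScriptBlockEvent:
    timestamp: str
    block_id: str
    path: str   # empty when the block did not come from a script file on disk
    text: str


# Assumed flattened record layout: "<ts> 4104 ScriptBlockId=<id> Path=<p> Text=<code>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) 4104 ScriptBlockId=(?P<id>\S+) Path=(?P<path>\S*) Text=(?P<text>.*)$"
)

# Indicator name -> (weight, pattern). Weights are an assumption for the demo:
# a bare TCP client or AMSI tampering is enough on its own, while decode and
# dynamic evaluation only alert when they appear together.
INDICATORS = {
    "base64_decode":   (1, re.compile(r"FromBase64String", re.I)),
    "dynamic_eval":    (2, re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I)),
    "download_cradle": (1, re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\bIWR\b", re.I)),
    "raw_socket":      (3, re.compile(r"Net\.Sockets\.TCPClient", re.I)),
    "amsi_tamper":     (3, re.compile(r"AmsiUtils|amsiInitFailed", re.I)),
}

# Constructed sample records: a benign profile script, an in-memory
# decode-and-eval block, a raw socket block, and a benign admin download.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 4104 ScriptBlockId=aaaa Path=C:\\Users\\user\\profile.ps1 Text=Get-ChildItem C:\\Users\\user\\Documents | Sort-Object Length
2024-01-01T10:00:05Z 4104 ScriptBlockId=bbbb Path= Text=$u = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($update_a1)); Invoke-Expression $u
2024-01-01T10:00:06Z 4104 ScriptBlockId=cccc Path= Text=$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10',443)
2024-01-01T10:00:09Z 4104 ScriptBlockId=dddd Path=C:\\scripts\\backup.ps1 Text=Invoke-WebRequest -Uri https://updates.example.internal/manifest.json -OutFile C:\\temp\\m.json
"""


def parse_events(log_text):
    """Parse every well-formed 4104 record; silently skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(ScriptBlockEvent(m["ts"], m["id"], m["path"], m["text"]))
    return events


def score_event(event):
    """Return (score, hit names) for one script block."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(event.text)]
    score = sum(INDICATORS[h][0] for h in hits)
    # A suspicious block with no backing file is the "never written to disk"
    # case discussed in the thread, so it gets an extra point.
    if hits and not event.path:
        score += 1
        hits.append("no_script_path")
    return score, hits


def find_alerts(log_text, threshold=3):
    """Return (block_id, score, hits) for every block at or above the threshold."""
    alerts = []
    for ev in parse_events(log_text):
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append((ev.block_id, score, hits))
    return alerts


if __name__ == "__main__":
    for block_id, score, hits in find_alerts(SAMPLE_LOG):
        print(f"ALERT block={block_id} score={score} indicators={', '.join(hits)}")
```

Run stand-alone it reports the decode-and-eval block and the raw-socket block and stays quiet on the profile script and the administrative Invoke-WebRequest, which is the point of weighting rather than matching single keywords: a download cradle alone is routine admin activity, while decode plus evaluation in a block that has no file behind it is the pattern worth an email alert. Pair this with the egress filtering the reply mentions so that the network side is logged too.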
@gooniesfan7911 3 months ago
Is fileless MW still a thing? It seems trivial for any AV system or EDR to detect, because no legit software will look like this in the registry.
@daniellowrie 3 months ago
Great question! Now please, keep in mind that this video is 2 years old and was meant to be more of a proof-of-concept/personal learning experience for me, the goal being "Can I bypass MS Defender detection specifically" and not other AV or EDR, so yeah, this is a super janky thing. That said, fileless malware is indeed still quite popular. LodeInfo and HeadCrab are just 2 examples in my recent memory. The good news is that EDR and AV are getting better every day and are making malware-based attacks much more difficult, but APTs keep modifying the way they behave and creating novel malware which is able to bypass AV/EDR detection, creating a bit of a "Cat and Mouse" game between threats and security vendors.
@gooniesfan7911 3 months ago
@daniellowrie Dude, thank you for this response, so thoughtful and crafted for me! You do an amazing job teaching and producing videos, 10/10. Wishing you nothing but the finest and greatest of success. Love you, bro!
@daniellowrie 3 months ago
I appreciate your comments and kind words, @gooniesfan7911! You asked a really good question, so I'm happy to do my best to answer you directly. Glad you're enjoying my content and thank you so much for watching!
@Fatima-hk8zx A month ago
Everything is working, but sudo nc -nvlp 443 is not opening a shell for me. Why?
@daniellowrie 26 days ago
I hate to hear that you're having issues with your system and I wish I could tell you what's wrong, but without more details that is an impossible task. My suggestion is to work the problem using the standard troubleshooting methodology. Start with the basics then work your way up to the complex. You'll do a lot of googling, but this is how you build the skills and experience of a seasoned hacker. Keep trying and don't give up. Best of luck!
@JD-qi3pk A year ago
Thanks for this, very educational. But I have a question. Let's assume I generated a payload executable and encoded it as usual, which I know would still get detected by some antivirus and even Windows Defender. So after I've edited the URL in the script with mine and opened it in Windows. My question goes like this: when I open the script and it runs the command to download and execute the payload file through PowerShell, are there better chances of Windows Defender and AVs not detecting it, since the payload is not being executed on the disk? I'm just trying to get a better understanding. Also, what if in the exec file I increase the start-sleep time or give the payload, let's say, 15-30 secs just to trick Windows Defender? Because I believe that for any executable opened in Windows, Defender and AVs automatically scan the file to know exactly what the file is all about and what it does. So once the payload executable downloads and installs from the cmd, I could set the payload to stay idle and let it start running in a minute or maybe more. That can also trick Windows Defender and AVs into not flagging it as a virus, right?
@daniellowrie A year ago
Gold star, Johnson David! The 'fileless' part of this type of attack is that the malicious payload is never written to disk, but is downloaded and executed in memory. Your idea about using sleep to prevent the AV system from detecting is also spot on. Unfortunately, this has started to get picked up by AV, so using sleep can get a file flagged as malicious. A way around that is to make the 'malware' perform a mathematical computation or some other process that will cause a time delay without using sleep.
@JD-qi3pk A year ago
Thanks for your response... I was actually thinking of this at first, about letting it perform some other task that will delay it before it starts running. But I couldn't think of any; none comes to mind. Can you suggest any?
@daniellowrie A year ago
@JD-qi3pk A simple way that I do it is to use the date/time. I create a variable with the current datetime plus however many seconds I want to wait. Call that 'time1'. Then I create a while loop that checks the current datetime and compares it to 'time1'. The loop continues while the current datetime is less than or equal to 'time1'.
@JD-qi3pk A year ago
@daniellowrie I could use the word "trickish"; this should do a bypass, because it could be really confusing for Windows. Even for me, I'd have to think outside the box to figure this one out. A little help would help a lot, if you would. Can I send you an email?
@daniellowrie A year ago
@JD-qi3pk I sure don't mind trying to help, but I'd rather the conversation stay here so that everyone can benefit from the discussion 👍
@DEADCODE_ A year ago
Ohhh Dani, I swear I love you man, say hi to Zach for me 😁
@daniellowrie A year ago
It's an honor to have you as a fan, Mr Alderson 😎👍
@allenclement5595 A year ago
All good until I run the update_script file on the Windows system; nothing happens, and the python3 HTTP server shows a 404, "file not found" message. Please help me out with this issue. 🥺
@allenclement5595 A year ago
Even the update_script file does not run.
@daniellowrie A year ago
I would say to just make sure that all your devices are able to communicate and that all your settings are set correctly. If you're getting a 404, then the update_script is trying to access a page that doesn't exist, or isn't in the directory where you are running the python http server. I'd start there. Hope that helps 👍
@dilanparadis741 A year ago
How do you switch computers like that? Is one of the OSes virtualized?
@daniellowrie A year ago
You guessed it, Dilan 👍 The Kali machine is being run in VMware Player and I just full-screen it on a different desktop. That is how I can just swipe from one system to the other.
@kloser5299 2 years ago
I can't open it in Windows; the error is “Windows cannot access the specified device path or file”.
@daniellowrie 2 years ago
Sorry to hear you're having trouble. I found this link that may be able to help you out. support.microsoft.com/en-us/topic/-windows-cannot-access-the-specified-device-path-or-file-error-when-you-try-to-install-update-or-start-a-program-or-file-46361133-47ed-6967-c13e-e75d3cc29657
@laughoutloud1028 2 years ago
Hello, how do you send it by email? Email does not accept some extensions.
@daniellowrie 2 years ago
You can just either change the extension of the file or add it to a zip archive and attach the zip. 👍
@laughoutloud1028 2 years ago
@daniellowrie Thank you. But which extension is accepted to be uploaded on email? Any suggestions?
@daniellowrie 2 years ago
@laughoutloud1028 You'll have to test the system to see what makes it through 👍
@nasalkhaldi9388 A year ago
Great video. Is it possible to embed this into a Word document or a PDF? Thanks.
@daniellowrie A year ago
I'm thinking about making a v2.0 of this and maybe that should be how it gets delivered.
@nasalkhaldi9388 A year ago
@daniellowrie I hope you have the time to do more videos, your teaching style is amazing! Do you have any online courses apart from what's on KZfaq?
@daniellowrie A year ago
Thanks for the compliments, Nas! I do training for ITProTV ( itpro.tv ) where I teach a wide variety of cybersecurity topics, mostly focused on ethical hacking and pentesting though.
@mynamejeff5193 2 years ago
Where did you buy that Spider-Man t-shirt? I want one too.
@daniellowrie 2 years ago
Thanks, Jeff! My kids got that shirt for me for my birthday. I think they got it from Target.
@abdullahyasin3055 2 years ago
Sir, I am waiting for the Nmap firewall bypassing video.
@daniellowrie 2 years ago
That might be doable. I'm short on free time right now, but I'll put it on my short list of cool KZfaq ideas. Thanks for the suggestion 👍
@brent4217 A year ago
Appears that Defender is stopping it now. Have you tested it recently?
@daniellowrie A year ago
Thanks for the heads-up, Brent. Someone reported to me a few months ago that it was still working on both Win10 and Win11, but all good things must come to an end I guess LOL. That just means that update.exe v2.0 needs to happen, so that we can all enjoy those wonderful shells once again! 😁
@cot3chcot3ch96 2 years ago
For some reason it didn't work for me. I guess I need detailed steps. Would appreciate if you on Kali.
@daniellowrie 2 years ago
Sorry to hear that this isn't working for you. The steps are vendor agnostic and should work in Kali as they are. Do you have any guess as to where things might be going wrong? If so, maybe we can troubleshoot.
@cot3chcot3ch96 2 years ago
@daniellowrie Do you have an email so I can show you my screenshots?
@daniellowrie 2 years ago
dlowrie@protonmail.com
@dcriley65 A year ago
Hi Daniel, (Spoiler Alert: decided I didn't want to head my head re-inventing the f*!king wheel) I'm trying to decide which I liked better, Whonixlinux or QUBES, and run my VMs that way. What'cha think?
@daniellowrie A year ago
Sounds like a solid plan!
@trancongkhanh7904 A year ago
Hey bro, I can't connect to the Windows 10 machine, can you guide me? Thank you very much. I wish you a good day.
@daniellowrie A year ago
Not sure if I can help, but I'd start with verifying that the two devices can communicate over the network first. Check windows firewall. Can you browse to the kali web server with Chrome/Edge/Firefox?
@navienkumar1524 A year ago
Bruh, put up a video over WAN using this PowerShell reverse shell, please.
@daniellowrie A year ago
Not a bad idea, Navien. Spoiler alert! I'd use ngrok or some cloud-based instance to catch the shell. 👍
@zaaffe24bs16 A year ago
How would I make this public? (port forwarding) I use ngrok, btw.
@av1871 A year ago
same question but my comments keep getting deleted
@daniellowrie A year ago
ngrok is a fine way to make this public. You could also spin up Metasploit in some cloud instance on AWS/Linode/DigitalOcean/etc.
@no_winger 2 years ago
Sir, please make a video about zero-click payloads and how they work.
@daniellowrie 2 years ago
That's a cool idea! Not sure if I can pull it off, but it's definitely something I want to learn and will make a video about as soon as I do 😅👍
@no_winger 2 years ago
@daniellowrie thanks Daniel ❤️
@mynamejeff5193 2 years ago
I will send the trojan to my school teacher and I will download all exam questions from her laptop heheh *evil laughter*
@daniellowrie 2 years ago
That's funny 😂. I'm pretty sure you're kidding, but seriously, don't do that. It's a quick way to find yourself getting real friendly with your new cell-mate. Repeat it like a mantra... Only hack systems I own, or have permission for! Only hack systems I own, or have permission for! Only hack systems I own, or have permission for! Only hack systems I own, or have permission for!
@mynamejeff5193 2 years ago
OK. Good video, btw.
@antoniojesusgil2966 2 years ago
How do I use it with ngrok?
@daniellowrie 2 years ago
You would just need to change all the attacker IPs to be your ngrok URL. Ngrok has been mentioned a fair bit and rightfully so. Maybe it's time I do a video showing how to use it with something like this.
@alec3217 3 months ago
Is this actually considered fileless? Since it uses files and doesn't operate completely in memory... I'm not so far into the video, though.
@daniellowrie 3 months ago
Right! How is malware that in any way utilizes files considered "fileless"? I had the same question myself when I was learning about fileless malware and it seems to have some semantics involved in its definition. So, many fileless malware examples will utilize some RCE or other vulnerability to download, load into memory, and execute their malicious payload. But some use a delivery mechanism such as a malicious macro in an Excel or Word file, or a temporary file. These files don't do anything "malicious" per se. All they do is use PowerShell, or WMI, or some other built-in functionality to download and execute "something" from the internet (the malicious payload). Now, these things would also unalive themselves after run time (a step I left out of my example), leaving little to no trace to be signatured. So this is really a sub-type of fileless malware and not a pure fileless malware, but still gets kinda rolled up into the "Fileless" moniker in general conversation. It seems a lot like the term "Red Team" with how we tend to call ALL things offensive cybersecurity "Red Teaming" and while not perfectly accurate, it is typically accepted in everyday conversation.
@alec3217 3 months ago
@daniellowrie Oh, I understand, thanks for the info. I thought the term only referred to malware that ran completely in memory.
@daniellowrie 3 months ago
No problem! Thanks for the great question and for watching 😀
@igornemorssa2936 2 years ago
I tried it, but it doesn't function 👎👎
@daniellowrie 2 years ago
Sorry to hear that, Igorne. Are you getting an error, or is Defender stopping it? Could it be a networking issue like wrong IP and/or Port? Can you see the scripts getting downloaded from your Python HTTP server? Did you verify your base64 encoding?
@joefawcett2191 2 years ago
Exception calling "FromBase64String"with "1" arguments(s): "The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters. " At line:33 char:1 + $update_a1 = [System.Text.Enconding]::UTF8.GetString([System.Convert]: ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +CategoryInfo : NotSpecified: (:) []. MethodInvocationException +FullyQualifiedErrorId : FormatException
@daniellowrie 2 years ago
Looks like your base64 has gotten a little wonky. How are you generating the base64 string? and can you paste that string here so we can see it?