In this post, I would like to share a way to bypass AV detection by using HoaxShell which that tool has been created by t3l3machus.

What is HoaxShell?

HoaxShell is a tool that contains unconventional Windows Reverse Shell which can be undetected by Mircosoft Defender. Guys, Don’t worry about the usage of the tool because it seems to be easy to use even for non-Security personnel.

The tool has been tested on the Operating System such as:

  • Windows 11 Enterprise
  • Windows Server 2016 Datacenter
  • Windows 10 Pro

Demo for the tool usage

We are required to download the tool into our attacker’s machine especially Linux operating system.

The command of the tool’s download would be something such as:

sudo git clone

Firstly, we can execute the tools so that any help command that will appear for our guidance.

Let’s create a malicious payload from the tool where we can copy-paste the command on our victim’s machine.

Sadly, it’s a dead-end of the payload where the malicious payload doesn’t work at all.

A few days later, the payload can be executed again when the update has been made.

The tools have worked after it’s updated on the Hoaxshell script

The tools have been updated by the creator and we are required to download them again on the attacker’s machine.

Therefore, let’s execute the command again with some additional parameters such as -i -o

On the victim’s machine, we need to paste the PowerShell command so that the tool will be able to retrieve a reverse shell back to us.

Verify that protection is enabled on the victim’s machine

As we can see in the screenshot above, we managed to verify that all function inside the Windows Defender has been enabled.