Noah Foster


Evasive techniques used by attackers date back to the early days, when base64 and other common encoding schemes were used. Today, attackers are adopting new Linux shell script tactics and techniques to disable firewalls and monitoring agents and to modify access control lists (ACLs).


In previous Uptycs Threat Research posts, we discussed the common Linux utilities that threat actors generally use in the attack chain. In this report, we highlight the defense evasion techniques that are common in malicious Linux shell scripts, and then outline how Uptycs spots and mitigates them.

Most systems and servers deploy firewalls as a defense mechanism. In the malicious script, attackers try to disable the firewall, i.e., ufw (Uncomplicated Firewall), as a defense evasion tactic. Along with that, attackers also flush the iptables rules (iptables -F), because iptables is widely used for managing firewall rules on Linux systems and servers (see figure 2).

The malicious shell script also disables Linux security modules such as SELinux and AppArmor. These modules implement mandatory access control (MAC) policies. A server administrator can configure them to give users restricted access to the applications installed or running on the system.

ACLs, or Access Control Lists, contain the rules by which permissions on files and utilities are granted. Filesystem ACLs tell the operating system which users can access the system and what privileges those users are allowed. The setfacl utility in Linux is used to modify or remove ACLs; in the script we can see setfacl used to set permissions on chmod for the user:

One of the malicious scripts (d7c4693f4c36d8c06a52d8981827245b9ab4f63283907ef8c3947499a37eedc8) also contained common utilities like wget and curl used under different names. These utilities are generally used to download files from a remote IP; attackers use them to download malicious files from the C2. Some security solutions whose detection rules monitor the exact names of the utilities might not trigger on the download event if wget or curl are used under different names.

The script is supposed to have the enemies wander until an empty child 'eyes' sees the player. Then it should start chasing the player. Think Pac-Man. What it's doing right now is making one loop of its wander cycle and then stopping and not seeing the player at all.

With the 100th release of TrickBot, the malware came equipped with new and advanced evasive capabilities. One such capability is its use of an obfuscated batch script launcher to jumpstart malicious executables.

Hammond notes that although antivirus products could easily scan plain-text batch scripts, the fact that an attacker has gone through multiple steps to obfuscate a simple one-line command would make it virtually impossible for an "off-the-shelf" EDR or signature-based antivirus product to detect such samples.

Furthermore, the researcher told us that since all of the characters in the batch script were ASCII printable characters rather than binary code, it was easier to transmit the script over the wire while bypassing the scrutiny of antivirus programs.

Once installed, simply go ahead and jump into Roblox, then fire up Evade as well as the downloaded exploit. Next up, copy and paste any of the Evade scripts listed above into the box found within the executor.

UNC2165 has leveraged multiple Windows batch scripts during the final phases of its operations to deploy ransomware and modify systems to aid the ransomware's propagation. We have observed UNC2165 use both HADES and LOCKBIT; we have not seen these threat actors use HADES since early 2021. Notably, LOCKBIT is a prominent Ransomware-as-a-Service (RaaS) affiliate program, which we track as UNC2758, that has been advertised in underground forums since early 2020 (21-00026166).

Now we can do the same thing, only this time using PowerShell instead. Generate your favorite PowerShell base64-encoded payload. Let me guess, you probably want to use PowerShell Empire, which conveniently includes a base64 script as the client-side agent!

BATLoader is initial-access malware that thrives on legitimate batch and PowerShell scripts. It delivers other malware; however, it all depends on one communication, such as an email that contains the BATLoader. If that email is not opened or the link is not downloaded, the campaign will be unsuccessful.

Remote Access Trojans (RATs) are spyware that let a cybercriminal gain remote access to an infected system to steal data, control the system, encrypt data after launching ransomware, etc. With administrative privileges, RATs can evade detection and hide inside a PowerShell script. They can gain persistence and schedule tasks on the system as the cybercriminal requires, to launch further attacks successfully.

The embedded macro inside the document (907012a9e2eff4291cd1162a0f2ac726f93bad0ef57e326d5767489e89bc0b0a) executed multiple sets of commands to download a PowerShell script that loads the malicious executables using the [Reflection.Assembly]::load method, as shown in figure 3:

Roblox Evade Script Hack is getting popular day by day, so we decided to release a hack for Roblox that will blow your mind, because our Evade script is the best hack ever created. It has tons of features that you can use and enjoy without getting banned.

Our hacks can help you get an edge so that you can dominate everyone and get better at the game without anyone finding out that you are using any kind of hack. At gamingforecast we aim to provide the best Roblox scripts and hacks so you can enjoy the game even more.

The Cybersecurity and Infrastructure Security Agency and the FBI published a joint advisory on Wednesday with guidance and a recovery script in response to the ongoing ransomware campaign. On Thursday, the agencies said they were tracking new variants.

There are countless tutorials online that show how to use Netstat and Tasklist to find an intruder on your computer. But with a few PowerShell functions, it's possible for a hacker to evade detection from the almighty command line.

Event-Triggered Execution: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts. ...

If the connection to the compromised device uses a PowerShell one-liner, the output may appear as shown above. Generally, "Undefined" policies complicate things for an intruder, as it means PowerShell scripts won't execute by default. And, therefore, this attack wouldn't work. The Process defined as "Bypass" is a result of how the reverse shell executes. Changing the Process policy won't help us in any way.

However, it's common for users to modify the CurrentUser and LocalMachine policies to allow PowerShell script executions. Similarly, sysadmins will sometimes set global Bypass policies for all employees. Permissive policies like RemoteSigned, Unrestricted, or Bypass make this attack possible.

For an in-depth explanation of the different policies and their effects on the operating system, be sure to review the official documentation. Let's talk about PowerShell profiles now that we're sure script executions are possible.

PowerShell profiles are scripts that execute when a new PowerShell session starts. That includes PowerShell ISE sessions. For readers familiar with .bashrc and .bash_aliases in GNU/Linux, PowerShell profiles are the same concept. The profiles are a convenient way for power users and developers to automatically load custom functions, variables, and modules with every terminal that's opened.

As a final example, let's hide files from ls and PowerShell's Get-ChildItem cmdlet. In the Windows 10 temp folder, there's a "tokyoneon.ps1" script containing malicious code.

Aliased to ls, dir, and gci, the nefarious "Get-ChildItem" function will replace all of the commands in a PowerShell terminal. As shown below, the "tokyoneon.ps1" script no longer appears in the dir output.

Indy discovers Marion is alive, bound and gagged in a tent, but does not release her for fear of alerting the Nazis. Indy, Sallah, and a small group of diggers unearth the Well of Souls and acquire the Ark after also using their wits to evade an endless pile of vipers.

This month, our Malware Research and Incident Response teams wrote about several malware techniques that attempt to evade detection by focusing on small changes that website owners might miss. Examples include typos in domain names, unused top-level domains (e.g., .com, .solutions), and delayed banner ads.

While Emotet continues to abuse Microsoft Office to deliver the second stage through malicious macros, attackers are now using a technique known as binary padding, where junk bytes are added at the end of the file to increase its size, to evade security solutions that do not scan large files.

A malware campaign that uses a polymorphic HTML application (HTA) and a polymorphic backdoor to evade detection has recently been observed by security researchers. As reported by researchers at Kaspersky, the campaign can be traced to the advanced persistent threat (APT) group Cloud Atlas (aka Inception), whose activities were first reported in 2014 and have recently been identified in relation to attacks on various organizations in Russia, Central Asia, Europe, and Portugal.

As in its previous iteration, the routine used by Cloud Atlas begins with phishing emails to high-value targets. These emails have Microsoft Office document attachments that contain malicious remote templates, which are loaded from remote servers. This technique allows the documents to bypass static analysis and makes forensic analysis difficult if the servers hosting the templates are down.

Polymorphism and PowerShell abuse for malware propagation and infection are not new. Threat actors have been abusing new scripting languages, for example, to make it difficult for enterprise IT teams to seek out, monitor, and defend against these threats. Trend Micro researchers have been tracking such evasion and infection techniques.