After a while searching for good RATs, I didn't find many RATs bypassing runtime scan/analysis. So I thought, why not use a C2/post-exploitation tool as a RAT?
After taking this idea, I realized that PowerShell Empire was a good post-exploitation tool in the old days (AV/EDR/XDR weren't used a lot), so I decided to use it.
First, I created one VPS for hosting the actual C2 and another one to make a cloud front. Then I got a domain at freenom.com (register with an onion mail and Tor!) and registered at Cloudflare too (same as with freenom!). Then I pointed the domain to Cloudflare and then to the VPS. Next, I set up PowerShell Empire on the second VPS, created an HTTP listener and a cmd_exec stager (x86 arch, **don't** use safechecks and bypasses, change the stager URL to the domain!).
Checking at avcheck.net I got 21/26; at hybrid-analysis I got 90% malware.
To bypass that, I used Shxixware Crypter to stub the agent; after that I got 0/26 at avcheck.net and 1% malware at hybrid-analysis. I could use the VNC/browser stealer modules as well without problem.
You can get Shxixware Crypter from here: https://xss.pro/threads/76460/#post-528877
Note: don't use safechecks because most EDR/XDR solutions already detect it. The bypasses are very old and don't work (at least on my Windows 10 Pro they don't work).