
Defender Bypass

Builder0
HDD-drive
User
Registered
26.12.2022
Messages
25
Reactions
3
I have an obfuscated bat. What can I do to remove the Defender detection? 🦧
Can I use InnoSetup to build an executable that would first run a script to disable WD and then my bat?
 
Change the obfuscation to a different algorithm
I used XOR/AES encryption algorithms, but the result is that the WD detection remains and it flags the file as a dropper
 
Can an msi be used to launch bat and vbs files, or only executable files (.exe)?
Take a look at Advanced Installer; there you can specify ps and cmd commands that will be executed before/during/after the package installation. Or any similar software.
 
Take a look at Advanced Installer; there you can specify ps and cmd commands that will be executed before/during/after the package installation. Or any similar software.
Thanks
 

Builder0 Check them out. They have a package to bypass WD, AMSI, smart screen.
 
To disable WD you first need a FUD payload, then a FUD exploit to get LPE; after that you can run a PowerShell script or command to add an exclusion for your files' path to Defender, which is better than disabling it, but you can still also disable it using PowerShell, though this will notify the user.
 
To disable WD you first need a FUD payload, then a FUD exploit to get LPE; after that you can run a PowerShell script or command to add an exclusion for your files' path to Defender, which is better than disabling it, but you can still also disable it using PowerShell, though this will notify the user.
Very interesting, that's more if you want persistence, right? For a stealer you just need: loader --> PowerShell command that runs the stealer in memory.
Or am I wrong?
 
Very interesting, that's more if you want persistence, right? For a stealer you just need: loader --> PowerShell command that runs the stealer in memory.
Or am I wrong?
Yes, and before running the image using PowerShell you first need to bypass AMSI; you can inject a DLL into PowerShell to bypass AMSI.
 
Yes, and before running the image using PowerShell you first need to bypass AMSI; you can inject a DLL into PowerShell to bypass AMSI.
No. You don't need to load DLLs to bypass AMSI.
See how to bypass AMSI at https://amsi.fail.

If Defender is still giving you issues you need to go review the fundamentals, my friend -- there are many options. Go view the Sektor7 courses or RedTeamOperator 1&2.
This talk also provides a lot of good information about inner works in Windows Defender.
 
Bypass AMSI to have admin privileges? How to do that?
Not bypass AMSI to get administrator; bypass AMSI, then execute the LPE exploit.
No. You don't need to load DLLs to bypass AMSI.
See how to bypass AMSI at https://amsi.fail.


This talk also provides a lot of good information about inner works in Windows Defender.
Thanks, but I don't need to; the thing I am talking about is already tested and 100% sure. The loading of a DLL is just a technique in which the DLL patches AmsiScanBuffer.
 
Not bypass AMSI to get administrator; bypass AMSI, then execute the LPE exploit.
What the actual hell are you talking about?))

Thanks, but I don't need to; the thing I am talking about is already tested and 100% sure. The loading of a DLL is just a technique in which the DLL patches AmsiScanBuffer.
The language barrier is big here. I was saying that you don't need to load a DLL to bypass AMSI. You can patch AmsiScanBuffer, AmsiScanString, AmsiInitialize and other functions from AMSI.dll directly from PowerShell. There is no need to load third-party DLLs to do that.
 