Creating a .EXE Binary that FULLY Evades Windows Defender (AGAIN!) in 2024!
- Added 4 Jan 2024
- Join the Hack Smarter community: hacksmarter.org
AV Evasion is a cat & mouse game. In this video, I become the mouse who evades the cat (again) by creating a .exe binary that fully evades Windows Defender and provides the attacker with a stable reverse shell. This is working as of January 5th, 2024.
Here are the resources mentioned in the video:
Powershell Script: github.com/gh0x0st/Get-Revers...
ps2exe: www.powershellgallery.com/pac...
THM Stealth Room: tryhackme.com/room/stealth
Happy hacking! - Science & Technology
Nice. I have not seen your channel before but I am subbed now. This was a perfect mix of explanation and being concise.
This is dope! Thanks for the great video, you just earned a new subscriber!
You are a saint, sir. It is so difficult to find relevant pentesting content that is applicable to the real world and not just a lab environment. THANK YOU! As of January 14th this works; however, within a few seconds of getting the shell Defender notices and kicks you out.
Edit: It's actually a bit spotty, the first time I tested it I lost the shell in a few seconds. The second time I tested - I maintained the shell for as long as I wanted. Time to see if we can get an obfuscated meterpreter shell to run in memory successfully so that we can dump the SAM.
Great vid!! Will try this later this afternoon 👍🏼
Cool video! Love your content! Would be looking forward to more interesting contents in the future! 😊😊
That is absolutely insane. Have to try it out on my home lab
Quite informative!!
Awesome as usual
Letttsssss gooooo, that was awesome.
Thank You!
Discussed this technique today in class. Tried and it worked. Thanks
Wow, that's awesome! Did the teacher use this video, or did you just stumble across while looking into the technique?
@TylerRamsbey He suggested it. I came here, watched your video and implemented it.
Awesome!
Awesome
Great video as usual, you don't have nearly enough subs.
When you execute a pwsh reverse shell in memory, can AMSI detect that?
We have to disable it?
Still works perfectly, but how tf do you escalate privileges? I can't transfer the shell to a meterpreter or download any file through it. I can only do basic Windows commands like cd, dir, etc. (while I'm 100% sure I'm on a PowerShell shell)
But doesn't Windows warn that the file could be malicious? In the new versions Windows even "flags" (not sure what exactly it does) files inside downloaded zip files (as long as you unzip them with Explorer)?
It actually worked; I tried a 2nd time and it failed. Not in any OS in my network. By the way, loved your concept.
@Tyler Ramsbey you said it's important for pentesters to have a Windows virtual machine. My laptop has a maximum of 8GB RAM and I am therefore running Kali Linux as the host OS. I have Windows 7, Windows 10 and Windows 11 iso files I can use. Which would you recommend I install as a virtual machine on my pentesting laptop?
10
Would this type of stealth evade other anti-virus packages like Sophos, Eset, Bit Defender, etc?
What rule can one put in place to detect it?
So it's been 4 months now, but it'll work as long as you don't touch the disk since Defender is super stupid. I wrote a simple dropper in C over SMB today (April 1st) and loaded the raw shell straight into memory - Defender is silent. Didn't obfuscate the dropper executable. Not April Fool's. In fact I think it could work over HTTPS too.
How to do for Mac Machine ?
what about smartscreen?
Is this relevant to OSEP?
At the moment the victim tries to download that .exe, Windows Defender is gonna tell the victim that this is a virus.
Use C# bro.
@Jamaal_Ahmed use C# in which part?
Please help Tyler! How do I fix: 1. a parameter cannot be found that matches parameter name 'Url' 2. Exception calling 'GetString' with '1' argument(s): "Array cannot be null. Parameter name: bytes" and 3. Cannot bind argument to parameter 'Command' because it is null. Thanks
Bro use ChatGPT to fix the error
I have the same problem
Just curious, would an attack like this always be detected by the top AVs such as Kaspersky and Bitdefender?
Tried it on Avira and Avast Premium AV and it bypassed them, but Kaspersky and Bitdefender didn't... A custom-coded payload will have no bad signatures, so it will bypass them.
Lol, I hate to be this guy. And I love your content. But it's such a love/hate feeling, because we can only find so many unpatched holes in the wall before the wall is eventually sealed up tight. Lol, I watch your videos and they work 100%, which says a lot. And then a month later Defender's onto us lol
Nope. Defender caught it
Need to show windows defenders settings. Defender has ASR that prevents downloading of scripts. Was that enabled?
Yes. Worked on this as well as my host OS which is Windows 11 Pro with everything enabled
@TylerRamsbey With everything enabled with Intune Windows Defender this is blocked. Running the exe or copying and pasting the download script gets "Invoke-Expression: This script contains malicious content and has been blocked by your antivirus software." Thanks for the information. I enjoyed trying this. ASR rules with the block! Not sure if ASR is available or enabled without Intune.
Security.Microsoft reports "Suspicious sequence of exploration activities" & "An active 'PsObfus' malware in a PowerShell script was prevented from executing via AMSI"
Is a way to load it in like a pdf file while still executing ps1 script?
Of course, they'd just download and run the extra file (probably from the temp folder) as well as their own code to get in.
@WindowsDaily Oh, that's pretty cool because it would basically cover it
How? I created a simple ps1 file by writing [ Write-Host "Hello" $null = Read-Host ] but as soon as I convert it to an exe file, Windows Defender detects it as a virus 😅
Hahah 😂
Is this also undetectable on Windows 11? Didn't try it yet
Yes
No, not on a fully patched machine. Just tested it on 21H2 and it was fine, but it gets blocked on 22H2
Once again, AV Evasion techniques usually only last a few weeks until they are patched - especially when the technique is made public.
Windows Defender blocked 😢
Windows doesn't seem to detect netcat x64.exe, but it does detect netcat x32.exe. I don't know why this is
Detected by Kaspersky ;)
AV doesn't detect the executable because you created it; try downloading it from a web page using Chrome, then AV will detect it easily.
README - you can literally ask ChatGPT to make you a reverse shell and listener, and for some reason it evades Defender. Use PyInstaller to turn it into an exe if you want; it still evades.
Can you send me more details about this please
this is so simple, anyone can do this. wow.
Dang, downloading the stage 1 got detected, ain't no way Google detected it and Windows' immediate action of blue screen
AV Bypasses usually only last a few weeks or a month -- they quickly get detected when released to the public (like this one).
@TylerRamsbey Yeah, didn't expect it to be patched that fast hahahaa 😂 They sure are undefeated man, I swear I be going weeks straight and not be able to do it. Although what I managed to do is bypass all antivirus applications, which is just impressive to me, but I can't forget that I can't bypass Windows.
not working anymore
really
Well, just to update everyone. Windows Defender caught me the second I tried to save the .exe to my desktop. Got the notification and a few seconds later it deleted it from my desktop. Lol, I find it ironic that you have a "shush" face on this video while you're actively telling the entire world. And yet again this method is now obsolete. Only took a few months.
That's how AV Evasion works -- it's a cat and mouse game. Also, I'm on the ethical side of things. I'm totally fine with Windows Defender picking up on this now. I have other methods I use for pentesting that I do not share with the public.
@TylerRamsbey So what happens to cybersecurity when inevitably every vulnerability is patched? Seems like we ain't too far away. Everything will be secure through automated processes and then our whole industry will be legacy, not just the programs. Seems like everyone was a hacker until hackers started going to jail, and now everyone wants to be on the cybersecurity side. When you've got a million guards in one area, eventually the area's impenetrable. Then the guards are just standing around with their thumbs up their ass.
It gets detected
Yup, that's the cat & mouse game of AV Evasion. Usually if you find a method to evade and share it with the public, it will be patched within a few weeks.
That Windows version looks old.
It is Windows Server because I didn't want to share my host OS on stream. That being said, it also worked on my host OS which is Windows 11. But due to the nature of AV Evasion, this is now detected by Defender.
Generally when you find an AV Bypass and release it to the public, it will only remain valid for a few weeks before it's patched.
man I thought it was going to be actual coding, not script kiddie stuff
First comment thanks bro
Thank you for the support!
patched