Can this BYPASS Windows Defender???
ฝัง
- เผยแพร่เมื่อ 17 มิ.ย. 2024
- If you're learning cybersecurity, specifically any kind of offensive security (ethical hacking, pentesting, red teaming) then you've probably had a run-in with Windows Defender at some point.
It actually does a decent job for what it is and can be a real pain when you're trying to pull off some hack that involves downloading a "malicious" script or program to your target just to wave goodbye to it as Defender promptly ejects it from the system.
Well I wanted to see if I could get around Defender and get shell, so I fired up my favorite text editor and started writing a bit of "fileless" malware using Golang.
After a few days of pure frustration and learning (aren't they really the same thing?) I was greeted with a lovely PowerShell prompt from my target system and Defender was none the wiser.
I present to you "SecUp"
SecUp's Github Repo: github.com/daniellowrie/updat...
#cybersecurity #ethicalhacking #hacker #pentesting #penetrationtesting #blueteam #informationsecurity #cyber #infosec #kalilinux #malware #malwareanlysis #redteam #c2 #ethicalhacker #metasploit - วิทยาศาสตร์และเทคโนโลยี
Daniel , keep up the good work
Thanks! And thanks for watching 😀👍
Very neat ! Impressive skills you have
Thank you very much! 😀
Great stuff, thank you for sharing, and great insight as always.
Thanks, Wayne!
interesting, good video 👍
Thanks! I'm glad you enjoyed it 😃
Pretty neat. Can you speak to what specifically gets this around Pret(Def)ender? Is it just that it doesn't understand golang so well? So all of its triggers that tell it "hey buddy, this is likely a rev shell" are likely based on vb/python/powershell/cmd?
Great question! So some of it is golang, although a lot of malware is written using go so sometimes even a simple "hello, world!" app will get flagged as malicious. The other things that helps this work are the obfuscations and the fact that most of the "malicious" stuff is executed in memory. I didn't go crazy with the obfuscations, or with using techniques that would help it avoid behavioral detections, but I plan on continuing to refine this so that it can take on the modern EDR/XDR systems. 👍
I was thinking he's up early but then I remembered. I live off a totally opposite pond, anyway Happy Monday.
Happy Monday, bro! Hope you enjoy the video 😃
Watching you from ghana...much love boss
Thanks for watching and commenting 💯👍
Nice video Daniel... I tried that script 1 month ago ... I got netcat connection but i tried so many things to priv escalation or vnc connection but i didn't find any way 😢 if you can you make a video on post exploitation will be helpful 😊
Priv esc can be fun LOL! Here's a great github repo with a ton of great Windows Priv Esc techniques, tools, and articles to help you in the mean time. github.com/emilyanncr/Windows-Post-Exploitation#privilege-escalation-guides/wiki
pretty cool
Thanks! Glad you liked it ☺️
you are good at talking
Thanks 😀👍
Last time I saw you were using parrot os now it is Zorin OS, will you make a video on shifting from parrot to zorin
Good eye! Technically I didn't switch. I still run Parrot, but for this script I had been building it on my Zorin workstation, so I just used remote-desktop to show the screen for the video. I do have plans to make a new video about Pentesting/security-focused distros and have discovered a new-to-me distro that has really impressed me. 😉👍
Can you elaborate more on how the tool managed to bypass the defender? does it work also against kaspersky or avast AV maybe?
Sure thing! It bypasses Defender by utilizing a few techniques.
1) updater.exe doesn't necessarily do anything malicious. It just downloads a file from a web server.
2) since it is custom built Defender doesn't have a signature for it
3) the "malicious" payloads are never written to disk
4) one of the payloads bypasses AMSI
5) the payloads are utilizes obfuscations like string encoding and concatenation
Not sure if it will bypass other AV systems, but I'd love to hear the results from you if you end up testing them 👍💯
Hey i just saw u are doing an Av evasion course with red seige is that behind a paywall i was interested but dont knw if its free cause i saw a sign up for free option in ACI Learning platform ??
Hey @firosiam7786
That course is indeed behind the ACI Learning paywall, but is well worth the ticket price. Mike Saunders did a masterful job of explaining and demonstrating the AV-bypass techniques he uses as the Principal Security Consultant/Red Team Lead for Red Siege. Great stuff!
❤
Thanks for the support 😀👍
Is there an easy way to develop a bypass technique like this? I want to solve it myself because the update is fast. But it's hard because I'm not a great developer.
I feel your pain. I too am not a great developer and building this bypass was a bit of a struggle for me, but I loved every minute of it (well maybe not EVERY minute LOL) and I learned a lot.
So, the best advice I have is, don't look for the shortcut. Don't rob yourself of the knowledge and experience that comes from struggling through a problem and learning/failing your way out of it.
I'm not saying you shouldn't ask for help, but don't look for the "easy way" while you're learning. Put the time and effort into making sure you understand what it is you're trying to do and eventually you won't have to label yourself as "not a great developer" (even though you probably will any way. DAMN YOU, IMPOSTER SYNDROME!!!)
All that said, feel free to check out my code and just modify it for your bypass. Looking at other's code is a great way to learn at a faster pace. I'd even suggest you lean on AI a bit. Since you're learning it can be much faster to learn how to do something using AI, then it is to scour stackoverflow or sift through a book, or hit the right link on the google results page. Just make sure that you're not just doing a straight up copy/paste job without understanding what's going on and filling in the gaps with books,videos,tutorials,etc.
Well I hope that helps you out. Now go write some crappy code and then keep massaging it until it does the thing :)
Cheers!
I think it has been patched now, just tried running this today (17th February) and windows caught it as soon as I downloaded the file from the hosted server.
That was quick. All good things come to an end I guess. Thanks for the head's up.
before metaploit what environment did u used to create that l host And l port
Hi and thanks for watching! I'm not 100% sure about what you're asking me, but I'll attempt to answer based on what I think you're asking.
So, I'm just using Metasploit to catch the reverse shell, which is just the good old "exploit/multi/handler" module.
I think what you're referring to is the spot in the video right before we jump to Metasploit (6:26 - 6:46). That is a custom app I built using Golang(SecUp.go). It attempts to automate some of the deployment of the "malicious" payloads and runs a web server.
I hope that clears things up for you.
Cheers!
Ain’t gonna work against big boy defender edr editions huge difference between win 11 defender bs and real defender….
True. That said, this was more of a learning experience for me and a simple proof-of-concept. I do plan on refining it to the point that it can take on those big boy defenders though, so wish me luck 🍀🤞😁
@@daniellowrie xoxoxo definitely worth the watch and you always bring top notch content ….
@@xoxoxo-42 I really appreciate your kind words! And thanks so much for watching 💯👍
hi, i keep getting the "this app cant run on your pc" error anytime i run the updater.exe,
any help?
I would first attempt to execute on a different target to see if the problem is with the app or the OS. I did a quick google search for "this app can't run on your pc" and it looks like this might be a common issue for folks running Windows 11. You could possibly try tweaking the code and/or changing compile options as well. I hope that helps
does not work anymore
Thanks for letting me know. I guess It just goes to show how quickly these things get signatured and that we need to constantly be updating our kit.
Can't run this exe file on windows why that..😢
So sorry to hear that! Are you getting an error?
yes sir, "this app can't run on your PC" error comes😢why that..@@daniellowrie
It needs to have a valid cert signature with a CA. You can self sign but windows doesn’t like unsigned exe’s