Creating a .EXE Binary that FULLY Evades Windows Defender (AGAIN!) in 2024!

You are a saint sir. It is so difficult to find relevant pentesting content that is applicable to the real world and not just a lab environment. THANK YOU! As of January 14th this works, however within a few seconds of getting the shell Defender notices and kicks you out.
Edit: It's actually a bit spotty, the first time I tested it I lost the shell in a few seconds. The second time I tested - I maintained the shell for as long as I wanted. Time to see if we can get an obfuscated meterpreter shell to run in memory successfully so that we can dump the SAM.

I been researching about this topic for a while now but couldn't find anything about it, but now finally I have found this video of yours and done it and learnt it.
Love from pakistan and keep it up

Beautiful work

Nice. I have not seen your channel before but I am subbed now. This was a perfect mix of explanation and being concise.

Great Video as usual, you dont have near enough subs.

This is dope! Thanks for the great video, you just earned a new subscriber!

Great vid!!Will try this later this afternoon👍🏼

Cool video! Love your content! Would be looking forward to more interesting contents in the future! 😊😊

That is absolutely insane. Have to try it out on my home lab

Letttsssss gooooo, that was awesome.

Awesome as usual

so it's been 4 months now but it'll work as long as you dont touch the disk since defender is super stupid. i wrote a simple dropper in C over smb today (april 1st) and loaded the raw shell over straight into memory - defender is silent. didn't obfuscate the dropper executable. Not april fool's. in fact i think it could work over https too

Quite informative!!

Thank You!

I tried it. defender is able to detect it at stage 2.

Please what do you mean Av evasion ?? Veil ?? Or another thing

Lol I hate to be this guy. And I love your content. But it's such a love/hate feeling. Because we can only find so many unpatched holes in the wall before the wall is eventually sealed up tight. Lol I watch your videos and they work 100% which says a lot. And then a month later defenders onto us lol

Hello, can you teach us what to do if ever we're the victims of such tricks?

How? I created a simple ps1 file by writing [ Write-Host "Hello" $null = Read-Host ] but as soon as I convert it to an exe file, Windows Defender detects it as a virus 😅

Still work perfectly, but how tf do you escalate privileges ? I can't transfer the shell to a meterpreter, or download any file through it. I can only do basics windows commands like cd, dir, etc (while i'm 100% sure on a Powershell shell)

Would this type of stealth evade other anti-virus packages like Sophos, Eset, Bit Defender, etc?

Awesome!

my brother has laptop i maked this script in my pc same like you but when i run the exe on his laptop it did not work instant message from defender virus and thrert found

Awesome

At the moment that the victim try to download that .exe, Windows Defender is gonna tell the victim that this is a virus

I actully worked, I tried 2nd time it failed. Not it any OS in my network. By the way Loved your concept.

README - you can literally ask chatgpt to make you a reverse shell and listener and for some reason it evades defender use pyinstaller to turn to exe if you want still evades

Is this also undetectable on Windows 11? didnt try it yet

Av doesn't detect the executable because you created it, try downloading it from a web page using chrome then av will detect it easly

Ur using old windows 10

Windows Defender blocked 😢

Windows doesn't seem to detect netcat x64.exe, but it does detect netcat x32.exe. I don't know why this is

👏👏👏👏👏👏

@Tyler Ramsbey you said it's important for pentesters to have a Windows virtual machine. My laptop has a maximum of 8GB RAM and I am therefore running Kali Linux as the host OS. I have Windows 7, Windows 10 and Windows 11 iso files I can use. Which would you recommend I install as a virtual machine on my pentesting laptop?

When you execute pwsh reverse shell on memory, can AMSI detect that?
We have to disable it?

Is a way to load it in like a pdf file while still executing ps1 script?

Well just to update everyone. Windows defender caught me the second i tried to save the .exe to my desktop. Got the notification and a few seconds later it deleted it from my desktop. Lol i find it ironic that you have a "shush" face on this video while youre actively telling the entire world. And yet again this method is now obsolete. Only took a few months.

Nope. Defender caught it

please help tyler! how do I fix: 1. a parameter cannot be found that matches parameter name 'Url' 2. Exception calling 'GetString' with '1' argument(s): "Array cannot be null. Parameter name: bytes" and 3. Cannot bind argument to parameter 'Command' because it is null. Thanks

How to do for Mac Machine ?

what about smartscreen?

What rule can one put to detect ?

Is this relevant to OSEP?

Need to show windows defenders settings. Defender has ASR that prevents downloading of scripts. Was that enabled?

dang downloading the stage 1 got detected aint no way google detected and windows immediate action of blue screen

Detected by kaspersky ;)

this is so simple, anyone can do this. wow.

not working anymore

man I thought it was going to be actual coding, not script kiddie stuff

It gets detected

e

That windows version looks old.

First comment thanks bro

patched

But doesn’t windows warn, that the file could be milicious?In the new versions windows even „flags“(not sure what exactly it does) files inside of downloads zip files(as long as you unzip it with explorer)?

Discussed this technique today in class. Tried and it worked. Thanks

Just curious, would an attack like this always be detected by the top AV's such as Kaspersky and BitDefender?