Creating a .EXE Binary that FULLY Evades Windows Defender (AGAIN!) in 2024!
- Published on 26 Sep 2024
- Join the Hack Smarter community: hacksmarter.org
AV Evasion is a cat & mouse game. In this video, I become the mouse who evades the cat (again) by creating a .exe binary that fully evades Windows Defender and provides the attacker with a stable reverse shell. This is working as of January 5th, 2024.
Here are the resources mentioned in the video:
Powershell Script: github.com/gh0...
ps2exe: www.powershell...
THM Stealth Room: tryhackme.com/...
Happy hacking!
You are a saint, sir. It is so difficult to find relevant pentesting content that is applicable to the real world and not just a lab environment. THANK YOU! As of January 14th this works; however, within a few seconds of getting the shell Defender notices and kicks you out.
Edit: It's actually a bit spotty. The first time I tested it I lost the shell in a few seconds. The second time I tested, I maintained the shell for as long as I wanted. Time to see if we can get an obfuscated meterpreter shell to run in memory successfully so that we can dump the SAM.
I've been researching this topic for a while now but couldn't find anything about it, but now I have finally found this video of yours, done it and learnt it.
Love from Pakistan, and keep it up.
Does this method still work?
@Rmally6 yeah, if you have more ideas about it please let me know 🙂
Thanks
@wajdaanali I didn't understand! What do you mean?
Beautiful work
Nice. I have not seen your channel before but I am subbed now. This was a perfect mix of explanation and being concise.
Great video as usual, you don't have nearly enough subs.
This is dope! Thanks for the great video, you just earned a new subscriber!
Great vid!! Will try this later this afternoon 👍🏼
Cool video! Love your content! Would be looking forward to more interesting contents in the future! 😊😊
That is absolutely insane. Have to try it out on my home lab
Letttsssss gooooo, that was awesome.
Awesome as usual
So it's been 4 months now, but it'll work as long as you don't touch the disk, since Defender is super stupid. I wrote a simple dropper in C over SMB today (April 1st) and loaded the raw shell straight into memory; Defender is silent. Didn't obfuscate the dropper executable. Not an April Fools'. In fact I think it could work over HTTPS too.
Quite informative!!
Thank You!
I tried it. Defender is able to detect it at stage 2.
Please, what do you mean by AV evasion? Veil? Or another thing?
Lol, I hate to be this guy. And I love your content. But it's such a love/hate feeling, because we can only find so many unpatched holes in the wall before the wall is eventually sealed up tight. Lol, I watch your videos and they work 100%, which says a lot. And then a month later Defender's onto us, lol.
Hello, can you teach us what to do if ever we're the victims of such tricks?
How? I created a simple ps1 file by writing [ Write-Host "Hello" $null = Read-Host ] but as soon as I convert it to an exe file, Windows Defender detects it as a virus 😅
Hahah 😂
Still works perfectly, but how tf do you escalate privileges? I can't transfer the shell to a meterpreter, or download any file through it. I can only do basic Windows commands like cd, dir, etc. (while I'm 100% sure I'm in a PowerShell shell).
Would this type of stealth evade other anti-virus packages like Sophos, Eset, Bit Defender, etc?
Awesome!
My brother has a laptop. I made this script on my PC the same as you, but when I run the exe on his laptop it did not work: instant message from Defender, virus and threat found.
lol... First, you shouldn't be touching anyone's computer (including your brother's) without explicit permission.
Second, the moment I make an AV Evasion method public, it will no longer work because Windows Defender will pick up on it.
Third, if you cannot figure out how to bypass AV on your own - you shouldn't be messing with people's computers.
@TylerRamsbey no, I asked my brother to test this script on his laptop and he agreed, so then I tested it on his PC.
@TylerRamsbey how can I contact you bro?
Awesome
At the moment the victim tries to download that .exe, Windows Defender is going to tell the victim that this is a virus.
Use C# bro.
@Jamaal_Ahmed use C# in which part?
It actually worked; I tried a 2nd time and it failed. Not on any OS in my network. By the way, loved your concept.
README: you can literally ask ChatGPT to make you a reverse shell and listener, and for some reason it evades Defender. Use PyInstaller to turn it into an exe if you want; it still evades.
Can you send me more details about this please
Is this also undetectable on Windows 11? Didn't try it yet.
Yes
No, not on a fully patched machine. Just tested it on 21H2 and it was fine, but it gets blocked on 22H2.
Once again, AV Evasion techniques usually only last a few weeks until they are patched - especially when the technique is made public.
AV doesn't detect the executable because you created it. Try downloading it from a web page using Chrome, then AV will detect it easily.
Yep, what I figured would be the case as well.
@@digitalcivilulydighed can we cooperate
You're using old Windows 10.
Windows Defender blocked 😢
You need to obfuscate the code
Windows doesn't seem to detect netcat x64.exe, but it does detect netcat x32.exe. I don't know why this is
👏👏👏👏👏👏
@Tyler Ramsbey you said it's important for pentesters to have a Windows virtual machine. My laptop has a maximum of 8GB RAM and I am therefore running Kali Linux as the host OS. I have Windows 7, Windows 10 and Windows 11 iso files I can use. Which would you recommend I install as a virtual machine on my pentesting laptop?
10
When you execute the pwsh reverse shell in memory, can AMSI detect that?
We have to disable it?
Is there a way to load it into something like a PDF file while still executing the ps1 script?
Of course, they'd just download and run the extra file (probably from the temp folder) as well as their own code to get in.
@WindowsDaily Oh, that's pretty cool because it would basically cover it.
Well, just to update everyone: Windows Defender caught me the second I tried to save the .exe to my desktop. Got the notification, and a few seconds later it deleted it from my desktop. Lol, I find it ironic that you have a "shush" face on this video while you're actively telling the entire world. And yet again this method is now obsolete. Only took a few months.
That's how AV Evasion works -- it's a cat and mouse game. Also, I'm on the ethical side of things. I'm totally fine with Windows Defender picking up on this now. I have other methods I use for pentesting that I do not share with the public.
@TylerRamsbey so what happens to cybersecurity when inevitably every vulnerability is patched? Seems like we ain't too far away. Everything will be secure through automated processes, and then our whole industry will be legacy, not just the programs. Seems like everyone was a hacker until hackers started going to jail, and now everyone wants to be on the cybersecurity side. When you've got a million guards in one area, eventually the area's impenetrable. Then the guards are just standing around with their thumbs up their asses.
How can I learn advanced penetration testing, like making these types of reverse shells? @TylerRamsbey
Nope. Defender caught it
Please help, Tyler! How do I fix: 1. "A parameter cannot be found that matches parameter name 'Url'", 2. "Exception calling 'GetString' with '1' argument(s): "Array cannot be null. Parameter name: bytes"", and 3. "Cannot bind argument to parameter 'Command' because it is null". Thanks
Bro, use ChatGPT to fix the error.
I have the same problem
How to do it for a Mac machine?
What about SmartScreen?
What rule can one put in to detect it?
Is this relevant to OSEP?
Need to show Windows Defender's settings. Defender has ASR rules that prevent downloading of scripts. Was that enabled?
Yes. Worked on this as well as my host OS which is Windows 11 Pro with everything enabled
@TylerRamsbey With everything enabled in Intune Windows Defender this is blocked. Running the exe or copying and pasting the download script gets "Invoke-Expression: This script contains malicious content and has been blocked by your antivirus software." Thanks for the information. I enjoyed trying this. ASR rules with the block! Not sure if ASR is available or enabled without Intune.
Security.Microsoft reports "Suspicious sequence of exploration activities" & "An active 'PsObfus' malware in a PowerShell script was prevented from executing via AMSI"
Dang, downloading stage 1 got detected. Ain't no way Google detected it, and Windows took immediate action with a blue screen.
AV Bypasses usually only last a few weeks or a month -- they quickly get detected when released to the public (like this one).
@TylerRamsbey yeah, didn't expect them to patch that fast hahaha 😂 They sure are undefeated, man. I swear I've been going weeks straight and not been able to do it. Although what I managed to do is bypass all the other antivirus applications, which is just impressive to me, but I can't forget that I can't bypass Windows.
Detected by Kaspersky ;)
this is so simple, anyone can do this. wow.
not working anymore
really
man I thought it was going to be actual coding, not script kiddie stuff
It gets detected
Yup, that's the cat & mouse game of AV Evasion. Usually if you find a method to evade and share it with the public, it will be patched within a few weeks.
That Windows version looks old.
It is Windows Server because I didn't want to share my host OS on stream. That being said, it also worked on my host OS which is Windows 11. But due to the nature of AV Evasion, this is now detected by Defender.
Generally when you find an AV Bypass and release it to the public, it will only remain valid for a few weeks before it's patched.
First comment thanks bro
Thank you for the support!
patched
But doesn't Windows warn that the file could be malicious? In the new versions Windows even "flags" (not sure what exactly it does) files inside of downloaded zip files (as long as you unzip them with Explorer)?
Discussed this technique today in class. Tried and it worked. Thanks
Wow, that's awesome! Did the teacher use this video, or did you just stumble across it while looking into the technique?
@TylerRamsbey He suggested it. I came here, watched your video and implemented it.
How can I contact you bro @TylerRamsbey
Just curious, would an attack like this always be detected by the top AVs such as Kaspersky and Bitdefender?
Tried it on Avira and Avast Premium AV and it bypassed them, but Kaspersky and Bitdefender didn't... A custom-coded payload will have no bad signatures, so it will bypass them.