[BUG] Stage2-Core.ps1 gets flagged by Windows Defender
0xvm opened this issue
Description
Windows Defender with definitions 1.321.1947.0 (22 Aug 2020) flags Stage2-Core.ps1 as malicious.
This results in the Stage2-Core.ps1 functions not getting loaded (although the implant successfully connects and communicates with the C2 server).
The offending function appears to be "Get-Screenshot". One can either delete the offending function or modify/obfuscate it. A rather simplistic example that evades Defender while retaining functionality is here: 0xvm@dc0eb34.
Execution Environment:
Data | Value |
---|---|
Full Posh version (all the text between the === at the top of the Implant Handler) | =============== PoshC2 v7.0 (837846a 2020-08-20 22:12:50) =============== |
OS & version | Clients: Windows 10 x64 1809 and Windows 10 x64 1910, Server: Linux Kali 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64 GNU/Linux |
Using Docker/containerisation? | Nope. |
Implant Info
- What implant does the problem occur on? PowerShell (haven't tested others).
- How was the implant created? Running a default payload? Inject-shellcode? Custom payload? Vanilla payload as created with posh-project -> posh-config -> posh-server (minor modifications have been made to the fronting and pbind options, but they are not relevant here).
Defensive Technologies
- Is the target environment running any particular defensive products? AVs/EDRs etc? The target is running a fully updated Windows Defender as of 22 Aug 2020, definitions 1.321.1947.0
To Reproduce
Steps to reproduce the behavior:
- Create a new posh project.
- Start posh-server and the implant handler.
- Execute the PowerShell encoded-command variant on the target (i.e. powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkA .... [snipped]).
- Following the initial communication with the C2 the implant attempts to load Stage2-Core.ps1, however this gets flagged by Windows Defender [refer to screenshot below].
- Trying to execute any function listed in Stage2-Core.ps1, such as Get-Proxy, will result in an error [refer to screenshot below].
Expected behavior
Stage2-Core.ps1 should be able to evade Windows Defender
Screenshots
Additional context
- The Get-ScreenshotMulti function depends on Get-Screenshot, however it does not appear to work on my setup even after modifying Get-Screenshot to evade Defender.
- The Get-ScreenshotAllWindows function does not appear to work on my setup at all.
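The report above narrows the detection down to Get-Screenshot by hand. The script below, added here as an example and not code from PoshC2 or the issue author, automates that bisection: it splits a script into its top-level function definitions with the PowerShell parser, writes each one to its own file, and asks Defender's command-line scanner about each file. It assumes MpCmdRun.exe at its default install location, Defender's documented exit code of 2 for "threat found", and a script path given as an argument (the default path is an assumption).

```powershell
# Added example, not part of PoshC2: bisect a PowerShell script by top-level
# function to find which definitions Windows Defender flags. Assumes
# MpCmdRun.exe at its default location; the default script path is an assumption.
param(
    [string]$ScriptPath = '.\Stage2-Core.ps1'
)

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }
$ScriptPath = (Resolve-Path $ScriptPath).Path

# Use the PowerShell parser rather than a regex so nested braces and
# here-strings do not confuse the split into functions.
$tokens = $null
$errors = $null
$ast = [System.Management.Automation.Language.Parser]::ParseFile($ScriptPath, [ref]$tokens, [ref]$errors)
if ($errors.Count -gt 0) { throw "Parse error in ${ScriptPath}: $($errors[0].Message)" }

# Top-level function definitions only; nested functions stay with their parent.
$functions = $ast.FindAll(
    { param($node) $node -is [System.Management.Automation.Language.FunctionDefinitionAst] },
    $false)

$tmpDir = Join-Path $env:TEMP ('ps-bisect-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $tmpDir | Out-Null

$results = foreach ($fn in $functions) {
    $file = Join-Path $tmpDir ($fn.Name + '.ps1')
    # Each function's complete source text (its Extent) goes into its own file.
    Set-Content -Path $file -Value $fn.Extent.Text -Encoding UTF8

    if (Test-Path $file) {
        # ScanType 3 = custom scan of one file; -DisableRemediation only reports.
        # MpCmdRun exits 0 when the file is clean and 2 when a threat is found.
        & $MpCmdRun -Scan -ScanType 3 -File $file -DisableRemediation | Out-Null
        $flagged = ($LASTEXITCODE -eq 2)
    } else {
        # Real-time protection removed the file as soon as it was written.
        $flagged = $true
    }

    [pscustomobject]@{
        Function = $fn.Name
        Lines    = '{0}-{1}' -f $fn.Extent.StartLineNumber, $fn.Extent.EndLineNumber
        Flagged  = $flagged
    }
}

Remove-Item -Path $tmpDir -Recurse -Force -ErrorAction SilentlyContinue
$results | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Run it on a test host with current definitions, not on a target. If every per-function file comes back clean while the whole file is still flagged, the signature is matching across function boundaries; in that case bisect by halves of the file instead of by function.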
Thanks for the heads up! That's a nice find. I think in the first instance we will pull out the Get-Screenshot functions from Stage2-Core.ps1 and try again. My suspicion is it's Get-ScreenshotMulti, as it uses Add-Type, which we could put into a separate function to start with.
If you fancy giving that a go and doing a PR, that would be very helpful; I don't mind helping get it through. If not, I'll have a look when I get a second.
Many thanks for the quick reply,
I submitted pull request #165
Let me know what you think; I'll be happy to review this further.
Thanks, I was also adding some of this to a separate file when you raised it, before you did this PR - #171. Let me know if this fixes it; otherwise I'll merge your PR.