SafeBreach-Labs / WindowsDowndate

A tool that takes over Windows Updates to craft custom downgrades and expose past fixed vulnerabilities
BSD 3-Clause "New" or "Revised" License
525 stars 65 forks

DO NOT DOWNLOAD .exe binary - CONTAINS MALWARE: "Wacatac" #2

Closed GeldHades27355 closed 1 month ago

GeldHades27355 commented 1 month ago

[Screenshot 2024-08-30 154409]

Both free Windows Defender and Microsoft Defender for Endpoint (for M365) immediately detect and block the .exe.

So it doesn't work.

0xDeku commented 1 month ago

Since the tool is public, security vendors are basing detections on it. This is not an issue with the tool.

GeldHades27355 commented 1 month ago

Please explain.

  1. Wacatac has been in MSFT signatures since 2022. How does that relate to this tool - which is supposedly new?
  2. If this tool is designed to downdate Windows but is thwarted even by the standard/free Defender (also tested), what's the point of having the binary in the first place?
  3. How does your tool match an existing, known other malware signature?

Simply put: it doesn't work.

0xDeku commented 1 month ago

The Wacatac classification is a mis-classification. Windows Defender detects PyInstaller executables as Wacatac sometimes, as you can see here - https://github.com/pyinstaller/pyinstaller/issues/5854

GeldHades27355 commented 1 month ago

How does that change the fact that the binary is blocked on Windows?

subvert0r commented 3 weeks ago

> How does that change the fact that the binary is blocked on Windows?

Are you new to this field? Their executable just matches a Microsoft signature, my boy. This is a hacktool, what did you expect?

GeldHades27355 commented 3 weeks ago

How utterly offensive. Is that the tone you want to set here? Really? Ok, so be it.

First of all, I'm talking about the BINARY .exe, not the source code. Just to be clear.

  1. Looks like you, "my boy", and/or the team who released the binary are new to the field - if you make a known mistake that renders the binary useless from the get-go by including software that blocks it from running on literally EVERY Windows device on the planet. 🤦
  2. You're trying to prove a point - namely that you can hack Windows open again. Well it certainly won't work with the binary you provided. Just raises some concern whether you / the team know how Defender works.
  3. You just proved my point. If this "hacktool" is blocked by basic Defender, it's not much of a hacktool, is it?

Here's what you COULD do: build a binary that actually runs on Windows and then post back. In the meantime, I am telling every Windows expert I know that your binary does nothing.

Because you can argue all you want: the binary doesn't work. Hence, it's worth an issue reported here - which I did. Instead of addressing it, the team chose to bury it. 🤣

Truth be told, I was actually looking forward to testing this on our secured M365 tenant's joined Windows devices to see if and what sort of damage it can do. But the only damage I can see to date is ZERO. Because you won't help folks actually repro your findings and reports.

This has been one of the most unprofessional engagements I've had with anyone in the cybersecurity biz - and that's saying a lot.

GeldHades27355 commented 3 weeks ago

UPDATE:

  1. Official Python Installers from https://www.python.org/downloads/release/python-3125/ work just fine. How come you're not using those?
  2. Even the python source code will neither download, nor copy to nor open/execute on any Windows device tested.

As of now, this hack doesn't work - at all.

0xDeku commented 3 weeks ago

The issue you're describing is common across nearly all offensive tools globally. There are several workarounds for static detections: you can recompile with PyInstaller to generate a new executable that won't be immediately flagged, run the Python source directly with an interpreter, obfuscate the files (either the source code or the compiled binaries) and more. However, these actions are beyond the scope of this repository and are the responsibility of the user to implement if desired. This approach aligns with industry standards for tools of this nature.

If you encounter any issues with the tool's functionality, please feel free to open additional issues.
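A quick triage check for the point raised in this thread (that the Wacatac hit is Defender's generic heuristic for PyInstaller-built executables, and that running the Python source directly sidesteps it). The script below is an added example, not code from the WindowsDowndate repository or from anyone in this thread: it looks for the PyInstaller archive cookie that the PyInstaller bootloader appends to every onefile/onedir executable and parses it. The magic bytes and cookie layout are the ones from PyInstaller's own bootloader (`pyi_archive.h` / `CArchiveReader`); the "bundle" fed to it here is constructed in-script (an MZ stub plus a filler package and a packed cookie), not a real executable.

```python
import struct

# Constants from PyInstaller's bootloader (pyi_archive.h / CArchiveReader): the
# bootloader locates its embedded archive by scanning backwards for this magic.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
# Cookie layout (PyInstaller >= 2.1, big-endian): magic, package length,
# TOC offset, TOC length, Python version (e.g. 312), Python DLL name (64 bytes).
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes
TAIL_SCAN = 1024 * 1024  # only the last MiB is searched, as the bootloader does


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed PyInstaller cookie if `data` ends in a PyInstaller
    archive, else None. Only the file tail is searched so a stray copy of the
    magic string early in a large file does not produce a false positive."""
    tail_start = max(0, len(data) - TAIL_SCAN)
    pos = data.rfind(PYINST_MAGIC, tail_start)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, data, pos
    )
    # Sanity-check the fields so random occurrences of the magic are rejected.
    if toc_off + toc_len > pkg_len or pkg_len > len(data):
        return None
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": pyvers,
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "cookie_offset": pos,
    }


def is_pyinstaller_bundle(data: bytes) -> bool:
    return find_pyinstaller_cookie(data) is not None


def build_fake_bundle(pyvers: int = 312, pylib: bytes = b"python312.dll") -> bytes:
    """Constructed test input standing in for a PE with a PyInstaller overlay.
    The 'PE' is just an MZ header plus filler; the overlay is a filler package
    followed by a correctly packed cookie. It is not a runnable executable."""
    pe_stub = b"MZ" + b"\x90" * 510
    toc = b"\0" * 32
    package_body = b"\0" * 200 + toc
    pkg_len = len(package_body) + COOKIE_SIZE  # cookie counts toward the package
    cookie = struct.pack(
        COOKIE_FMT, PYINST_MAGIC, pkg_len,
        len(package_body) - len(toc), len(toc), pyvers, pylib.ljust(64, b"\0"),
    )
    return pe_stub + package_body + cookie


def check_file(path: str):
    """Parse a real file from disk (e.g. the downloaded .exe) the same way."""
    with open(path, "rb") as f:
        return find_pyinstaller_cookie(f.read())


if __name__ == "__main__":
    import sys
    print("constructed sample:", find_pyinstaller_cookie(build_fake_bundle()))
    for p in sys.argv[1:]:
        print(p, check_file(p))
```

A positive result only tells you the file was produced by PyInstaller (and which interpreter version and DLL it carries), which is exactly what Defender's PyInstaller heuristic keys on; it says nothing about whether the bundled Python code is benign, so it is a triage hint, not a verdict. Running the tool from source with an interpreter, as suggested above, avoids shipping that bootloader at all.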