Closed GeldHades27355 closed 1 month ago
Since the tool is public, security vendors are basing detections on it. This is not an issue with the tool.
Please explain.
Simply put: it doesn't work.
The Wacatac classification is a misclassification. Windows Defender sometimes detects PyInstaller executables as Wacatac, as you can see here - https://github.com/pyinstaller/pyinstaller/issues/5854
How does that change the fact that the binary is blocked on Windows?
Are you new to this field? Their executable just matches a Microsoft signature, my boy. This is a hacktool; what did you expect?
How utterly offensive. Is that the tone you want to set here? Really? Ok, so be it.
First of all, I'm talking about the BINARY .exe, not the source code. Just to be clear.
Here's what you COULD do: build a binary that actually runs on Windows and then post back. In the meantime, I am telling every Windows expert I know that your binary does nothing.
Because you can argue all you want: the binary doesn't work. Hence, it's worth an issue reported here - which I did. Instead of addressing it, the team chose to bury it. 🤣
Truth be told, I was actually looking forward to testing this on our secured M365 tenant's joined Windows devices to see if and what sort of damage it can do. But the only damage I can see to date is ZERO. Because you won't help folks actually repro your findings and reports.
This has been one of the most unprofessional engagements I've had with anyone in the cybersecurity biz - and that's saying a lot.
UPDATE:
As of now, this hack doesn't work - at all.
The issue you're describing is common across nearly all offensive tools globally. There are several workarounds for static detections: you can recompile with PyInstaller to generate a new executable that won't be immediately flagged, run the Python source directly with an interpreter, obfuscate the files (either the source code or the compiled binaries) and more. However, these actions are beyond the scope of this repository and are the responsibility of the user to implement if desired. This approach aligns with industry standards for tools of this nature.
If you encounter any issues with the tool's functionality, please feel free to open additional issues.
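An added triage example, not code from this repository or its maintainers: before arguing about a Defender or MDE hit on the .exe, establish that the flagged file is actually a PyInstaller one-file bundle (the thread above links the PyInstaller issue where Defender misclassifies such bundles as Wacatac) and record its SHA-256, since any of the rebuild options the maintainer lists will change that hash. The script parses PyInstaller's CArchive cookie at the tail of the file. The sample bundle is constructed inline and is not a real build; the version field value 311 and the library name python311.dll are assumptions modelled on recent PyInstaller releases.

```python
import hashlib
import struct
from typing import Optional

# PyInstaller's CArchive "cookie" (PyInstaller 2.1 and later), stored at the
# end of a one-file bundle: magic, package length, TOC offset, TOC length,
# Python version field, Python shared-library name (64 bytes, NUL-padded).
PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def sha256_hex(data: bytes) -> str:
    """Hash to record alongside the Defender/MDE alert before a rebuild changes it."""
    return hashlib.sha256(data).hexdigest()


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie if `data` looks like a PyInstaller bundle, else None.

    The cookie is the last structure in the archive, so search from the end.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, data, pos
    )
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version_field": pyvers,
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def triage_bytes(data: bytes) -> dict:
    """Summarise a binary: hash, size, and whether it carries a PyInstaller cookie."""
    cookie = find_pyinstaller_cookie(data)
    return {
        "sha256": sha256_hex(data),
        "size": len(data),
        "is_pyinstaller_bundle": cookie is not None,
        "cookie": cookie,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a one-file bundle: fake PE stub, filler, then a cookie.

    Real bundles carry a full bootloader and a compressed archive; only the
    cookie layout is faithful here. Version 311 / python311.dll are assumed.
    """
    stub = b"MZ" + b"\x90" * 254
    payload = b"\x00" * 4096
    cookie = struct.pack(
        COOKIE_FMT,
        PYINST_MAGIC,
        len(payload) + COOKIE_SIZE,  # package length
        len(payload) - 512,          # TOC offset inside the package (arbitrary here)
        512,                         # TOC length (arbitrary here)
        311,                         # assumed encoding of Python 3.11
        b"python311.dll",
    )
    return stub + payload + cookie


if __name__ == "__main__":
    import sys

    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage_bytes(build_sample_bundle())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the flagged .exe as the only argument; with no argument it triages the constructed sample. A cookie hit tells you the Wacatac verdict is at least consistent with the known PyInstaller false-positive pattern; it does not prove the file is clean, and nothing here alters the binary or evades detection.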
Both free Windows Defender and Microsoft Defender for Endpoint (for M365) immediately detect and block the .exe.
So it doesn't work.