bytecode77 / living-off-the-land

Fileless attack with persistence
https://bytecode77.com/living-off-the-land
BSD 2-Clause "Simplified" License

Windows defender detection #10

Closed FZKiritsugu closed 2 years ago

FZKiritsugu commented 2 years ago
Trojan:MSIL/AgentTesla.JMX!MTB

amsi: \Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

mshtA "JAvascRIPt:close(new ActiveXObject('WSc'+'riPT'+'.ShE'+'ll').run('pOwE'+'rSH'+'ELl \"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\\\"SOFTwArE\\\").GetValue($null)).EntryPoint.Invoke(0,$nuLL)\"',0))"

Windows Defender won't run it, is there any alternative? You have a lot fewer options when trying to run fileless...

bytecode77 commented 2 years ago

I see that you're trying to evade signatures, which is the right way. AMSI means that PowerShell will send the command to the AV scanner, which will then analyze it - based on signatures only. Since you can't patch amsi.dll in 260 chars of code, you need to modify the command line and figure out which part of the string is triggering Defender.

You can do that by opening powershell and pasting only parts of the commandline until you find out what is offending Windows Defender. Then you can do specific modifications to avoid that particular signature.

This might be tricky... Only thing to keep in mind: any code snippet that you can read for free online will already have a signature. You need to write something yourself and not publish it online.

FZKiritsugu commented 2 years ago

Thank you for your detailed explanation. The part of the string that is triggering Windows Defender could be anything? For example [Reflection.Assembly] or ActiveXObject? Because then that'd be hard to modify without creating an entirely different command that is also less than 260 characters, as you mentioned.

The only way I could think of (within 260 characters) is using PowerShell IEX, but it requires an internet connection, plus it's probably the most used one, so it'd be harder to evade AV.

bytecode77 commented 2 years ago

Yes, it can be something as trivial as EntryPoint.Invoke. You could try to enter the commandline in Powershell and write something like EnXXX.XXXoke instead of EntryPoint.Invoke and execute it to test whether that is triggering AV.

I don't have a solution to fix this - usually it takes some days to change the PowerShell command line to evade AVs. So be patient, think outside the box and just try it out ;)

FZKiritsugu commented 2 years ago

Thank you! I mostly just made all available letters randomly upper- and lowercase; hopefully that alone bypasses Windows Defender.

bytecode77 commented 2 years ago

Afaik, AMSI is case-insensitive, but it doesn't hurt to randomize casing. Maybe some AV will fall even for that.

The real burden is that you need to adjust the PowerShell command line until it is no longer detected, which is very time-consuming, and in some cases you can't really remove crucial parts of the code. Trial and error is your friend here, as is finding a way around using whatever gets detected.

Of course, when you distribute your binary, it will eventually get detected again and you need to repeat the whole process. This is the main reason why I do not fix such detection issues.

Well, good luck then ;)

FZKiritsugu commented 2 years ago

Oh well, it is what it is; it's just a bit hard to change and find a command that is less than 260 characters. Thank you for all the information you've given me!
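From the detection side, the two points made in this thread (AMSI matches case-insensitively, and the stage-one command line splits its keywords into '+'-joined fragments) suggest what a command-line triage rule has to do before matching. The script below is an added example, not code from this repository or from either participant: it lower-cases a process-creation command line, re-joins the concatenated string fragments, and then looks for the mshta javascript: / WScript.Shell / PowerShell-loads-assembly-from-registry chain. The sample command lines and indicator names are constructed for the example.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first mirrors the obfuscated one-liner discussed in this issue.
SAMPLE_CMDLINES = [
    r'''mshtA "JAvascRIPt:close(new ActiveXObject('WSc'+'riPT'+'.ShE'+'ll').run('pOwE'+'rSH'+'ELl \"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(\\\"SOFTwArE\\\").GetValue($null)).EntryPoint.Invoke(0,$nuLL)\"',0))"''',
    "powershell.exe -NoProfile -Command Get-Process",
    r"mshta.exe C:\Users\Public\page.hta",
]

# Indicators for the stage-one chain; matched on the normalized line (constructed names).
INDICATORS = {
    "mshta_script_protocol": r"\bmshta(?:\.exe)?\s+\"?(?:javascript|vbscript):",
    "wscript_shell_from_script": r"activexobject\(\s*['\"]wscript\.shell['\"]\s*\)",
    "assembly_load_from_registry": r"\[reflection\.assembly\]::load\(.*\[microsoft\.win32\.registry\]::",
    "entrypoint_invoke": r"\.entrypoint\.invoke\(",
}

# 'abc'+'def'  ->  'abcdef'   (single-quoted JScript fragments, as in the sample)
_JOIN = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize(cmdline):
    """Lower-case the line (casing tricks must not matter to a detector, just as
    they do not matter to AMSI) and re-join 'a'+'b' fragments until the text is
    stable, so that split keywords such as 'wscript.shell' become visible."""
    s = cmdline.lower()
    while True:
        joined = _JOIN.sub(r"'\1\2'", s)
        if joined == s:
            return s
        s = joined


def scan(cmdline):
    """Return the indicators that fire on one command line plus a verdict."""
    norm = normalize(cmdline)
    hits = {name for name, pat in INDICATORS.items() if re.search(pat, norm)}
    if {"assembly_load_from_registry", "entrypoint_invoke"} <= hits:
        verdict = "high"    # in-memory load of a registry-stored assembly
    elif hits:
        verdict = "medium"  # one link of the chain on its own
    else:
        verdict = "none"
    return {"verdict": verdict, "hits": hits, "normalized": norm}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = scan(line)
        print(result["verdict"], sorted(result["hits"]), line[:60])
```

The join regex is deliberately simple (it only understands single-quoted fragments joined with '+'); a production rule would also have to de-obfuscate double-quoted and format-string concatenation.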