guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0

AV detection avoidance #929

Closed VakarisZ closed 3 years ago

VakarisZ commented 3 years ago

Describe the bug

Windows Defender blocks Infection Monkey: (screenshot)

To Reproduce

Steps to reproduce the behavior:

  1. Install 1.9
  2. During the installation process, Defender removes windows-monkey32.exe and the ms08_067.py exploiter.

Expected behavior

We should improve our payload obfuscation mechanism, because it's not the first time this has happened: #801

Possible solutions:

  1. Change obfuscation techniques and apply them to all payloads.
  2. Do not include exploiter PY files in the installer (they are unused anyway).
  3. Rename files so they do not include the name of the actual vuln?

acepace commented 3 years ago

> Do not include exploiter PY files in the installer (they are unused anyway)

This happens just because of some cross requirements, but we can actually remove all the python files.

> Change obfuscation techniques and apply them to all payloads.

Of the Python files? On the agent side, no need, because we don't see AVs parsing PYC files (which is what's deployed IIRC). On the installer, we can just remove the PY files.

VakarisZ commented 3 years ago

I'm not that confident in removing "all python files".

> Of the Python files?

Of payloads in exploiters. I presume that's why, when binaries are built, they get blocked. Maybe some kind of polymorphism would help to avoid this situation in the future?

> On the agent side, no need because we don't see AVs parsing PYC files.

The .py file got flagged. How did they flag it if the payload is already obfuscated?
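The thread's "Possible solutions" list and the polymorphism remark above both point at the same idea: never write the raw payload bytes to disk, and make each build's stored form different so a byte signature lifted from one release does not match the next. The block below is an added example of that technique; it is not Infection Monkey code and not code from any commenter, and it says nothing about how the project actually obfuscates its exploiters. `SAMPLE_PAYLOAD` is a constructed stand-in for a shellcode blob, and the function names, the SHA-256-based keystream and the generated module layout are all assumptions made for the illustration.

```python
"""
Added example (not Infection Monkey code): store a payload under a per-build
random XOR key so the bytes on disk never contain the raw payload, and check
that a naive byte-signature scan of the stored form no longer matches.
"""
import hashlib
import os

# Constructed stand-in for an exploiter's embedded shellcode. The ASCII run in
# the middle plays the role of the byte sequence an AV signature would match.
SAMPLE_PAYLOAD = b"\x90\x90\x90\xcc" + b"SIGNATURE_BYTES_AV_WOULD_MATCH" + b"\xc3"
SIGNATURE = b"SIGNATURE_BYTES_AV_WOULD_MATCH"


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (assumed construction, not a real
    cipher mode): deterministic for a given key, so decode mirrors encode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encode_payload(payload: bytes, key: bytes = None):
    """Return (key, blob) with blob = payload XOR keystream(key).

    A fresh random key per build means every build writes different bytes,
    which is the cheap form of 'polymorphism' the thread floats."""
    if key is None:
        key = os.urandom(16)
    if len(key) < 16:
        raise ValueError("key must be at least 16 bytes")
    stream = _keystream(key, len(payload))
    return key, bytes(p ^ s for p, s in zip(payload, stream))


def decode_payload(key: bytes, blob: bytes) -> bytes:
    """Inverse of encode_payload; XOR with the same keystream."""
    return bytes(b ^ s for b, s in zip(blob, _keystream(key, len(blob))))


def contains_plaintext(data: bytes, signature: bytes) -> bool:
    """Model of a naive on-disk byte-signature scan."""
    return signature in data


def render_source_module(key: bytes, blob: bytes) -> str:
    """Emit the Python source a build step would write in place of a raw
    payload literal. The module rebuilds the payload only when payload() is
    called, so the plain bytes never sit in the source file."""
    return (
        "import hashlib\n"
        f"_KEY = {key!r}\n"
        f"_BLOB = {blob!r}\n"
        "def _ks(key, n):\n"
        "    out = bytearray(); c = 0\n"
        "    while len(out) < n:\n"
        "        out += hashlib.sha256(key + c.to_bytes(4, 'big')).digest(); c += 1\n"
        "    return bytes(out[:n])\n"
        "def payload():\n"
        "    return bytes(b ^ s for b, s in zip(_BLOB, _ks(_KEY, len(_BLOB))))\n"
    )


if __name__ == "__main__":
    k, b = encode_payload(SAMPLE_PAYLOAD)
    print("raw payload matches signature:   ", contains_plaintext(SAMPLE_PAYLOAD, SIGNATURE))
    print("stored blob matches signature:   ", contains_plaintext(b, SIGNATURE))
    print("generated module matches:        ", contains_plaintext(render_source_module(k, b).encode(), SIGNATURE))
    print("round trip ok:                   ", decode_payload(k, b) == SAMPLE_PAYLOAD)
```

Two caveats a practitioner would want. First, the key is stored next to the blob, so this only defeats a static scan of the file as written; a scanner that emulates or hooks the decoder, or that scans process memory after `payload()` runs, still sees the plain bytes, and the unchanging decoder stub is itself a signature candidate. Second, it says nothing about the windows-monkey32.exe detection in the report, which is a flag on the agent binary rather than on a source file.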

acepace commented 3 years ago

TL;DR: note that the Defender report is on the Island, which has the source files in plain format.

VakarisZ commented 3 years ago

Yes, but it also blocked and removed windows-32 agent binary.