nettitude / PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
BSD 3-Clause "New" or "Revised" License

[BUG] Stage2-Core.ps1 gets flagged by Windows Defender #164

Closed 0xvm closed 4 years ago

0xvm commented 4 years ago

Description

Windows Defender with defs. 1.321.1947.0 (22 Aug 2020) flags Stage2-Core.ps1 as malicious. This results in the Stage2-Core.ps1 functions not getting loaded (although the implant successfully connects and communicates with the C2 server).

The offending function appears to be "Get-Screenshot". One can either delete the offending function or modify/obfuscate it. A rather simplistic example that evades Defender while retaining functionality is here: https://github.com/0xvm/PoshC2/commit/dc0eb345ba7137a23e94562e48b68afe3a922d09.

Execution Environment:

All of this must be filled in | Data Value
Full Posh version (all the text between the === at the top of the Implant Handler) | =============== PoshC2 v7.0 (837846a 2020-08-20 22:12:50) ===============
OS & version | Clients: Windows 10 x64 1809 and Windows 10 x64 1910; Server: Linux KALi 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64 GNU/Linux
Using Docker/containerisation? | Nope.

To Reproduce

Steps to reproduce the behavior:

  1. Create a new posh project.
  2. Start posh-server and the implant handler.
  3. Execute the powershell encoded command variant on target (i.e. powershell -exec bypass -Noninteractive -windowstyle hidden -e WwBTAHkA .... [snipped]).
  4. Following the initial communication with the C2 the implant attempts to load Stage2-Core.ps1, however this gets flagged by Windows Defender [refer to screenshot below].
  5. Trying to execute any function listed in Stage2-Core.ps1, such as Get-Proxy, will result in an error [refer to screenshot below].

Expected behavior

Stage2-Core.ps1 should be able to evade Windows Defender

Screenshots

image


benpturner commented 4 years ago

Thanks for the heads up! That's a nice find. I think in the first instance we will pull out the Get-Screenshot functions from the Stage2-Core.ps1 and try again. My suspicion is it's the Get-ScreenshotMulti as it uses Add-Type, which we could put into a separate function to start with.
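The thread narrows the detection down to one function and, in the comment above, to its use of Add-Type to compile inline C#. For a defender reviewing PowerShell scripts, that is a useful triage signal on its own: a function that compiles embedded C# source and references graphics or screen-capture types warrants a closer look. The script below is an added example, not PoshC2 code; it splits a PowerShell script into functions with a simple brace counter and reports which ones hit a small set of heuristics. The two sample scripts, the heuristic patterns (Add-Type with -TypeDefinition or -MemberDefinition, System.Drawing / CopyFromScreen references, a here-string containing C# "using" directives) and the function names are all constructed for the example; Defender's actual signature logic is not public and this does not reproduce it.

```python
import re

# Constructed sample scripts (not PoshC2 code). The first compiles inline C#
# with Add-Type and references System.Drawing; the second is an ordinary
# registry read of the kind a Get-Proxy helper might perform.
SUSPECT_SCRIPT = r'''
function Get-Capture {
    $src = @"
using System;
using System.Drawing;
public class Cap { public static void Go() { } }
"@
    Add-Type -TypeDefinition $src -ReferencedAssemblies System.Drawing
    [Cap]::Go()
}
'''

BENIGN_SCRIPT = r'''
function Get-Proxy {
    Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
}
'''

# Heuristics (assumptions for this example, not a vendor signature):
ADD_TYPE_RE = re.compile(r'\bAdd-Type\b[^\n]*-(TypeDefinition|MemberDefinition)', re.I)
DRAWING_RE = re.compile(r'System\.Drawing|CopyFromScreen', re.I)
HERE_STRING_CS_RE = re.compile(r'@"\s*\n.*?using System.*?"@', re.S)

FUNC_RE = re.compile(r'^\s*function\s+([\w-]+)\s*\{', re.M)


def find_functions(script):
    """Return (name, body) pairs for top-level 'function Name { ... }' blocks.

    Braces are counted to find the matching close; braces inside the embedded
    C# balance out, which is good enough for a triage tool.
    """
    funcs = []
    for m in FUNC_RE.finditer(script):
        depth, i = 1, m.end()
        while i < len(script) and depth:
            depth += {'{': 1, '}': -1}.get(script[i], 0)
            i += 1
        funcs.append((m.group(1), script[m.start():i]))
    return funcs


def score_function(body):
    """List the heuristic reasons a single function body triggers."""
    reasons = []
    if ADD_TYPE_RE.search(body):
        reasons.append("Add-Type inline compilation")
    if DRAWING_RE.search(body):
        reasons.append("System.Drawing / screen-capture API")
    if HERE_STRING_CS_RE.search(body):
        reasons.append("embedded C# source in here-string")
    return reasons


def triage(script):
    """Map each function name to its reasons, keeping only functions that hit."""
    hits = {}
    for name, body in find_functions(script):
        reasons = score_function(body)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for label, script in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, triage(script))
```

Running it lists Get-Capture with all three reasons and nothing for Get-Proxy. The per-function split is the point: when a whole script is blocked, isolating which function carries the compiled C# is the same question from either side of the fence, and it is the first thing a reviewer should know before deciding whether the rest of the file deserves the same verdict.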

benpturner commented 4 years ago

If you fancy giving that a go and doing a PR that would be very helpful, don't mind helping get it through. If not I'll have a look when I get a second.

0xvm commented 4 years ago

Many thanks for the quick reply,

I submitted pull request #165. Let me know what you think, I'll be happy to review this further.

benpturner commented 4 years ago

Thanks, I was also adding some of this to a separate file when you raised it, before you did this PR - https://github.com/nettitude/PoshC2/pull/171. Let me know if this fixes it, otherwise I'll merge your PR.

Console commented 4 years ago

Closing issue as changes have now been merged into Master with pull request #171 to resolve defender detections of core implant.