Closed 0xvm closed 4 years ago
Thanks for the heads up! That's a nice find. I think in the first instance we will pull out the Get-Screenshot functions from the stage2-core.ps1 and try again. My suspicion is it's the Get-ScreenshotMulti, as it uses Add-Type, which we could put into a separate function to start with.
If you fancy giving that a go and doing a PR that would be very helpful; don't mind helping get it through. If not, I'll have a look when I get a second.
Many thanks for the quick reply,
I submitted pull request #165. Let me know what you think; I'll be happy to review this further.
Thanks, I was also adding some of this to a separate file when you raised it, before you did this PR - https://github.com/nettitude/PoshC2/pull/171. Let me know if this fixes it, otherwise I'll merge your PR.
Closing issue as changes have now been merged into Master with pull request #171 to resolve defender detections of core implant.
Description
Windows Defender with defs. 1.321.1947.0 (22 Aug 2020) flags Stage2-Core.ps1 as malicious. This results in the Stage2-Core.ps1 functions not getting loaded (although the implant successfully connects and communicates with the C2 server).
The offending function appears to be "Get-Screenshot". One can either delete the offending function or modify/obfuscate it. A rather simplistic example that evades Defender while retaining functionality is here: https://github.com/0xvm/PoshC2/commit/dc0eb345ba7137a23e94562e48b68afe3a922d09.
Expected behavior
Stage2-Core.ps1 should be able to evade Windows Defender