t3l3machus / Villain

Villain is a high level stage 0/1 C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities) and share them among connected sibling servers (Villain instances running on different machines).

How do I run a socket-based rshell process in a session? #119

Closed EndCod3r closed 1 year ago

EndCod3r commented 1 year ago

I'm wondering how to run a socket-based rshell process on a Windows 11 computer. The reason it says this is because I'm using the payload windows/hoaxshell/cmd_curl as it's the only one that works for me and passes Windows Defender.

t3l3machus commented 1 year ago

Yeah, the cmd curl does not trigger AMSI, that's why it's a bit tricky to detect. For the PowerShell reverse shells you would have to apply obfuscation. I've created repositories and videos about how to do that:

Check this repo out -> https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

How to create custom templates with Villain and evade AV detection -> https://youtu.be/grSBdZdUya0