Bypassing defender
#1
I've been working on an RDP backdoor that works: it adds new firewall rules, creates a new RDP user, downloads VPN software and connects through cmd.exe, then establishes persistence by adding a program (located at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run) that uses cmd to reconnect to the VPN using a PS1 script. The only problem is that it is flagged by Windows Defender as a backdoor. I tried AMSITrigger, and it came back as clean.

Some questions:
How can I find out which lines are problematic?
Does there exist a virus scanner that doesn't send samples to the glowies?
Does anyone have any experience with deploying malware to the masses? I was looking at malvertising, but I assume it'll be a bitch to put together a website and get people to download + click an unsigned .exe.

Thanks
#2
(05-31-2023, 07:31 PM) smellyfoot47 Wrote: I've been working on an RDP backdoor that works: it adds new firewall rules, creates a new RDP user, downloads VPN software and connects through cmd.exe, then establishes persistence by adding a program (located at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run) that uses cmd to reconnect to the VPN using a PS1 script. The only problem is that it is flagged by Windows Defender as a backdoor. I tried AMSITrigger, and it came back as clean.

Some questions:
How can I find out which lines are problematic?
Does there exist a virus scanner that doesn't send samples to the glowies?
Does anyone have any experience with deploying malware to the masses? I was looking at malvertising, but I assume it'll be a bitch to put together a website and get people to download + click an unsigned .exe.

Thanks

What did Defender flag as a backdoor? Is your PowerShell script FUD at runtime? The software installing the RDP server? Try scanning each file you use in your malware.
Need more info.
We are Light Hat Arsenal, we are hackers for the light.
#3

Did you try using Chimera obfuscation for PowerShell?
#4

For exe files: ThreatCheck.exe. Try it.
#5

You can try: https://antiscan.me/ and I am sure there are others.
There are a number of things you can do to pinpoint what trips what. Try slowly taking away stuff until the AV isn't triggered and go from there. Are you obfuscating your strings? Executing third-party Powershell scripts tends to ring alarm bells in a default Windows setup nowadays. Be careful with ideas such as "deploying malware to the masses", big things fall faster.