Daniel , keep up the good work

@daniellowrie

4 ай бұрын

Thanks! And thanks for watching 😀👍

Very neat ! Impressive skills you have

@daniellowrie

4 ай бұрын

Thank you very much! 😀

Pretty neat. Can you speak to what specifically gets this around Pret(Def)ender? Is it just that it doesn't understand golang so well? So all of its triggers that tell it "hey buddy, this is likely a rev shell" are likely based on vb/python/powershell/cmd?

@daniellowrie

4 ай бұрын

Great question! So some of it is golang, although a lot of malware is written using go so sometimes even a simple "hello, world!" app will get flagged as malicious. The other things that helps this work are the obfuscations and the fact that most of the "malicious" stuff is executed in memory. I didn't go crazy with the obfuscations, or with using techniques that would help it avoid behavioral detections, but I plan on continuing to refine this so that it can take on the modern EDR/XDR systems. 👍

Great stuff, thank you for sharing, and great insight as always.

@daniellowrie

4 ай бұрын

Thanks, Wayne!

interesting, good video 👍

@daniellowrie

4 ай бұрын

Thanks! I'm glad you enjoyed it 😃

I was thinking he's up early but then I remembered. I live off a totally opposite pond, anyway Happy Monday.

@daniellowrie

4 ай бұрын

Happy Monday, bro! Hope you enjoy the video 😃

Last time I saw you were using parrot os now it is Zorin OS, will you make a video on shifting from parrot to zorin

@daniellowrie

4 ай бұрын

Good eye! Technically I didn't switch. I still run Parrot, but for this script I had been building it on my Zorin workstation, so I just used remote-desktop to show the screen for the video. I do have plans to make a new video about Pentesting/security-focused distros and have discovered a new-to-me distro that has really impressed me. 😉👍

Can you elaborate more on how the tool managed to bypass the defender? does it work also against kaspersky or avast AV maybe?

@daniellowrie

4 ай бұрын

Sure thing! It bypasses Defender by utilizing a few techniques. 1) updater.exe doesn't necessarily do anything malicious. It just downloads a file from a web server. 2) since it is custom built Defender doesn't have a signature for it 3) the "malicious" payloads are never written to disk 4) one of the payloads bypasses AMSI 5) the payloads are utilizes obfuscations like string encoding and concatenation Not sure if it will bypass other AV systems, but I'd love to hear the results from you if you end up testing them 👍💯

Nice video Daniel... I tried that script 1 month ago ... I got netcat connection but i tried so many things to priv escalation or vnc connection but i didn't find any way 😢 if you can you make a video on post exploitation will be helpful 😊

@daniellowrie

4 ай бұрын

Priv esc can be fun LOL! Here's a great github repo with a ton of great Windows Priv Esc techniques, tools, and articles to help you in the mean time. github.com/emilyanncr/Windows-Post-Exploitation#privilege-escalation-guides/wiki

Hey i just saw u are doing an Av evasion course with red seige is that behind a paywall i was interested but dont knw if its free cause i saw a sign up for free option in ACI Learning platform ??

@daniellowrie

Ай бұрын

Hey @firosiam7786 That course is indeed behind the ACI Learning paywall, but is well worth the ticket price. Mike Saunders did a masterful job of explaining and demonstrating the AV-bypass techniques he uses as the Principal Security Consultant/Red Team Lead for Red Siege. Great stuff!

Watching you from ghana...much love boss

@daniellowrie

4 ай бұрын

Thanks for watching and commenting 💯👍

pretty cool

@daniellowrie

29 күн бұрын

Thanks! Glad you liked it ☺️

you are good at talking

before metaploit what environment did u used to create that l host And l port

@daniellowrie

Ай бұрын

Hi and thanks for watching! I'm not 100% sure about what you're asking me, but I'll attempt to answer based on what I think you're asking. So, I'm just using Metasploit to catch the reverse shell, which is just the good old "exploit/multi/handler" module. I think what you're referring to is the spot in the video right before we jump to Metasploit (6:26 - 6:46). That is a custom app I built using Golang(SecUp.go). It attempts to automate some of the deployment of the "malicious" payloads and runs a web server. I hope that clears things up for you. Cheers!

Is there an easy way to develop a bypass technique like this? I want to solve it myself because the update is fast. But it's hard because I'm not a great developer.

@daniellowrie

Ай бұрын

I feel your pain. I too am not a great developer and building this bypass was a bit of a struggle for me, but I loved every minute of it (well maybe not EVERY minute LOL) and I learned a lot. So, the best advice I have is, don't look for the shortcut. Don't rob yourself of the knowledge and experience that comes from struggling through a problem and learning/failing your way out of it. I'm not saying you shouldn't ask for help, but don't look for the "easy way" while you're learning. Put the time and effort into making sure you understand what it is you're trying to do and eventually you won't have to label yourself as "not a great developer" (even though you probably will any way. DAMN YOU, IMPOSTER SYNDROME!!!) All that said, feel free to check out my code and just modify it for your bypass. Looking at other's code is a great way to learn at a faster pace. I'd even suggest you lean on AI a bit. Since you're learning it can be much faster to learn how to do something using AI, then it is to scour stackoverflow or sift through a book, or hit the right link on the google results page. Just make sure that you're not just doing a straight up copy/paste job without understanding what's going on and filling in the gaps with books,videos,tutorials,etc. Well I hope that helps you out. Now go write some crappy code and then keep massaging it until it does the thing :) Cheers!

hi, i keep getting the "this app cant run on your pc" error anytime i run the updater.exe, any help?

@daniellowrie

2 ай бұрын

I would first attempt to execute on a different target to see if the problem is with the app or the OS. I did a quick google search for "this app can't run on your pc" and it looks like this might be a common issue for folks running Windows 11. You could possibly try tweaking the code and/or changing compile options as well. I hope that helps

I think it has been patched now, just tried running this today (17th February) and windows caught it as soon as I downloaded the file from the hosted server.

@daniellowrie

3 ай бұрын

That was quick. All good things come to an end I guess. Thanks for the head's up.

❤

@daniellowrie

4 ай бұрын

Thanks for the support 😀👍

Ain’t gonna work against big boy defender edr editions huge difference between win 11 defender bs and real defender….

@daniellowrie

4 ай бұрын

True. That said, this was more of a learning experience for me and a simple proof-of-concept. I do plan on refining it to the point that it can take on those big boy defenders though, so wish me luck 🍀🤞😁

@xoxoxo-42

4 ай бұрын

@@daniellowrie xoxoxo definitely worth the watch and you always bring top notch content ….

@daniellowrie

4 ай бұрын

@@xoxoxo-42 I really appreciate your kind words! And thanks so much for watching 💯👍

does not work anymore

@daniellowrie

3 ай бұрын

Thanks for letting me know. I guess It just goes to show how quickly these things get signatured and that we need to constantly be updating our kit.

Can't run this exe file on windows why that..😢

@daniellowrie

4 ай бұрын

So sorry to hear that! Are you getting an error?

@d.k.6878

4 ай бұрын

​yes sir, "this app can't run on your PC" error comes😢why that..@@daniellowrie

@minkang6841

4 ай бұрын

It needs to have a valid cert signature with a CA. You can self sign but windows doesn’t like unsigned exe’s