Macro made with Unicorn and stomped by EvilClippy gets detected by Windows Defender :/ #36
Comments
AV / EDR detection avoidance is not supported by any offensive tool developers.
What are you talking about? This tool was literally created to hide the macro. It's even mentioned in another issue how to bypass an AV, and @stanhegt himself replied. Unfortunately this didn't work for me. That's why I made another issue. It's also discussed in the blog post how to make it less detectable for an AV (e.g. the -g and -u flags).
Thanks for reaching out @gloritown. Please note that the blog post you're referring to is 1.5 years old now. In the meantime some (unfortunately not all..) AV vendors have stepped up and improved their detection against stomping. I love this and this is exactly why we publish open source offensive techniques. I agree with @yellow-starburst that it is not my role as an OSS developer to provide support on how to avoid a specific AV/EDR product with a specific macro. Nevertheless, I will repeat my general advice which I believe you already found in my feedback to another opened "issue":
Put your effort beyond just combining off-the-shelf tools and I am sure you will succeed. :-)
Hey,
I am trying to stomp my macro from Unicorn with EvilClippy, and based on my expectations and according to the blog, I thought most antivirus software won't be able to identify the payload. Unfortunately Windows Defender and many others do :/. Should I use something different than Unicorn? Or maybe there are some other things I am missing.
Thank you very much in advance!