Macro made with Unicorn and stomped by EvilClippy gets detected by Windows Defender :/ #36

Closed
gloritown opened this issue Dec 27, 2020 · 3 comments

Comments

@gloritown

Hey,
I am trying to stomp my macro from Unicorn with EvilClippy, and based on my expectations and according to the blog, I thought most antivirus software wouldn't be able to identify the payload. Unfortunately Windows Defender and many others do :/. Should I use something different than Unicorn? Or maybe there are some other things I am missing out on.

Thank you very much in advance!

@yellow-starburst

yellow-starburst commented Dec 27, 2020

AV / EDR detection avoidance is not supported by any offensive tool developers.
Kindly close this issue.

@gloritown
Author

What are you talking about? This tool was literally created to hide the macro. It's even mentioned in another issue how to bypass an AV, and @stanhegt himself replied. Unfortunately this didn't work for me. That's why I made another issue. It's also discussed in the blog post how to make it less detectable for an AV (e.g. the -g and -u tags).

@stanhegt
Contributor

Thanks for reaching out @gloritown. Please note that the blog post you're referring to is 1.5 years old now. In the meantime some (unfortunately not all..) AV vendors have stepped up and improved their detection against stomping. I love this and this is exactly why we publish open source offensive techniques.

I agree with @yellow-starburst that it is not my role as an OSS developer to provide support on how to avoid a specific AV/EDR product with a specific macro. Nevertheless, I will repeat my general advice which I believe you already found in my feedback to another opened "issue":

  • SRP streams can cause detection - these are artefacts that get created in a document after running a macro. Solution: either remove the SRP streams with a CFBF editor or make sure that you do not save the document after running a macro.
  • Static strings or byte sequences that remain in Pcode after VBA source code is removed may be the cause for detection. Solution: obfuscation of your macro.

Put your effort beyond just combining off-the-shelf tools and I am sure you will succeed. :-)
