FreshRSS

/r/netsec - Information Security News & Discussion

Evading Detection with Payload Pipelines

By: /u/pracsec - March 4th 2025 at 01:51

A few weeks ago, there was a post in another sub-reddit asking for any suggestions on how to get their payloads past the anti-malware scan interface and Windows Defender. This problem has definitely become more challenging over time, and has forced me to write new AMSI bypasses. My goal with this post is to give a concrete example of selecting a set of bypasses and applying tailored obfuscation to evade AV and bypass defenses.

Please let me know if you find this post helpful. Let me know if there's anything I can do to improve!

submitted by /u/pracsec
/r/netsec - Information Security News & Discussion

How to Emulate a Ransomware Attack

By: /u/pracsec - March 19th 2024 at 21:51

I made a post that goes through the details and thought process behind writing a ransomware payload for training purposes. It goes over how the entire killchain works and how each component is written as well as defense evasion techniques employed throughout the process. Finally, it goes over how to automate the killchain so that it is reliable and repeatable.

submitted by /u/pracsec
/r/netsec - Information Security News & Discussion

How to Leverage Internal Proxies for Lateral Movement, Firewall Evasion, and Trust Exploitation

By: /u/pracsec - January 12th 2024 at 14:06

This post covers the use of internal proxy techniques and some employment considerations.

submitted by /u/pracsec
/r/netsec - Information Security News & Discussion

Introducing SpecterInsight, a new cross-platform, post-exploitation framework designed for quality-of-life and ease of use

By: /u/pracsec - October 30th 2023 at 20:16

SpecterInsight is a cross-platform, post-exploitation command and control framework based on .NET for red team engagements, threat emulation, and training. Distinguishing features include:

  • Rich command output in JSON format
  • Data augmentation on individual results
  • Tight integration with ELK for data analytics
  • Built-in visualizations and dashboards
  • Countdown until the next callback
  • Easily extendible SpecterScripts
  • Integrated obfuscation and payload generation
  • Clean and efficient client UI
  • Cross platform components

There is also a free, indefinite evaluation license that includes the full product. Most of the SpecterScripts are open source, so it's a good way to learn. I thought people here might find it useful.

submitted by /u/pracsec