
Macro detected by windows defender. #20

Closed
Viss opened this issue Jun 29, 2016 · 7 comments
Comments

@Viss

Viss commented Jun 29, 2016

Looks like the format of the macro is being picked up by Windows Defender.
It may be a good idea to poach the output format of Empire's macro payload, since that still doesn't get detected :D

@trustedsec
Collaborator

Hehe, I don't like snagging other people's stuff. I'll write a stub encoder for it. Have plenty of space to play with. Should be done in the next couple of days.

@trustedsec
Collaborator

Thanks for letting me know btw! Appreciate it.

Does it get snagged upon opening and enabling the macro, or as soon as it's downloaded?

@Viss
Author

Viss commented Jun 29, 2016

Windows 10, newish Office install, Defender pops when you try and open it.

I wager rearranging the payload and perhaps obfuscating the powershell.exe string will likely be enough, but I haven't tried myself.


@beethical

Same problem here!
Today, I checked the latest macro created via unicorn (and Veil) through every available antivirus, and some of them detected the macro as a Trojan, even before opening the document! :)
The screenshot below shows the results:

[screenshot: photo_2016-06-30_13-43-17]

@trustedsec
Collaborator

Tested macro injection and normal ps1 - looks to get around Windows Defender with the update I just pushed out. Let me know your experience, but closing this for now. Will re-open if that differs. Thanks for the report!

@Viss
Author

Viss commented Jul 16, 2016

THANK YOU SIR <3

@Viss
Author

Viss commented Jul 16, 2016

I will test.
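The thread turns on a detection-engineering point: a signature that matches the literal string "powershell.exe" inside the VBA source is defeated as soon as the literal is assembled at run time with & concatenation or Chr() calls, which is exactly the change Viss speculates would be enough. The example below is an added illustration and is not unicorn's code, Empire's, or anything the commenters posted. The two macro samples are constructed for this example, the "signature" is an assumed plain substring check (how Defender actually decides is not known from this thread), and the folding routine is a minimal normalizer that shows what a detector has to do to see through that style of obfuscation.

```python
import re

# Constructed sample macros for illustration only (not unicorn output).
# The first keeps the interpreter name as one literal; the second splits it
# with VBA string concatenation and a Chr() call.
PLAIN_MACRO = '''
Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell.exe -NoProfile -Command Write-Host hi"
    Shell cmd, vbHide
End Sub
'''

OBFUSCATED_MACRO = '''
Sub AutoOpen()
    Dim cmd As String
    cmd = "pow" & "ersh" & Chr(101) & "ll.e" & "xe -NoProfile -Command Write-Host hi"
    Shell cmd, vbHide
End Sub
'''

# Assumed signature: a bare substring, standing in for whatever the AV really uses.
SIGNATURE = "powershell.exe"

_CHR = re.compile(r'Chr\((\d+)\)', re.IGNORECASE)   # Chr(101)
_LIT = re.compile(r'"([^"]*)"')                       # a VBA string literal
_JOIN = re.compile(r'"\s*[&+]\s*"')                   # "a" & "b"  ->  "ab"


def naive_match(vba: str) -> bool:
    """Case-insensitive substring signature over the raw macro source."""
    return SIGNATURE in vba.lower()


def fold_vba_strings(vba: str) -> str:
    """Rebuild literals that VBA would only assemble at run time.

    Chr(n) calls become their character wrapped as a literal, then adjacent
    literals joined by & or + are merged. This is deliberately minimal:
    it does not evaluate variables, StrReverse, Mid/Replace, or Chr(34)
    (an embedded quote), so it is a first pass, not a VBA interpreter.
    """
    folded_lines = []
    for line in vba.splitlines():
        line = _CHR.sub(lambda m: '"%s"' % chr(int(m.group(1))), line)
        # Repeat until no more adjacent-literal joins remain on the line.
        while _JOIN.search(line):
            line = _JOIN.sub('', line)
        folded_lines.append(line)
    return "\n".join(folded_lines)


def normalized_match(vba: str) -> bool:
    """Signature check after folding concatenated / Chr()-built literals."""
    return naive_match(fold_vba_strings(vba))


def max_fragments_per_line(vba: str) -> int:
    """Heuristic indicator: the most string literals plus Chr() calls on any one
    line. Ordinary macros rarely build a command from many small pieces, so a
    high count is worth a look even when no signature fires."""
    best = 0
    for line in vba.splitlines():
        count = len(_LIT.findall(line)) + len(_CHR.findall(line))
        best = max(best, count)
    return best


def scan(vba: str) -> dict:
    """Summarize the three checks for one macro body."""
    return {
        "raw_signature": naive_match(vba),
        "folded_signature": normalized_match(vba),
        "max_fragments": max_fragments_per_line(vba),
    }


if __name__ == "__main__":
    for name, body in (("plain", PLAIN_MACRO), ("obfuscated", OBFUSCATED_MACRO)):
        print(name, scan(body))
```

Running it shows the asymmetry the thread is about: the plain macro trips the raw substring check, the concatenated one does not, and only the folded check catches both. The fragment count is the kind of cheap secondary signal a detector adds so that string-splitting alone does not buy silence.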
