Macro detected by windows defender. #20
Comments
Hehe, I don't like snagging other people's stuff.. I'll write a stub encoder for it.. Have plenty of space to play with. Should be done next couple days
Thanks for letting me know btw! Appreciate it. Does it get snagged upon opening and enabling the macro or as soon as it's downloaded?
windows 10, newish office install, defender pops when you try and open it. I wager rearranging the payload and perhaps obfuscating the powershell.exe string will likely be enough, but I haven't tried myself. On June 28, 2016 7:05:38 PM PDT, trustedsec notifications@github.com wrote:
tested macro injection and normal ps1 - looks to get around windows defender with the update I just pushed out - let me know your experience but closing this for now. Will re-open if that differs. Thanks for the report!
THANK YOU SIR <3
I will test.
Looks like the format of the macro is being picked up by windows defender.
It may be a good idea to poach the output format of empire's macro payload, since that still doesn't get detected :D