Add documentation for windows_defender_exe

2018-09-04 14:16:24 -05:00 · 2018-09-04 14:16:24 -05:00 · d0b470879b
parent a3df5bb5d9
commit d0b470879b
1 changed files with 33 additions and 0 deletions
--- a/documentation/modules/evasion/windows/windows_defender_exe.md
+++ b/documentation/modules/evasion/windows/windows_defender_exe.md
@ -0,0 +1,33 @@
+# Introduction
+
+This module allows you to generate a Windows EXE that evades against Microsoft Windows Defender.
+To achieve this, multiple techniques are used:
+
+## Shellcode encryption
+
+RC4 is used to prevent the shellcode from getting caught by static scanning.
+
+## Custom Compiler
+
+A custom compiler is also used with evasion in mind. This compiler can keep the EXE randomized,
+also harder to reverse-engineer with typical tools.
+
+## Anti-Emulation
+
+An anti-emulation technique is used to prevent the shellcode from being analyzed at run-time.
+Technically, this is taking advantage of a weakness in Windows Defender's scan engine
+(an artifact,a poor design, etc), so every once a while this part may be tweaked to keep up with
+Microsoft updates.
+
+## Traffic Encryption
+
+Some Meterpreters support encryption, such as RC4 or HTTPS. You either should consider using a
+custom payload of your own to avoid detection, or at least use one that supports encryption for
+best results.
+
+# Demonstration
+
+The following demonstrates how to generate a payload with windows_defender_exe, and successfully
+evades Windows Defender:
+
+![alt text](https://user-images.githubusercontent.com/1170914/45052465-7e6ee500-b04c-11e8-90e0-e9c59363bb45.gif)