WD SmartScreen bypass + MOTW evasion + Edge/Chrome 0 alerts (W10/W11)
Today, I want to share something very easy and helpful. Some of you might already know about it, but for those who don’t, I hope you find it interesting and that it fits well in your inventory.
All tests were conducted on Windows 11 23H2/Windows 10 22H2, using the tools and techniques I am going to explain and using Cobalt Strike 4.9.1 as C2 framework. SmartScreen is not alerted if the file is extracted from the container and pasted on a directory, in example Desktop.
1.- Build a container using something like this tool: https://github.com/mgeeky/PackMyPayload
There are many GUI open source tools that can build containers that need to be mounted like mkisofs an many others.
Note: Container = .iso/.img
2.- Store your container on any of the following living on the network projects. This will provide more trust for our download domain. It not mandatory for testing purpose, but why not doing things well, right?
https://lots-project.com
3.- I work with clean payloads on static & runtime analysis I don’t know about malware detected on static.
4.- After that Edge, Chrome would not detect your payload/malware as malicious. It will be a clean download. You will notice that running the file that it’s inside the container does not have a Mark of the web mark and it does not triggers Windows SmartScreen (the payload must be run from a directory and not from inside the container, otherwise SmartScreen will give an alert/warning)
Unsigned executables .exe, can bypass google chrome alerts with that method. But Microsoft Edge will flag as malicious.
Is always better to stay away from executables, DLL are stealthier than them. I personally recommend use them + DLL sideloading.
THE NOTE This article is for informational purposes only. We do not encourage you to commit any hacking. Everything you do is your responsibility.
TOX : 340EF1DCEEC5B395B9B45963F945C00238ADDEAC87C117F64F46206911474C61981D96420B72
Telegram : @DevSecAS
More from Uncategorized
Fortinet FortiOS / FortiProxy Unauthorized RCE
CVE-2024-21762 is a buffer overflow write vulnerability in Fortinet Fortigate and FortiProxy. This vulnerability allows an unauthorized attacker to execute …
Active Directory Dumper 2
We check the architecture for strength – an attempt to cram in the unintelligible – we fasten the network resource …
Active Directory Dumper
The purpose of this article is to show the use of the principles of building an application architecture. 1.1.1 What we …