@gnothiseauton said:
Didn’t test it to the full extent, because there are just so many nc’s, but a while back I spent about a day seeing what gets caught by Windows Defender and what not.
From what I can tell: Defender doesn’t like the nc to have the -e flag (the flag that allows you to tie bash/cmd to the nc session).
So if you have a version without that flag, you’re a lot less likely to be flagged as dangerous, but you should still be able to produce a bind shell with the (probably in the meantime famous) nc command that doesn’t require the -e argument.
Given those many flavors of nc, the advice of @TazWake is still very valid: from what I read, AVs use smaller identifiers than I expected, so even though the big pattern I saw had a lot to do with that -e argument being available in the executable or not, you may still find some oddball flavor of nc that just passes the AV, even if it has the -e argument.
If you do further tests and find your conclusive answer, I’d be happy to hear about it.
Best of luck man.
Thanks for the info.