
Getting AdaptixC2 Past Windows Defender with Beatrice.py (Opcode Substitution | YARA Hunting | SIEM Detection)
New Weekly Purple Team video covering end-to-end evasion technique, then detection on the blue side.
The tool, Beatrice, is an open-source Python script that patches compiled binaries by swapping x64 opcodes with semantically equivalent alternatives — same functionality, different bytes. It only rewrites bytes it has decoded as machine code, so it doesn't corrupt a binary by accidentally patching strings or data.
What the video covers:
- How Beatrice.py works under the hood (opcode substitution, instruction re-encoding, what it won't help with)
- Generating an AdaptixC2 payload with IAT Hiding enabled
- Running Beatrice.py against the beacon and reviewing the patches
- Live test against Windows Defender — real-time protection on, no exclusions
- YARA-based detection via Velociraptor for hunting modified beacons in your environment
- SIEM detections for AdaptixC2 beacon activity
Worth noting: Beatrice.py won't save you from behavior-based detection, string-based signatures, or import analysis — it's a static evasion layer, not a silver bullet. AdaptixC2 with IAT Hiding is already fairly evasive, but this adds a layer of resilience against future Microsoft signature updates.
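To make the YARA-hunting point concrete, here is a small added example (my own illustration, not code from Beatrice.py, AdaptixC2, or the video). It uses a constructed x64 stub and a hand-built substituted variant (`mov rbp,rsp` re-encoded, `xor reg,reg` swapped for `sub reg,reg`) to show why a byte-exact signature stops matching after opcode substitution, and how a rule that enumerates the known equivalent encodings still fires. The `to_yara_hex` helper renders the same equivalence sequence as a YARA hex string with alternatives, which is the form you would drop into a Velociraptor YARA artifact.

```python
import re

# Constructed sample bytes (not taken from the page or any real beacon): a tiny
# x64 stub that sets up a frame, zeroes two registers, tests one and returns.
#   55            push rbp
#   48 89 e5      mov  rbp, rsp
#   31 c0         xor  eax, eax
#   31 c9         xor  ecx, ecx
#   85 c0         test eax, eax
#   c3            ret
ORIGINAL = bytes.fromhex("55 4889e5 31c0 31c9 85c0 c3")

# The same stub after opcode substitution: mov rbp,rsp re-encoded with the
# 8B form and xor reg,reg replaced by sub reg,reg. Architectural result is
# identical, but the bytes differ at three places.
#   55            push rbp
#   48 8b ec      mov  rbp, rsp
#   29 c0         sub  eax, eax
#   29 c9         sub  ecx, ecx
#   85 c0         test eax, eax
#   c3            ret
SUBSTITUTED = bytes.fromhex("55 488bec 29c0 29c9 85c0 c3")

# Byte-exact signature a naive rule would carry for the original stub.
EXACT_SIG = bytes.fromhex("55 4889e5 31c0 31c9")

# Equivalence sequence: each inner list holds encodings that produce the same
# result, in the order the signature expects them. Only substitutions you
# enumerate here are covered; an unlisted encoding will still evade this rule.
EQUIV_SEQUENCE = [
    [bytes.fromhex("55")],                                # push rbp (one encoding)
    [bytes.fromhex("4889e5"), bytes.fromhex("488bec")],   # mov rbp, rsp
    [bytes.fromhex("31c0"), bytes.fromhex("29c0")],       # zero eax
    [bytes.fromhex("31c9"), bytes.fromhex("29c9")],       # zero ecx
]


def exact_match(buf: bytes, sig: bytes) -> bool:
    """Plain substring search: what a byte-literal signature does."""
    return sig in buf


def build_tolerant_regex(seq) -> "re.Pattern[bytes]":
    """Compile one alternation group per position so any listed encoding matches."""
    groups = []
    for alternatives in seq:
        groups.append(b"(?:" + b"|".join(re.escape(a) for a in alternatives) + b")")
    return re.compile(b"".join(groups), re.DOTALL)


def tolerant_match(buf: bytes, seq) -> bool:
    """True if the buffer contains the sequence under any listed encoding."""
    return build_tolerant_regex(seq).search(buf) is not None


def to_yara_hex(seq) -> str:
    """Render the equivalence sequence as a YARA hex string with ( a | b ) alternatives."""
    chunks = []
    for alternatives in seq:
        rendered = [" ".join(f"{b:02X}" for b in alt) for alt in alternatives]
        chunks.append(rendered[0] if len(rendered) == 1 else "( " + " | ".join(rendered) + " )")
    return "{ " + " ".join(chunks) + " }"


if __name__ == "__main__":
    for name, buf in (("original", ORIGINAL), ("substituted", SUBSTITUTED)):
        print(f"{name:11s} exact={exact_match(buf, EXACT_SIG)!s:5s} "
              f"tolerant={tolerant_match(buf, EQUIV_SEQUENCE)}")
    print("YARA hex string:", to_yara_hex(EQUIV_SEQUENCE))
```

Running it shows the exact signature hitting only the original while the tolerant pattern hits both. The generated YARA string is `{ 55 ( 48 89 E5 | 48 8B EC ) ( 31 C0 | 29 C0 ) ( 31 C9 | 29 C9 ) }`. The design choice is deliberate: instead of chasing every new byte variant, you encode the known substitution classes once and pair the rule with the import- and behavior-based detections the post recommends, since a rule built this way still only covers substitutions you have enumerated.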
Links:
- 📺 Video: https://youtu.be/H3BdgCekrjY
- 🔗 Beatrice.py: https://github.com/raskolnikov90/Beatrice.py
- 🔗 AdaptixC2: https://github.com/Adaptix-Framework/AdaptixC2
Happy to answer questions on either the red or blue side.