Windows Defender is enabled by default in all modern versions of Windows, making it an important mitigation for defenders and a potential target for attackers. While Defender has improved significantly in recent years, it still relies on age-old AV techniques that are often trivial to bypass.
In this post we’ll explain what we have done to bypass Microsoft Defender ATP.
Before diving into Windows Defender we want to quickly introduce the main analysis methods used by most modern AV engines:
Static Analysis – Involves scanning the contents of a file on disk and relies primarily on a set of known-bad signatures. While this is effective against known malware, static signatures are often easy to bypass, meaning new malware is missed. A newer variation of this technique is machine-learning-based file classification, which essentially compares static features against known-good and known-bad profiles to detect anomalous files.
Process Memory/Runtime Analysis – Similar to static analysis, except that the memory of running processes is analyzed instead of files on disk. This can be more challenging for attackers, as it is harder to obfuscate code in memory while it is executing, and off-the-shelf payloads are easily detected.
It’s also worth mentioning how scans can be triggered:
File Read/Write – Whenever a new file is created or modified, this can trigger the AV to initiate a scan of the file.
Periodic – AV will periodically scan the system. Daily or weekly scans are common, and they can cover all or just a subset of the files on the system. The same concept applies to scanning the memory of running processes.
Suspicious Behaviour – AV will often monitor for suspicious behaviour (usually API calls) and use this to trigger a scan; again, this can be of local files or of process memory.
What we have done to bypass Windows Defender
Do you want to allow this program to make changes to your computer? Or, in other words, do you want to be hacked?
We gave you a gun and you shot yourself.
By granting administrator rights to a single payload, you have disabled Windows Defender and installed the malware on your own computer.
The payload keeps working even after the computer is restarted, and the Windows user knows nothing about the attack.
We use this technique at our Red Team Operations very often.
Proof of Concept Steps:
1. We wrote a malicious bat file.
2. When the bat file is run as Administrator, the payload disables Windows Defender.
3. The malicious payload contains a trojan that opens a reverse shell connection from the victim to the attacker.
4. The bat file adds the trojan to the Windows Startup programs.
5. When the Windows machine is restarted, the trojan is still running without any protections in place.
6. If you scan the computer with Windows Defender, it does not detect any malicious file or operation.
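For the defender's side of the scenario above, here is an added example (not code from the original post, and nothing the payload itself does): a read-only PowerShell audit that reports whether Defender's protection components are actually on, pulls Defender's own "protection disabled / configuration changed" events from its operational log, and enumerates the Startup locations the post says the trojan was placed in. It uses only built-in cmdlets and the Win32_StartupCommand class; run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original post. Read-only: nothing is changed on the host.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

Write-Host "== Defender protection state =="
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
    IsTamperProtected         = $status.IsTamperProtected
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
} | Format-List

# Exclusions let a payload through without Defender looking "off", so list them too.
Write-Host "== Exclusions =="
@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
    Where-Object { $_ } | ForEach-Object { "  $_" }

# Defender records its own tampering in its operational log:
#   5001 real-time protection disabled, 5007 configuration changed,
#   5010 malware scanning disabled, 5012 virus scanning disabled.
# Protection being off with none of these events present is itself suspicious
# (log cleared, or the service was stopped outright).
Write-Host "== Defender tamper events (last 7 days) =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5010, 5012
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# Persistence audit: Run/RunOnce keys plus the per-user and all-users Startup folders,
# i.e. the "Startup programs" the post's bat file wrote the trojan into.
# Anything here that is not a known application deserves a closer look.
Write-Host "== Startup entries =="
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Location, Command, User |
    Format-Table -AutoSize -Wrap

foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Folder'; e = { $folder } }, Name, LastWriteTime, Length
}
```

Because step 6 of the PoC shows that a Defender scan on the compromised host reports nothing, these checks should be compared against a known-good baseline or run from a separate, trusted system rather than trusted on their own.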