Deceiving Defender: Name Bypass

A simple name checking technique that bypasses Windows Defender protections on Windows 11 and Windows 10

Part Zero: Introduction

Once again we're taking a look at bypassing Windows defender. Last time we noticed that it was possible to execute the classic self-injection methodology by simply checking a couple of features about our environment and thereby bypassing Windows Defender on Windows 10.

However, there's a couple of issues with this methodology. The standard checks we used in the last post increase the size of binary and may lead to false positives on older systems (systems with less than 4 processors or smaller that expected amounts of ram).

Thankfully, most emulation environments, including Windows Defender, execute suspect PE files under a different name inside of the emulation environment. So if we check our executable's name before executing our payload, we'll find that we can bypass Windows Defender without any other checks.

Part One: Demonstration

If we use the same code to develop implant.exe, and put it on an updated Windows 11 system we observe the following.

Part Two: Name Bypass

Let's remove some of the checks and see what happens. Instead of checking for an entire emulation environment, let's check if our name is "implant.exe"

Part Three: ????

[Intentionally Left Blank]

Part Four: Profit

We survive on Windows 10!

And we survive on Windows 11!

Part Five: Conclusion

Using the name bypass technique makes bypassing Windows Defender trivial for any Threat Actor targeting typical Windows end users. Given that estimates suggest that Windows Defender currently occupies 50% of the AV market share, it's important that users are aware of the risks associated with running binaries of unknown origin.

References

Red_Team_Code_Snippets/Cpp/deceiving_defender/name_bypass at main · 0xTriboulet/Red_Team_Code_SnippetsGitHub

SEKTOR7 Researchwww.sektor7.net

Black Hat USA 2018 - Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator