💀
0xTriboulet
  • Introduction
  • Achieving Access
    • achieving access: implantv1
    • achieving access: implantv2
    • achieving access: implantv3
  • Deceiving Defender
    • Deceiving Defender: Making nc.exe viable again
    • Deceiving Defender: Classic Bypass
    • Deceiving Defender: Name Bypass
    • Deceiving Defender: The Texas Two Step
    • Deceiving Defender: The Big Stack Bypass
      • Making Meterpreter Viable Again
    • Deceiving Defender: Meterpreter
  • Making Malware
    • making malware #0
    • making malware #1
    • making malware #2
  • Just Malicious
    • Advanced String Obfuscation
    • From C, with inline assembly, to shellcode
    • Thnks4RWX
  • TTPs
    • TTPs: Embedding Payloads with MSFVenom (x86)
    • TTPs: Embedding Payloads with MSFVenom (x64)
    • TTPs: Rust vs C++
    • TTPs: JmpNoCall
    • TTPs: BadAsm
    • TTPs: BadStrings
  • Unholy Unhooking
    • Unholy Unhooking: byoDLL
    • Unholy Unhooking: FrByoDLL
    • Unholy Unhooking: Rusty Fart
  • Weird Windows
    • Command Hijacking with .COM
    • Non-Existent File Paths
  • ZeroTotal
    • ZeroTotal: Msfvenom Calc
    • ZeroTotal: Self-Injecting Calc
    • ZeroTotal: Rusty Calc
  • Disclaimers
Powered by GitBook
On this page
  • Part Zero: Introduction
  • Part One: Demonstration
  • Part Two: Name Bypass
  • Part Three: ????
  • Part Four: Profit
  • Part Five: Conclusion
  • References

Deceiving Defender: Name Bypass

A simple name checking technique that bypasses Windows Defender protections on Windows 11 and Windows 10

PreviousDeceiving Defender: Classic BypassNextDeceiving Defender: The Texas Two Step

Last updated 1 year ago

Part Zero: Introduction

Once again we're taking a look at bypassing Windows defender. Last time we noticed that it was possible to execute the classic self-injection methodology by simply checking a couple of features about our environment and thereby bypassing Windows Defender on Windows 10.

However, there's a couple of issues with this methodology. The standard checks we used in the last post increase the size of binary and may lead to false positives on older systems (systems with less than 4 processors or smaller that expected amounts of ram).

Thankfully, most emulation environments, including Windows Defender, execute suspect PE files under a different name inside of the emulation environment. So if we check our executable's name before executing our payload, we'll find that we can bypass Windows Defender without any other checks.

Part One: Demonstration

If we use the same code to develop implant.exe, and put it on an updated Windows 11 system we observe the following.

Part Two: Name Bypass

Let's remove some of the checks and see what happens. Instead of checking for an entire emulation environment, let's check if our name is "implant.exe"

Part Three: ????

[Intentionally Left Blank]

Part Four: Profit

We survive on Windows 10!

And we survive on Windows 11!

Part Five: Conclusion

Using the name bypass technique makes bypassing Windows Defender trivial for any Threat Actor targeting typical Windows end users. Given that estimates suggest that Windows Defender currently occupies 50% of the AV market share, it's important that users are aware of the risks associated with running binaries of unknown origin.

References

Black Hat USA 2018 - Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator

SEKTOR7 Research
Page cover image
LogoRed_Team_Code_Snippets/Cpp/deceiving_defender/name_bypass at main · 0xTriboulet/Red_Team_Code_SnippetsGitHub