Defeating Windows Defender Obfuscating Open Source Tools

  • Added 7 Jul 2022
  • I will bypass Windows Defender in this video by obfuscating an open-source solution file and then compiling the executable. I will use invisibility cloak, defender check, and simple find and replace to show you how to get a known bad binary past Windows Defender. If you want to learn real red team bypass techniques this will show a very effective method to defeat endpoint detection and response (EDR).
    Invisibility Cloak:
    github.com/h4wkst3r/Invisibil...
    Defender Check:
    github.com/matterpreter/Defen...
    Visual Studio Community Edition:
    visualstudio.microsoft.com/vs...
    Rubeus:
    github.com/GhostPack/Rubeus
    Follow Me:
    Twitter @BriPwn
    Please watch: "Red Team Tips February 1st: OPSEC Safe Active Directory Enumeration with SilentHound"
    • Red Team Tips February...
  • Science & Technology

Comments • 16

  • @sul3y • 6 months ago

    Great work man, I appreciate what you're doing and sharing with this awesome content.

  • @Kingdd1os • 1 year ago

    Thank you very much Sir, I learned strong skills from your videos.

  • @gooniesfan7911 • 1 year ago • +1

    Good video. Do you know if, once Defender is bypassed, it will remain undetected until the next signature update? Or could the behavior during runtime of a binary still pop as malicious?

    • @CyberAttackDefense • 1 year ago

      Sometimes cloud detection can update these fairly quickly. It's really hard to say without an example. Once Defender has been defeated, move fast!

    • @gooniesfan7911 • 1 year ago

      @CyberAttackDefense Do you know if setting an ExclusionPath to the entire C:\ directory would work, assuming one has physical access to the machine or gets admin privs? Asking strictly about ExclusionPath on the entire C drive, not a folder somewhere else.

    • @CyberAttackDefense • 1 year ago

      I haven't ever tried that. I'm assuming that would work.

    • @Error-33 • 1 year ago

      @gooniesfan7911 Like he said, that probably works, but ngl I'd recommend setting the malware up so that it puts itself in a folder like AppData or something like that, then excludes that folder from the antivirus, which should 100% work.
      But making an exclusion path on the whole C drive could work as well.
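The exclusion-path discussion above is the part of this thread a defender can act on directly: a Defender exclusion on a drive root or on a user-writable folder such as AppData means nothing dropped there is ever scanned, and adding one requires local admin, so both the setting and the change event are worth auditing. The following script is an added example, not from the video or any commenter; it assumes the built-in Defender PowerShell cmdlets (Get-MpPreference) and the standard Defender operational event log are available on the host.

```powershell
# Added example (not from the video): audit Microsoft Defender path exclusions
# for the overly broad entries discussed in the thread (whole drive roots and
# user-writable profile folders), then list recent exclusion changes.
# Assumes the Defender module (Get-MpPreference) is present; run elevated.
$prefs = Get-MpPreference

function Test-BroadExclusion {
    param([string]$Path)
    # A bare drive root such as C:\ disables scanning for the entire volume.
    if ($Path -match '^[A-Za-z]:\\?$') { return 'DRIVE ROOT' }
    # Profile, AppData and Temp folders are writable without admin rights,
    # so an exclusion there is an unscanned drop location for any user process.
    if ($Path -match '(?i)(\\AppData\\|\\Temp\\|^[A-Za-z]:\\Users\\[^\\]+\\?$)') { return 'USER-WRITABLE' }
    return $null
}

# ExclusionPath is $null when nothing is excluded; foreach over $null is a no-op.
foreach ($p in $prefs.ExclusionPath) {
    $flag = Test-BroadExclusion $p
    if ($flag) { Write-Warning "$flag exclusion: $p" } else { Write-Output "ok: $p" }
}

# Defender logs configuration changes (including exclusion edits) as Event ID 5007
# in its operational log; review the most recent ones for unexpected additions.
Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007} -MaxEvents 20 |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message
```

Flagged entries should be removed with Remove-MpPreference -ExclusionPath, and the 5007 events are the signal to forward to a SIEM so that a new exclusion is visible as soon as it is set rather than at the next manual audit.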

  • @cynthiaateya794 • 2 years ago • +2

    There is no exe file for DefenderCheck in the git repo. How do I get DefenderCheck.exe?

    • @CyberAttackDefense • 2 years ago • +1

      You have to compile it yourself from the solution file.

    • @cynthiaateya794 • 2 years ago

      @CyberAttackDefense How can I go about it?

    • @CyberAttackDefense • 2 years ago • +1

      @cynthiaateya794 Download a recent version of Visual Studio Code. Open the solution file like I did for Rubeus and choose build as Debug or Release.

  • @novianindy887 • 8 months ago • +1

    So basically it only obfuscates the strings in the exe, not the whole binary?

    • @CyberAttackDefense • 5 months ago

      This is how .NET works; you can't really obfuscate the whole binary. But EDR can only find things that are unobfuscated. When it comes to C you can use other methods like donut that make things much harder for EDR.

  • @bugbounty5870 • 11 months ago

    Will this technique still work?