Suck it, Windows Defender.

When Invoke-Obfuscation came out in late 2016, I, and I’m sure many other pentesters, rejoiced at the fact that our commands bypassed AV like it wasn’t even there. Empire payload? Easy. Privilege escalation Powershell scripts? Not a problem.

In 2016, Windows Defender was but an annoying feature in Windows that would just catch Cain & Abel. Fast forward two years and the introduction of Windows' Antimalware Scan Interface (AMSI), and suddenly it's one of the best, if not the best, AV on the market. When I created ADAPE, AV didn't do anything about it. Kaspersky, McAfee, AMP, Windows Defender, etc. were all bypassed because everything was encoded using Invoke-Obfuscation. Within two months of publishing that script, Defender hated it. I tried encoding the commands and scripts in different ways, but it still caught them. I didn't have a clue how to bypass this damn basic AV solution that is built into every modern PC.

Recently, on an engagement, I had Empire set up and used CrackMapExec to execute the PowerShell payload on a target. Of course, it was blocked by Defender. No worries, CME supports Invoke-Obfuscation now and even has it built in with the --obfs switch. Surely it would work now, right?

Wrong. Defender even caught that. Game on. By default, Empire spits out a base64 encoded payload that looks like this when decoded.

[screenshot: decoded Empire PowerShell payload]

So I would historically encode it via Invoke-Obfuscation.

[screenshot: payload encoded with Invoke-Obfuscation]

And it would work. Until recently.

[screenshot: Defender blocking the obfuscated payload]

Ok, fair enough. I only encoded it once and reversed it, let’s try encoding it a bit better.

[screenshots: payload with additional layers of obfuscation, still blocked]

Really?

Ok, let’s try special characters.

[screenshots: special-character obfuscation attempts, all blocked by Defender]

So, it’s clear Defender has caught on and now there needs to be a new method to the madness. Luckily, I found something out: Why bypass AV when you can just turn it off? Yeah, they might have alerts set to ring when Defender is turned off, but at this point the engagement is dead if I can’t get by, so I’m willing to take that chance.

Turning off Defender is pretty easy. It’s actually one line of PS.

Set-MpPreference -DisableRealtimeMonitoring $true

However, the catch is you need to have administrative privileges.

[screenshot: Set-MpPreference failing without administrative privileges]


Last year, byt3bl33d3r published a new, awesome C2 framework called SILENTTRINITY. ST utilizes IronPython and C# to execute its modules and beacon. By default, installing the .NET Framework also installs a tool called msbuild.exe. This executable builds C# code from an XML file, so if that XML file contains a payload, it's going to build it and you have a session on the target. It can also build from SMB paths, meaning you don't have to drop anything to disk (technically it does drop to disk temporarily).

Utilizing it in CME:

[screenshot: CrackMapExec launching the SILENTTRINITY msbuild stager]

Once I have a session open, I then use the ipy/shell module to run the command to disable Defender.

[screenshots: ipy/shell module running Set-MpPreference; Defender real-time protection shown as off]

This really is a testament to how good Windows Defender & AMSI are now and how far built-in AV has come. Of course this is a bit noisy, so for red team engagements this might not be the best solution as much as it is a last resort. In addition, instead of turning it all the way off, it's possible to just exclude a folder from AMSI, which you'd then work out of.
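From the defensive side, both of the changes the post describes (real-time monitoring switched off with Set-MpPreference, and a folder excluded from scanning) leave state and log evidence that can be audited. The script below is an added example written for this page, not code from the post or from SILENTTRINITY; it uses only the standard Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) and Get-WinEvent against the Microsoft-Windows-Windows Defender/Operational log, where event 5001 records real-time protection being disabled and 5007 records a configuration change such as a new exclusion. The function names, the 7-day lookback default and the report layout are this example's own choices.

```powershell
# Added example (not from the post): audit a host for the tampering the post
# describes, i.e. real-time protection switched off via Set-MpPreference and
# folders excluded from scanning. Needs the Defender module (Windows 10 /
# Server 2016 and later) and an elevated prompt to read the Operational log.

function Get-DefenderTamperReport {
    [CmdletBinding()]
    param(
        # How far back to look for tamper events (assumed default: 7 days)
        [int]$LookbackDays = 7
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Event IDs in Microsoft-Windows-Windows Defender/Operational:
    #   5001 = real-time protection disabled
    #   5007 = antimalware platform configuration changed (exclusions land here)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AMServiceEnabled          = $status.AMServiceEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        # Pipe through Where-Object so a $null preference becomes an empty array
        ExclusionPaths            = @($pref.ExclusionPath      | Where-Object { $_ })
        ExclusionProcesses        = @($pref.ExclusionProcess   | Where-Object { $_ })
        ExclusionExtensions       = @($pref.ExclusionExtension | Where-Object { $_ })
        TamperEvents              = @($events | Select-Object TimeCreated, Id, Message)
    }
}

function Test-DefenderTampered {
    param([Parameter(Mandatory)]$Report)

    $findings = @()
    if (-not $Report.RealTimeProtectionEnabled -or $Report.DisableRealtimeMonitoring) {
        $findings += 'Real-time monitoring is off (the state Set-MpPreference -DisableRealtimeMonitoring $true produces)'
    }
    if ($Report.ExclusionPaths.Count -gt 0) {
        $findings += "Path exclusions present: $($Report.ExclusionPaths -join ', ')"
    }
    if ($Report.ExclusionProcesses.Count -gt 0) {
        $findings += "Process exclusions present: $($Report.ExclusionProcesses -join ', ')"
    }
    foreach ($e in $Report.TamperEvents) {
        # Keep only the first line of the event message for a compact summary
        $findings += "$($e.TimeCreated) event $($e.Id): $(($e.Message -split "`n")[0])"
    }
    return $findings
}

# Usage
$report   = Get-DefenderTamperReport -LookbackDays 7
$findings = Test-DefenderTampered -Report $report
if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Forwarding events 5001 and 5007 to a SIEM gives the alert the post anticipates ("they might have alerts set to ring when Defender is turned off"); the report above is the on-host check for the same thing. Real-time monitoring is restored with Set-MpPreference -DisableRealtimeMonitoring $false, and Defender's Tamper Protection feature, where enabled, prevents the Set-MpPreference change from taking effect in the first place.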

5 thoughts on "Suck it, Windows Defender."

  1. Instead of disabling Defender, we can roll back definitions with mpcmrun.exe and even remove all the definitions.

  2. Hi 2killdms, as you are suggesting, we need first to elevate privileges. In my case, as victim I am working with a Win10 Build 1809 with Defender up to date (18th March 2019).

    To run commands with elevated privileges with SILENTTRINITY, I am using the module ipy/shell. Once there I set the Command as follows:

    set Command "powershell function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield('_context','nonpublic,instance').getvalue( $executioncontext)).gettype().getfield('_authorizationManager','nonpublic,instance').setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager 'Microsoft.PowerShell'))} Disable-ExecutionPolicy; Import-Module C:\Users\User1\Desktop\Invoke-WSResetBypass.ps1; Invoke-WSResetBypass -Command 'cmd.exe /c start powershell Set-MpPreference -DisableRealtimeMonitoring $true'"

    Remember to replace the .ps1 script’s path appropriately for your tests.

    For your reference, the Invoke-WSResetBypass.ps1 script can be found in ActiveCyberus. As it cannot be executed in PS as a non-privileged user with Execution Policy Restricted, you also have to bypass that restriction with the previous PowerShell function Disable-ExecutionPolicy.

    The execution takes a lot of time. Around 10 minutes in some cases.
    If you are going to use ADAPE too, you will have to fix it first (last single quote and curly bracket are missing), and you will also need to disable the firewall (Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False).

    N.B.: Defender AV detects my first attempt, but the second is not detected nor stopped (using msbuild as stager).
    N.B.: I am not using the ipy/powershell module because it does not work properly (exception) for unknown reasons.
    N.B.: It would be recommendable to Set-ExecutionPolicy Unrestricted -Force from the beginning.

    It is my first contact with the tool, so maybe you find easier mechanisms. Let us know if that is the case.
    Cheers!

  3. Sorry, but my question here is: if you are a low-level user, how can you disable this? It seems that you provided a username and password to cme; how would we get the same result with a low-privilege user? Would we need to escalate first and then proceed to disable Windows Defender? Sorry if it's a dumb question, just curious.
