Windows Defender Bypass

Interacting with MS Defender Module

# List commands
Get-Command -Module Defender

# Defender status
Get-MpComputerStatus

# History of detections
Get-MpThreat

# Details of a specific threat detection (ThreatID values come from Get-MpThreat)
Get-MpThreatDetection -ThreatID <ID>

# Disable real-time monitoring (set $false to re-enable it)
Set-MpPreference -DisableRealTimeMonitoring $true
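The cmdlets above can also be combined into a health check that reports the very changes these notes describe (real-time monitoring switched off, stale signatures, a wiped protection history). The following is an added example, not part of the original notes; it assumes the Defender module is available and the shell is elevated.

```powershell
# Added example: audit Defender's state with the cmdlets listed above.
# Assumes the Defender PowerShell module is loaded and the session is elevated.

function Test-DefenderHealth {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # Real-time monitoring disabled via Set-MpPreference shows up in both objects
    if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings += 'Real-time monitoring is disabled'
    }
    if (-not $status.AntivirusEnabled) {
        $findings += 'Antivirus engine is disabled'
    }
    if ($status.AntivirusSignatureAge -gt 7) {
        $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
    }

    # Protection history lives in this folder; a count of zero on a host that is
    # expected to have had detections is a heuristic hint that it was cleared
    $historyDir   = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'
    $historyFiles = 0
    if (Test-Path $historyDir) {
        $historyFiles = @(Get-ChildItem $historyDir -File -Recurse -ErrorAction SilentlyContinue).Count
    }

    # Summarise every recorded threat with its per-detection details
    $threats = @(Get-MpThreat)
    $recent  = foreach ($t in $threats) {
        Get-MpThreatDetection -ThreatID $t.ThreatID |
            Select-Object ThreatID, InitialDetectionTime, ProcessName
    }
    if ($threats.Count -eq 0 -and $historyFiles -eq 0) {
        $findings += 'No recorded threats and no history files (heuristic: history may have been cleared)'
    }

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        AntivirusEnabled   = $status.AntivirusEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        HistoryFiles       = $historyFiles
        Detections         = $recent
        Findings           = $findings
    }
}

Test-DefenderHealth | Format-List
```

The Findings list is empty on a healthy host; anything in it is worth correlating with the host's other logs before concluding tampering.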

Decompressing Defender's Signature Database

Import-Module C:\Tools\ExpandDefenderSig\ExpandDefenderSig.ps1

ls "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{50326593-AC5A-4EB5-A3F0-047A75D1470C}\mpavbase.vdm" | Expand-DefenderAVSignatureDB -OutputFileName mpavbase.raw

To clear the protection history log, simply delete all files in the following folder: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service

Static Analysis Bypass

  • Static analysis checks file hashes, byte patterns, and strings against a database of known malicious values.

  • XOR encryption alone is not enough; the payload still gets detected.

  • AES encryption bypasses the static analysis.

  • Use ThreatCheck to find which part of the code is being detected.

  • Rewrite the flagged code in a different way.

Dynamic Analysis Bypass

  • Three methods to bypass dynamic analysis:

    • Understand the shellcode of your C2 and obfuscate it.

    • Use a less well-known shellcode generator.

    • Write custom tools.
