A "tedious" approach to bypassing Windows Defender

Posted by deaguero at 2020-02-24

In my usual penetration tests, once I obtain administrator privileges I often stop there and don't move into the intranet. Doing so is likely to run into a pile of protection software, and then not only do you fail to go deeper, but the administrator rights you already hold may be put at risk. One day, however, my engagement went relatively smoothly and I quickly gained high privileges on the target, so I figured it was time to go deeper. I fired up the famous Mimikatz. Clearly, though, the operating system's Windows Defender did not want me to use this software.

So I decided to simply test how I could bypass Windows Defender. I set up a local test environment: the operating system is Windows 10, and Windows Defender has been updated to the latest version.

I didn't want Microsoft to pick up my testing process, so I turned off cloud-based protection and automatic sample submission.

(Screenshot: the "Cloud-based protection" and "Automatic sample submission" settings, both switched off)

The first step is to show that Mimikatz is blocked by the latest version of Windows Defender. I download and execute the Mimikatz script from a remote server.

Huh? The response seemed too quick. I checked the server where the Mimikatz script was stored and found that no external connection attempt had been received. It seems that Defender inspected the command line for sensitive strings and blocked the download outright.

Let me try changing every occurrence of mimikatz in the above command to mimikat and see whether it is still intercepted.


Seems to work! ... Well... At least the file download is OK. Let's quickly change every occurrence of Mimikatz in the Mimikatz script to Mimikat with one command:

sed -i -e 's/Mimikatz/Mimikat/g' Invoke-Mimikat.ps1

Try again as above. OK, still unsuccessful. Next we can try replacing the sensitive strings in the Mimikatz script that previous researchers have already found. Take a look at the article published by @bhinfosecurity on January 5, 2017, which lists many ways of replacing sensitive strings in the Mimikatz script. Let's try running the result of those replacements on the command line.

OK, as I expected, it's out of date... I think Defender has become completely immune to this obfuscation method over the past year or so... So we still need to find the strings that are actually being flagged. I decided to cut the file into pieces and test them one by one to see whether I could find anything.

split -l 50 Invoke-Mimikat.ps1 ./SPLIT/Mimi-

I chose to split the file at 50; of course, you can pick whatever granularity you want. Now let's test the split files one by one by transferring them remotely.

Get-MpThreatDetection | where {$_.InitialDetectionTime -gt '3/09/2019 1:48:00 PM'} | measure | % { $_.Count }
Copy-Item "\\\SPLIT\" -Destination .\ -Recursive
Get-MpThreatDetection | where {$_.InitialDetectionTime -gt '3/09/2019 1:48:00 PM'} | measure | % { $_.Count }

Next, we can replace the "scary"-looking variables in the script, or keep cutting the file and testing until we narrow the sensitive strings down to the smallest unit. For the first file, I renamed some of the scary variables and got past Defender successfully, so only 1 of the 50 files was left.

Then repeat the previous steps to narrow down and replace the sensitive strings.
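From the defender's side, the split-and-probe procedure above leaves a distinctive trace: one process triggers a burst of detections on many distinct small files within a few minutes. The following is an added example, not the author's script, that looks for that pattern in Get-MpThreatDetection output; it assumes the InitialDetectionTime, ProcessName and Resources properties of the detection objects, and the threshold values are arbitrary choices. The sample detections at the bottom are constructed so the function runs offline.

```powershell
# Added example (not the author's code): flag processes whose detections
# cluster on many distinct files inside a short window, the footprint left by
# splitting a flagged script and testing the chunks one by one.
# Assumed properties: InitialDetectionTime, ProcessName, Resources.
function Find-DetectionBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Detections,
        [int] $MinDetections = 5,     # distinct files needed to flag (arbitrary)
        [int] $WindowMinutes = 10     # burst window in minutes (arbitrary)
    )
    $Detections |
        Sort-Object InitialDetectionTime |
        Group-Object ProcessName |
        ForEach-Object {
            $proc   = $_.Name
            $events = @($_.Group)
            for ($i = 0; $i -lt $events.Count; $i++) {
                $start = $events[$i].InitialDetectionTime
                $end   = $start.AddMinutes($WindowMinutes)
                # Every detection of this process that falls inside the window
                $inWindow = $events | Where-Object {
                    $_.InitialDetectionTime -ge $start -and $_.InitialDetectionTime -le $end
                }
                $files = @($inWindow | ForEach-Object { $_.Resources } | Select-Object -Unique)
                if ($files.Count -ge $MinDetections) {
                    [pscustomobject]@{
                        ProcessName = $proc
                        WindowStart = $start
                        Files       = $files.Count
                        SampleFiles = ($files | Select-Object -First 3) -join ', '
                    }
                    break   # one report per process is enough
                }
            }
        }
}

# Constructed sample standing in for Get-MpThreatDetection output: eight chunk
# files flagged 20 seconds apart, plus one unrelated detection hours later.
$t0 = Get-Date '2019-03-09 13:48:00'
$sample = @(0..7 | ForEach-Object {
    [pscustomobject]@{ ProcessName = 'powershell.exe'
                       InitialDetectionTime = $t0.AddSeconds(20 * $_)
                       Resources = "file:_C:\Users\tester\SPLIT\Mimi-a$_" }
})
$sample += [pscustomobject]@{ ProcessName = 'chrome.exe'
                              InitialDetectionTime = $t0.AddHours(3)
                              Resources = 'file:_C:\Users\tester\Downloads\setup.exe' }
Find-DetectionBursts -Detections $sample | Format-Table -AutoSize
# Against live data (elevated prompt):
# Find-DetectionBursts -Detections (Get-MpThreatDetection) | Format-Table -AutoSize
```

Only powershell.exe is reported, since chrome.exe has a single detection in its window.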

Finally, we are able to bypass Windows Defender successfully! Symantec is no exception, either. I have written a simple script that implements the whole process, but what matters more is understanding the principle. In a follow-up post, I'll explore automated obfuscation in more depth.

If you know of better tools, please reach out to me on Twitter.

This article was compiled and translated by 白帽汇 and does not represent any view or position of 白帽汇. Source: