Advice Request Windows Defender disabled by malware


Andy Ful

So MOTW only matters in step 6?

No. Normally, files without MOTW that have not been executed are checked only by the offline Defender features. When the file has MOTW, or has been executed (and recognized as suspicious), it is checked against the cloud backend.
 

Andy Ful

Microsoft recommends the below settings for the "Block at first sight" feature:
  • Cloud-delivered protection: Enabled (required)
  • File Blocking Level: High (recommended)
  • Time extension for file scanning by the cloud: 50 (recommended)
  • Prompt users before sample submission: Send all data without prompting (recommended)
The last three settings do matter for files unknown in the Microsoft cloud. The lower settings can lower the detection.
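As an added example (not part of the post above), the four settings listed can be applied and read back with the Defender PowerShell cmdlets; it assumes an elevated console and that no Group Policy overrides the local preferences.

```powershell
# Added example: apply the "Block at first sight" settings from the post via
# Set-MpPreference and verify what Defender actually stores afterwards.
# Requires an elevated PowerShell console on a machine with Microsoft Defender.
$desired = @{
    MAPSReporting        = 'Advanced'        # cloud-delivered protection: enabled
    CloudBlockLevel      = 'High'            # file blocking level: High
    CloudExtendedTimeout = 50                # extra seconds the cloud may hold an unknown file
    SubmitSamplesConsent = 'SendAllSamples'  # send all data without prompting
}

# Splat the hashtable onto Set-MpPreference; also make sure BAFS itself is on.
Set-MpPreference @desired -DisableBlockAtFirstSeen $false

# Get-MpPreference reports these values as numeric codes:
# MAPSReporting 2 = Advanced, CloudBlockLevel 2 = High,
# SubmitSamplesConsent 3 = SendAllSamples.
$p = Get-MpPreference
$checks = @(
    @{ Name = 'Cloud-delivered protection'; Ok = ($p.MAPSReporting -eq 2) }
    @{ Name = 'File blocking level High';   Ok = ($p.CloudBlockLevel -eq 2) }
    @{ Name = 'Cloud timeout 50 s';         Ok = ($p.CloudExtendedTimeout -eq 50) }
    @{ Name = 'Send all samples';           Ok = ($p.SubmitSamplesConsent -eq 3) }
    @{ Name = 'Block at first sight on';    Ok = (-not $p.DisableBlockAtFirstSeen) }
)

# A setting that did not stick usually means a policy (GPO/MDM) is managing it.
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK' } else { 'NOT APPLIED (check policy)' }
    '{0,-30} {1}' -f $c.Name, $state
}
```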
 

wat0114

Microsoft recommends the below settings for the "Block at first sight" feature:
  • Cloud-delivered protection: Enabled (required)
  • File Blocking Level: High (recommended)
  • Time extension for file scanning by the cloud: 50 (recommended)
  • Prompt users before sample submission: Send all data without prompting (recommended)
The last three settings do matter for files unknown in the Microsoft cloud. The lower settings can lower the detection.

Thank you Andy for all your efforts. Much appreciated!
 

Andy Ful

Defender is still learning. I can see two new detections that now block the attack (POC worked well yesterday):
Trojan:Win32/Hynamer.A!ml
Trojan:Win32/MereTam.A
I did not submit the POC to Microsoft, so it is based on Defender's ML.
The first detection (behavior-based) is somehow related to my UAC bypass, but I am not sure if it can fully stop it. We will see after some testing.:)
Today, one variant of the POC has been blocked (for the first time) by the Defender ASR rule "Use advanced protection against ransomware" - not blocked on Defender's default settings. Of course, all variants with UAC bypass were also blocked from the beginning by the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".

Edit.
This anti-ransomware ASR rule blocks my UAC bypass (nice job Defender).:)
So, it must be modified again to bypass also ASR.
 

Ink

Have you noticed that the Windows Defender Browser Protection extension hasn't been updated since June 2020, and that it says "currently supported regions: United States"?
It does work outside of the US. The extension uses the cloud (in the background) for updates/checks, and it doesn't require constant extension updates to "make it effective".

If using Microsoft Edge:

Turn off SmartScreen in Edge settings


For other Chromium-based browsers:

Install Microsoft Defender Browser Protection


Visit test site: Microsoft Defender Browser Protection

The results are exactly the same as in Edge with built-in SmartScreen enabled.
 

Andy Ful

Some bypasses are blocked by Defender (mostly from point 4), but the rest works (I did not test DLL hijacking).
All bypasses performed via PowerShell in this article are blocked when using PowerShell in Constrained Language Mode.
 

TairikuOkami

Some bypasses are blocked by Defender (mostly from point 4), but the rest works (I did not test DLL hijacking).
All bypasses performed via PowerShell in this article are blocked when using PowerShell in Constrained Language Mode.
How to do it, though? When I tried this command, it no longer worked.
Code:
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe "Set-ExecutionPolicy bypass - noprofile"
I also apply this:
Code:
reg add "HKLM\Software\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
reg add "HKLM\Software\WOW6432Node\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "__PSLockDownPolicy" /t REG_SZ /d "4" /f
 

Andy Ful

How to do it, though? When I tried this command, it no longer worked.
I did it as follows:
  1. Run PowerShell console and execute the command:
    Invoke-MimiKatz
  2. The command should trigger the red alert:
    "This script contains malicious content and has been blocked by your antivirus software."
    This is a sign that AMSI works.
  3. Copy/paste the content of any script with AMSI bypass to the PowerShell console and try to execute it. You will see the red alert related to Constrained Language Mode:
    "Cannot invoke method. Method invocation is supported only on core types in this language mode."
  4. If you see the alert from point 2 instead, it is a sign that the code from the AMSI bypass was detected by Defender. If you disable Defender's real-time protection, you will see the alert from point 3.
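As an added example (not from the post above), the following function reports whether the current session is actually running in Constrained Language Mode, so the check in point 3 can be done without pasting any bypass script; it assumes the `__PSLockDownPolicy` variable from the earlier `reg add` lines is the mechanism in use.

```powershell
# Added example: audit whether Constrained Language Mode (CLM) is enforced in
# this PowerShell session. It reproduces the "Method invocation is supported
# only on core types" refusal quoted in point 3 with a harmless call.
function Test-ConstrainedLanguageMode {
    $mode = $ExecutionContext.SessionState.LanguageMode

    # System-wide switch set by the reg add command in the thread (value 4 = CLM).
    $lockdown = [Environment]::GetEnvironmentVariable('__PSLockDownPolicy', 'Machine')

    # StringBuilder is not on the CLM "core types" list, so constructing it must
    # fail under CLM and succeed under FullLanguage. Nothing is written or run.
    $invocationBlocked = $false
    try {
        $null = [System.Text.StringBuilder]::new()
    } catch {
        if ($_.FullyQualifiedErrorId -match 'ConstrainedLanguage') {
            $invocationBlocked = $true
        }
    }

    [pscustomobject]@{
        LanguageMode            = $mode
        PSLockDownPolicy        = $lockdown
        MethodInvocationBlocked = $invocationBlocked
        # Enforced only when both the declared mode and actual behaviour agree.
        Enforced                = ($mode -eq 'ConstrainedLanguage' -and $invocationBlocked)
    }
}

Test-ConstrainedLanguageMode | Format-List
```

If `LanguageMode` says `FullLanguage` even though `PSLockDownPolicy` is 4, the policy was set after the console started or was applied in a different scope; open a new console and re-run the check.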
 

Andy Ful

Here is an example of rare malware that was not created directly for profit but was intended to destroy the victims' systems (Iranian trains). The attack was directed against the Iranian government.

The attackers managed to obtain high privileges on the victim's domain server, placed a batch file (setup.bat) there, and created a scheduled task via Group Policy to execute this file. The original article about this attack can be found on the Padvish Malware Threats Database (Iranian AV):


https://threats.amnpardaz.com/malware/trojan-win32-breakwin/
https://labs.sentinelone.com/meteor...per-paralyzes-iranian-trains-with-epic-troll/
https://malwaretips.com/threads/new...alware-used-in-iranian-railway-attack.109331/

At this infection stage, the attackers could have disabled Defender, but they chose another way:
  • Disabled network and logged off from Active Directory.
  • Added Windows Defender exclusions to prevent the malware from being detected.
These actions were possible due to remote management with high privileges, which is an important infection vector in organizations and does not occur in the Home environment.
It is worth mentioning that the attackers invalidated Defender after compromising the server, so the network was already seriously compromised (probably via lateral movement).
 

Andy Ful

Today, one variant of the POC has been blocked (for the first time) by the Defender ASR rule "Use advanced protection against ransomware" - not blocked on Defender's default settings. Of course, all variants with UAC bypass were also blocked from the beginning by the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".

Edit.
This anti-ransomware ASR rule blocks my UAC bypass (nice job Defender).:)
So, it must be modified again to bypass also ASR.

Finally, the author of Defender Control removed the CmdLine support. So, the new version of Defender Control cannot be used in my POC (or a similar attack) to silently disable Defender on default settings (UAC bypassed) and infect the computer with any malware (even very old malware).
This is good news because, in my opinion, the response of Microsoft to this threat was not sufficient, even after submitting the POCs several times.
 
