Q&A Windows Defender disabled by malware

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,876
Microsoft recommends the below settings for the "Block at first sight" feature:
  • Cloud-delivered protection: Enabled (required)
  • File Blocking Level: High (recommended)
  • Time extension for file scanning by the cloud: 50 (recommended)
  • Prompt users before sample submission: Send all data without prompting (recommended)
The last three settings do matter for files unknown in the Microsoft cloud. The lower settings can lower the detection.
 

wat0114

Level 2
Apr 5, 2021
84
Microsoft recommends the below settings for the "Block at first sight" feature:
  • Cloud-delivered protection: Enabled (required)
  • File Blocking Level: High (recommended)
  • Time extension for file scanning by the cloud: 50 (recommended)
  • Prompt users before sample submission: Send all data without prompting (recommended)
The last three settings do matter for files unknown in the Microsoft cloud. The lower settings can lower the detection.

Thank you Andy for all your efforts. Much appreciated!
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,876
Defender is still learning. I can see two new detections that now block the attack (POC worked well yesterday):
Trojan:Win32/Hynamer.A!ml
Trojan:Win32/MereTam.A
I did not submit the POC to Microsoft, so it is based on Defender's ML.
The first detection (behavior-based) is somehow related to my UAC bypass, but I am not sure if it can fully stop it. We will see after some testing.:)
Today, one variant of the POC has been blocked (for the first time) by the Defender ASR rule "Use advanced protection against ransomware" - not blocked on Defender's default settings. Of course, all variants with UAC bypass were also blocked from the beginning by the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".

Edit.
This anti-ransomware ASR rule blocks my UAC bypass (nice job Defender).:)
So, it must be modified again to bypass also ASR.
 
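As an added example (not code from the thread, and not Microsoft's own), the settings from Andy Ful's two posts above expressed in Defender PowerShell: the four Block-at-first-sight values via Set-MpPreference, and the two ASR rules he names via Add-MpPreference. The rule GUIDs are Microsoft's published identifiers for those rules; the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Constructed example (not from the thread): apply the Block-at-first-sight
# settings quoted above and enable the two ASR rules named in the thread,
# then read everything back. Rule GUIDs are Microsoft's published identifiers.

$AsrRules = @{
    # "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Prevalence/age/trusted-list rule'
    # "Use advanced protection against ransomware"
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced ransomware protection'
}

function Set-BafsRecommended {
    Set-MpPreference -MAPSReporting Advanced               # cloud-delivered protection (required)
    Set-MpPreference -CloudBlockLevel High                 # File Blocking Level: High
    Set-MpPreference -CloudExtendedTimeout 50              # extra seconds the cloud may hold a file
    Set-MpPreference -SubmitSamplesConsent SendAllSamples  # send samples without prompting
    Set-MpPreference -DisableBlockAtFirstSeen $false       # make sure BAFS itself is on
}

function Enable-AsrRules {
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference appends to the existing rule list; Enabled = block mode
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions Enabled
    }
}

function Test-BafsState {
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids | Where-Object { $_ })   # drop null when no rules exist
    $acts = @($p.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    [pscustomobject]@{
        MapsReporting        = $p.MAPSReporting          # 2 = Advanced
        CloudBlockLevel      = $p.CloudBlockLevel        # 2 = High
        CloudExtendedTimeout = $p.CloudExtendedTimeout   # 50
        SubmitSamplesConsent = $p.SubmitSamplesConsent   # 3 = SendAllSamples
        BafsEnabled          = -not $p.DisableBlockAtFirstSeen
        # Only the two rules from the thread, and only if in block mode (action 1)
        AsrRulesBlocking     = @(for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($AsrRules.ContainsKey($ids[$i]) -and $acts[$i] -eq 1) { $AsrRules[$ids[$i]] }
        })
    }
}

Set-BafsRecommended
Enable-AsrRules
Test-BafsState | Format-List
```

Run it from an elevated console; on a host managed by Group Policy or Intune the tenant policy overrides Set-MpPreference, so there the read-back is the useful part.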

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,141
Have you noticed that the Windows Defender Browser Protection extension doesn't get updated since June 2020, and it says "currently supported regions: United States"?
It does work outside of the US. The extension uses the cloud (in the background) for updates/checks, and it doesn't require constant extension updates to "make it effective".

If using Microsoft Edge:

Turn off SmartScreen in Edge settings


For other Chromium-based browsers:

Install Microsoft Defender Browser Protection


Visit test site: Microsoft Defender Browser Protection

The results are exactly the same as Edge with built-in SmartScreen enabled.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,876
Some bypasses are blocked by Defender (mostly from point 4), but the rest works (I did not test DLL hijacking).
All bypasses performed via PowerShell in this article are blocked when using PowerShell in Constrained Language Mode.
 

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,078
Some bypasses are blocked by Defender (mostly from point 4), but the rest works (I did not test DLL hijacking).
All bypasses performed via PowerShell in this article are blocked when using PowerShell in Constrained Language Mode.
How to do it, though? When I tried this command, it no longer works.
Code:
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe "Set-ExecutionPolicy bypass - noprofile"
I also apply this:
Code:
reg add "HKLM\Software\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
reg add "HKLM\Software\WOW6432Node\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "__PSLockDownPolicy" /t REG_SZ /d "4" /f
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,876
How to do it, though? When I tried this command, it no longer works.
I did it as follows:
  1. Run PowerShell console and execute the command:
    Invoke-MimiKatz
  2. The command should trigger the red alert:
    "This script contains malicious content and has been blocked by your antivirus software."
    This is a sign that AMSI works.
  3. Copy/paste the content of any script with AMSI bypass to the PowerShell console and try to execute it. You will see the red alert related to Constrained Language Mode:
    "Cannot invoke method. Method invocation is supported only on core types in this language mode."
  4. If you see the alert from point 2 instead, then it is a sign that the code from AMSI bypass was detected by Defender. If you disable the Defender real-time protection, then you will see the alert from point 3.
 
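As an added example (not from the thread), a checker for the state Andy Ful's procedure above tests by hand: the current session's language mode, the __PSLockDownPolicy value that TairikuOkami's reg add writes, and whether Defender real-time protection is on so that the AMSI alert in step 2 can fire at all. The function name is mine; it uses only cmdlets and variable reads so it also runs inside an already constrained session.

```powershell
# Constructed example (not from the thread): report whether this machine is
# enforcing Constrained Language Mode as the reg adds above intend, and
# whether Defender real-time protection is on to back the AMSI check.
# Uses only cmdlets and variable reads, so it runs inside a constrained session too.

function Get-ClmState {
    # Language mode of the current session; anything but FullLanguage means the
    # "Cannot invoke method ..." error seen in step 3 is the expected outcome.
    $mode = [string]$ExecutionContext.SessionState.LanguageMode

    # __PSLockDownPolicy=4 in the machine environment forces ConstrainedLanguage
    # for new sessions; compare the persisted value with what this process sees.
    $envKey    = 'HKLM:\System\CurrentControlSet\Control\Session Manager\Environment'
    $persisted = (Get-ItemProperty -Path $envKey -Name '__PSLockDownPolicy' -ErrorAction SilentlyContinue).__PSLockDownPolicy
    $live      = $env:__PSLockDownPolicy

    # Without real-time protection AMSI has no engine to consult, so step 2
    # (the red "malicious content" alert) would never appear.
    $status = Get-MpComputerStatus

    [pscustomobject]@{
        SessionLanguageMode     = $mode
        LockDownPolicyPersisted = $persisted      # expect '4'
        LockDownPolicyLive      = $live           # '4' once a new logon/session picks it up
        ClmEnforcedForNewShells = ($persisted -eq '4')
        ThisSessionConstrained  = ($mode -eq 'ConstrainedLanguage')
        RealTimeProtectionOn    = $status.RealTimeProtectionEnabled
        AmsiCheckMeaningful     = ($status.RealTimeProtectionEnabled -and $status.AntivirusEnabled)
    }
}

# Raw values plus a plain verdict for each of the two things the thread tests.
$s = Get-ClmState
$s | Format-List
if (-not $s.ThisSessionConstrained) {
    Write-Warning 'This session is in FullLanguage mode: CLM is not protecting it (policy not applied yet, or the variable was changed).'
}
if (-not $s.RealTimeProtectionOn) {
    Write-Warning 'Defender real-time protection is off: AMSI will not block malicious scripts.'
}
```

Microsoft documents __PSLockDownPolicy as a testing aid rather than a security boundary: anything able to write that HKLM key can revert it. For an enforced lockdown, a WDAC or AppLocker script-enforcement policy puts PowerShell into ConstrainedLanguage automatically.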