tijme/dittobytes: Metamorphic cross-compilation of C++ & C-code to PIC, BOF & EXE.
DefendNot: Turning Windows Defender Against Itself
Rather than tampering with Defender processes or registry keys, DefendNot takes a different approach: it registers a fake antivirus through the Windows Security Center (WSC) COM interface. Because Defender is built to step aside when third-party antivirus software is present, the spoofed registration triggers Windows' own conflict resolution logic.

Technical Breakdown: Abusing Windows' Own Conflict Resolution

At the core of DefendNot's technique is the Windows Security Center (WSC), the native Windows component that tracks the state of security products such as antivirus and EDR solutions. DefendNot registers itself with WSC as an antivirus product, so Windows does the work of disabling Defender on its behalf. The registration is recorded under the registry paths Windows normally uses to track legitimate antivirus products (listed below). Once those keys are in place, WSC treats the spoofed product as a validly registered antivirus, and Defender stands down exactly as it would for a genuine third-party product.

Detection Mechanisms

Although Microsoft Defender for Endpoint's logging is degraded once DefendNot is active, defenders can still detect its activity. The entries under the WSC provider and AMSI provider paths each carry a GUID that may appear arbitrary; one of those GUIDs is the spoofed antivirus registered by DefendNot, sitting alongside the legitimate Defender entry. The registry entries also store metadata pointing to the DLL responsible for handling antivirus or AMSI functions, giving defenders another way to confirm tampering.

Detection Opportunities

Monitoring for registry key creation and modification events under the following keys provides strong indicators of DefendNot's presence:

HKLM\SOFTWARE\Microsoft\Security Center\Provider\AV
HKLM\SOFTWARE\Microsoft\AMSI\Providers\
WMI\AutoLogger\DefenderAuditLogger
WMI\AutoLogger\DefenderApiLogger
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks

We've published detection and threat hunting criteria to help security teams identify DefendNot activity.
Remediation involves:

Deleting the persistence-related registry keys under the TaskCache path
Removing the spoofed provider entries (only the spoofed GUID subkey, leaving the legitimate Defender entry in place) at:
HKLM\SOFTWARE\Microsoft\Security Center\Provider\AV
HKLM\SOFTWARE\Microsoft\AMSI\Providers
Deleting the DLL listed in the InProcServer32 path under the spoofed antivirus GUID

Once these artifacts are removed, restart the machine and confirm Defender's operational status by running:

Get-MpComputerStatus

and checking that RealTimeProtectionEnabled reports True and AMRunningMode reports Normal rather than Passive Mode. This validation confirms that the spoofed antivirus registration has been cleared and that Microsoft Defender is once again actively protecting the system.

Instead of disabling Microsoft Defender through brute-force techniques, DefendNot convinces Windows that another antivirus product is already installed and trusted. Attackers are increasingly building tools designed to blind security products, whether through aggressive EDR killers like KillerUltra or deceptive techniques like DefendNot.
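As an added example (not code from the article, from Huntress, or from DefendNot's author), the hunting logic below runs over registry telemetry in a constructed Sysmon-style form (event ID 12 for key create/delete, 13 for value set) and flags the paths listed under Detection Opportunities: a provider GUID that is absent from a baseline recorded on a clean host, the DLL behind that GUID taken from a write to its CLSID InProcServer32 value (the remediation step above points at that value; that the telemetry shows it as a plain value-set event is an assumption), a change to a Defender ETW autologger, and a TaskCache entry created by the same image shortly afterwards. The sample events, image paths, GUIDs and the baseline set are all constructed for the example.

```python
"""Hunting for DefendNot-style WSC abuse in registry telemetry.

Added example, not the article's code.  Events are constructed here as
'timestamp|event_id|image|target|details' lines mirroring Sysmon registry
events (ID 12 = key created/deleted, ID 13 = value set).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

GUID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.I)
# A value write under HKLM\SOFTWARE\Classes\CLSID\{GUID}\InProcServer32 reveals
# the DLL behind a provider GUID (assumed telemetry shape, see the lead-in).
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9a-f-]{36}\})\\InProcServer32", re.I)

# Fragments of the registry paths the article lists, matched as case-insensitive
# substrings because the WMI\AutoLogger paths are only given in shortened form.
WATCHED = {
    "wsc_av_provider": r"\Security Center\Provider\AV\{",
    "amsi_provider":   r"\AMSI\Providers\{",
    "defender_logger": r"WMI\AutoLogger\Defender",
    "task_cache":      r"\Schedule\TaskCache\Tasks\{",
}

# Provider GUIDs captured from a known-clean host (on a real system Defender's
# own entries would be in here).  Constructed placeholder value.
BASELINE_GUIDS = {"{0f0b8c6e-1d2a-4c3b-9e8f-7a6b5c4d3e2f}"}

# Constructed sample telemetry: one baseline provider registration, then a
# DefendNot-style sequence driven by a binary in a user's Downloads folder.
SAMPLE_LOG = r"""
2025-06-01T09:58:00|12|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Security Center\Provider\AV\{0f0b8c6e-1d2a-4c3b-9e8f-7a6b5c4d3e2f}|CreateKey
2025-06-01T10:01:12|12|C:\Users\bob\Downloads\update.exe|HKLM\SOFTWARE\Microsoft\Security Center\Provider\AV\{7c1e9a4d-5b2f-4e8a-b9d3-2a1c6f8e0d47}|CreateKey
2025-06-01T10:01:13|13|C:\Users\bob\Downloads\update.exe|HKLM\SOFTWARE\Classes\CLSID\{7c1e9a4d-5b2f-4e8a-b9d3-2a1c6f8e0d47}\InProcServer32\(Default)|C:\Users\bob\AppData\Local\Temp\wscprov.dll
2025-06-01T10:01:14|12|C:\Users\bob\Downloads\update.exe|HKLM\SOFTWARE\Microsoft\AMSI\Providers\{7c1e9a4d-5b2f-4e8a-b9d3-2a1c6f8e0d47}|CreateKey
2025-06-01T10:01:20|13|C:\Users\bob\Downloads\update.exe|HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderApiLogger\Start|DWORD (0x00000000)
2025-06-01T10:02:05|12|C:\Users\bob\Downloads\update.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3a9d2b1c-44ef-4d0a-8c6b-19e7f5a2d3c8}|CreateKey
"""


def parse_events(text):
    """Parse the constructed line format into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, image, target, details = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "image": image, "target": target, "details": details})
    return sorted(events, key=lambda e: e["time"])


def hunt(events, window=timedelta(minutes=10)):
    """Return per-key findings, the suspect GUIDs (with their DLL when seen) and
    the images that both registered a WSC provider and created a scheduled task
    within `window`, which is the high-confidence DefendNot pattern."""
    baseline = {g.lower() for g in BASELINE_GUIDS}
    findings = []                  # (category, image, detail)
    suspect_guids = {}             # non-baseline provider GUID -> DLL path or None
    touched = defaultdict(list)    # image -> [(time, category)]
    for ev in events:
        target, image = ev["target"], ev["image"]
        low = target.lower()
        cat = next((c for c, frag in WATCHED.items() if frag.lower() in low), None)
        if cat in ("wsc_av_provider", "amsi_provider"):
            m = GUID_RE.search(target)
            guid = m.group(0).lower() if m else None
            if guid and guid not in baseline:
                suspect_guids.setdefault(guid, None)
                findings.append((cat, image, "non-baseline provider GUID " + guid))
        elif cat == "defender_logger" and ev["id"] == 13:
            value = target.split("\\")[-1]
            findings.append((cat, image, value + "=" + ev["details"]))
        elif cat == "task_cache" and ev["id"] == 12:
            findings.append((cat, image, "scheduled task entry created"))
        # Tie the DLL to a GUID we already consider suspect.
        inproc = INPROC_RE.search(target)
        if inproc and ev["id"] == 13 and inproc.group(1).lower() in suspect_guids:
            suspect_guids[inproc.group(1).lower()] = ev["details"]
            findings.append(("provider_dll", image, ev["details"]))
        if cat:
            touched[image].append((ev["time"], cat))

    high_confidence = set()
    for image, hits in touched.items():
        registrations = [t for t, c in hits if c == "wsc_av_provider"]
        tasks = [t for t, c in hits if c == "task_cache"]
        if any(abs(a - b) <= window for a in registrations for b in tasks):
            high_confidence.add(image)
    return {"findings": findings, "suspect_guids": suspect_guids,
            "high_confidence": high_confidence}


if __name__ == "__main__":
    report = hunt(parse_events(SAMPLE_LOG))
    for cat, image, detail in report["findings"]:
        print(f"[{cat}] {image}: {detail}")
    print("high confidence:", sorted(report["high_confidence"]))
```

In production the same logic would be fed real Sysmon registry events, and BASELINE_GUIDS would be populated by enumerating the provider keys on a clean reference host, so that Defender's own GUID never trips the "non-baseline" finding while any newly registered product does.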
vxCrypt0r/Voidmaw: A new technique that can be used to bypass memory scanners. This can be useful for hiding problematic code (such as the reflective loaders implemented by C2 beacons) or other problematic executables that would be flagged by antimalware programs (such as Mimikatz).
vxCrypt0r/Voidgate: A technique that can be used to bypass AV/EDR memory scanners. It hides well-known, signatured shellcode (such as msfvenom output) by decrypting individual encrypted assembly instructions on the fly, so the scanner never sees the decrypted payload in that memory page.
The first step in reversing any binary, whatever the purpose, is to extract whatever meaningful information is easiest to retrieve. One such source is the clear-text strings in the binary. They may disclose a lot of information if the programmer did not take care to remove …
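As an added example (not code from the page being excerpted), a minimal strings extractor that, unlike a plain ASCII scan, also recovers the UTF-16LE wide strings Windows binaries carry, and then buckets the results into the indicator types a reverser reads first. SAMPLE_BIN is a constructed byte blob standing in for a real file, and the triage patterns are illustrative rather than exhaustive.

```python
"""Pull printable strings out of a binary and triage them.

Added example, not code from the page.  Handles both 8-bit ASCII runs and the
UTF-16LE wide strings Windows binaries use, which an ASCII-only scan misses
entirely.  SAMPLE_BIN is a constructed blob, not a real executable.
"""
import re

PRINTABLE = rb"[\x20-\x7e]"

# Rough triage buckets a reverser looks at first.  Illustrative patterns only.
TRIAGE = {
    "url":      re.compile(r"https?://", re.I),
    "ip":       re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "registry": re.compile(r"^(?:HK(?:LM|CU|CR|U)\\|SOFTWARE\\|SYSTEM\\)", re.I),
    "path":     re.compile(r"^[A-Za-z]:\\"),
}

# Constructed sample: a DOS-stub-like header, a wide URL, an ASCII registry
# path and a wide file path, separated by junk bytes and terminators.
SAMPLE_BIN = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 12                       # offsets 0..19
    + b"This program cannot be run in DOS mode.\r\n"                   # ASCII at 20
    + b"\x01\x02\x03"
    + "http://203.0.113.7/stage2.bin".encode("utf-16le") + b"\x00\x00"  # wide at 64
    + b"\xff\xfe\x13\x07"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"     # ASCII at 128
    + "C:\\Users\\Public\\svc.dll".encode("utf-16le")                  # wide at 175
    + b"AB\x00"                                                        # too short to report
)


def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) tuples for every printable run of
    at least min_len characters, in ASCII or UTF-16LE."""
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    # A wide string is a run of printable bytes each followed by a NUL.
    wide_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def triage(found):
    """Bucket extracted strings by the indicator types in TRIAGE."""
    buckets = {name: [] for name in TRIAGE}
    for _, _, text in found:
        for name, rx in TRIAGE.items():
            if rx.search(text):
                buckets[name].append(text)
    return buckets


if __name__ == "__main__":
    hits = extract_strings(SAMPLE_BIN)
    for offset, encoding, text in hits:
        print(f"{offset:#08x} {encoding:8} {text}")
    print(triage(hits))
```

Raising min_len is the usual first move against noise: short runs of printable bytes turn up constantly in code and data sections, and the strings worth reading (URLs, paths, registry keys, user-agent strings) are almost always longer.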
Yo, how's it going everyone. Sorry it's been a while since my last post. Fear not, I'm geared up and ready to dive into a full discussion of malware evasive maneuvers, specifically .js files as the first drop on a machine. Oh, and yes, you're reading that correctly. I said .js, because believe it or not, it is still actively used and HIGHLY effective at bypassing the most common EDR solutions today. Why is that? Well, it's likely due to a few reasons: