Windows Defender Bypassed

Captions
It could just as easily be a malware binary, a downloader, a Python script, a VBS script, anything. But the moment we run it, what's going to happen is it is going to launch the ransomware, and now Windows Defender is not detecting anything.

Quick shout-out to our sponsor CrowdSec, an open-source intrusion prevention system. When was the last time you heard that? It's entirely free, and all they want you to do is check out their GitHub project, so please take a couple of moments to click the link in the description. More at the end of this video.

Hello everyone, welcome to The PC Security Channel. In this video we'll be talking about a deadly vulnerability in Microsoft's Windows Defender that can allow any piece of malware to bypass it entirely. So it doesn't matter whether Windows Defender detects this malware, doesn't matter if you have the latest updates: malware can completely bypass it. I'm going to demonstrate how this works, but in order to do that we need to understand a few concepts on the system.

First of all, there's this command called reg query, and what this does is query a registry key. So let's say we want to query the local machine software, but we can go further, so we're going to go into Microsoft and under that Windows Defender, and now we're going to see all the things relevant to Windows Defender settings. Now if you look carefully you will find a key in here that says Exclusions, and if I want to query it again I can go ahead and say Windows Defender Exclusions, and now it's going to tell me the different types of exclusions that can be added, so there can be extensions, IP addresses. Now I'm going to go Paths, and boom, it shows me the exclusions that I have set up on this machine.

Why is this a problem? Well, let's think you're a malware developer. Imagine if you had a way to know all the excluded folders someone has on their system: you could simply move your malicious payload into the excluded folder. But I'll show you in a minute why this is a massive problem.

Now, as is customary on the channel, I have to run some ransomware per video, so I'm going to move Matrix ransomware onto the system, and as you can see Windows Defender immediately detects it because we do have it turned on and enabled on this VM. So now you know that Windows Defender does have the capability to detect this threat. But what if I used a separate downloader file, a trojan that is going to get this ransomware and then search within the system for the excluded paths and download the ransomware and execute it from there? And this is exactly how malware typically works: the original downloader is not the payload. You have program one that executes through a vulnerability and it's not malicious directly, so it's not detected by the AV, doesn't do anything, but then once it runs it downloads the malware payload.

How is that even possible, you may ask? How am I going to get infected without actually clicking on a link or downloading malware and running it myself? Well, the answer is you don't have to do any of that; your common sense doesn't come into the picture at all. So I can type a command to start a BITS transfer that goes from the source, where we have this ransomware hosted temporarily (don't worry, I'm going to take it down), to a given destination, and as you can see I have set up the excluded directory here. Now in a malware program all of this can be done automatically, so the malware can scan your system for the exclusions and then decide what directory to place the malware in. As we execute this command, what it's going to do is go into this web address and start transferring the data directly into the folder and save it as payload.exe, and after running this we have payload within our excluded folder. Now all we need to do is run it, and all of this can be packed into one simple process.

So I'm going to delete this for now, and I'm going to show you a PowerShell script that I've written in a couple of minutes that is going to evade Microsoft Defender, find the exclusions and run this very same ransomware on the system, even though you've seen that it was blocked by Windows Defender before. The reason this is possible is because this is not going to be detected by Windows Defender, because it's just a one-kilobyte PowerShell script. It could just as easily be a malware binary, a downloader, a Python script, a VBS script, anything. But the moment we run it, what's going to happen is it is going to launch the ransomware, and now Windows Defender is not detecting anything, because the original file is not detected because it's not malicious, and the actual malware payload has been moved into an exclusions folder, because Windows Defender does not protect its exclusions.

I would consider this a pretty serious flaw, so I would recommend anybody who is running Windows Defender on Windows 10: go into your exclusions, and you can do that by going into Windows Defender, Virus & threat protection settings, scroll down here, go into Exclusions and remove anything that is over here, because a malware payload can easily bypass all of Windows Defender's protection by simply looking up this folder and abusing it.

So we've got the customary ransomware execution done for the video. We can check Documents and everything is encrypted; Matrix ransomware did its job. We can look at the readme, and all of this despite Windows Defender detecting this threat. One simple flaw and it's bypassed entirely.

Now interestingly, the same exploit does not work in Windows 11. So if we try to do the exact same thing here, right click, Open Terminal, we try to query the registry for the same sort of key, we can still see everything under Windows Defender, but the moment we're going to try to access the exclusions here, it's going to tell us access is denied. So to Microsoft's credit they have fixed this, but not in Windows 10; it took them Windows 11 to do it. So I would strongly recommend anybody who uses Windows Defender to upgrade to Windows 11 if you want to use exclusions. If you're still on Windows 10 and using Windows Defender, make sure you remove all your exclusions, because a malware could just as easily bypass your entire AV, act as if there's no AV on the system, as long as you have one exclusion, one excluded folder, and this could be the result.

So I hope you found this video helpful. Please like the video if you enjoyed it. I'm planning a lot more exploit-based videos; there's another scary exploit in Microsoft Office right now and I'm thinking about covering that. If you want to see that, subscribe to The PC Security Channel.

Now to our sponsors. On the theme of free security products, this video is brought to you by CrowdSec, a free open-source intrusion prevention system. The project is on GitHub, so you can check it out today and install it on your favorite Linux box. I've already set it up on Ubuntu, and it's super simple and easy to use. CrowdSec allows you to ingest alerts from various sources, parse through the logs and build your own intrusion detection system. You can set up custom rules, leverage the community blacklist and automate your entire security process. So if you're an individual or company looking to monitor alerts from various different sources, this is a great tool to do it. You can also deploy an agent on Windows, which is currently in alpha. Once you have it set up, you're going to look at the CrowdSec console. This is going to show you a bird's-eye view of all your agents, scenarios and alerts. You've also got access to cyber threat intelligence, so this is where you can look up any kind of IP that you like. So I'm just going to paste a malicious IP here, and if we do a search it's going to give us the confidence level and the various actions associated with it. So as you can see, this one is flagged as bad actor; the attack details show it's an HTTP scanner and crawler. You can see the reporting period and can also make a comment, so it's very much community driven. And while some parts of the project are still in development, still in beta, this is a great time to jump in and start playing around with the tools and getting involved with the projects. So check them out, link in the description, show them some love for supporting The PC Security Channel. This is Leo, thank you so much for watching, and as always: stay informed, stay secure.
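An audit script for the recommendation in the video (list every Defender exclusion, check whether the Exclusions key is readable by standard users as shown for Windows 10, and remove path exclusions after confirmation). This is an added example, not the video author's script; it assumes the Defender PowerShell module (Get-MpPreference, Remove-MpPreference) is present and that it is run from an elevated prompt.

```powershell
# Added example: audit Microsoft Defender exclusions and check whether the
# Exclusions registry key is enumerable by unprivileged accounts.
# Assumes: Defender PowerShell module available, run as Administrator.

$ExclusionsKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

function Get-DefenderExclusionReport {
    # Get-MpPreference returns the effective exclusion lists; emit one
    # object per configured exclusion so they can be reviewed or removed.
    $pref = Get-MpPreference
    $report = @()
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess', 'ExclusionIpAddress') {
        foreach ($value in @($pref.$kind)) {
            if ($value) { $report += [pscustomobject]@{ Type = $kind; Value = $value } }
        }
    }
    return $report
}

function Test-ExclusionsKeyReadableByUsers {
    # $true if a low-privilege principal holds an Allow ACE with ReadKey on the
    # key, i.e. the exclusion list is discoverable by non-admin code (the
    # Windows 10 behaviour in the video); Windows 11 denies this access.
    $acl = Get-Acl -Path $ExclusionsKey
    $lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            ($ace.RegistryRights -band [System.Security.AccessControl.RegistryRights]::ReadKey)) {
            return $true
        }
    }
    return $false
}

$exclusions = @(Get-DefenderExclusionReport)
if ($exclusions.Count -eq 0) {
    Write-Host 'No Defender exclusions configured.'
} else {
    $exclusions | Format-Table -AutoSize
    if (Test-ExclusionsKeyReadableByUsers) {
        Write-Warning 'Exclusions key is readable by standard users; every entry above is discoverable by unprivileged code.'
    }
    # Remove path exclusions one by one after explicit confirmation.
    foreach ($e in ($exclusions | Where-Object Type -eq 'ExclusionPath')) {
        if ((Read-Host "Remove path exclusion '$($e.Value)'? [y/N]") -eq 'y') {
            Remove-MpPreference -ExclusionPath $e.Value
        }
    }
}
```

Exclusions pushed by Group Policy or Intune reappear after removal; those have to be cleaned up at the policy source.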
Info
Channel: The PC Security Channel
Views: 105,590
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, best EDR, EDR, Windows Defender, Windows Defender Exploit, Windows Defender Exploited, Windows Defender vs Malware, Windows Defender Test, Microsoft Windows Defender, Windows Defender Fail
Id: ZCV1Wx3Qugg
Length: 8min 49sec (529 seconds)
Published: Sun Jun 05 2022