Bypass Windows Defender with A Simple Shell Loader
One of the most simplistic ways to get past Windows Defender is to roll your own shell code loader. There are hundreds of examples on GitHub, GitLab, and BitBucket but, this post is going to break it down and provide a simple framework that Red Teams and Penetration Testers alike can use.
This tutorial does not result in a final “tool” although, it will have complete and compilable code. I know I know, C# is not compiled, it’s JIT, but for the sake a brevity, I’m calling it compiled.
Before jumping right in, here is a list of resources that will help answer questions and concerns you may have while reading this post (AKA: I won’t define/detail every aspect of the exploit and only highlight important and kick-ass things):
- Simple-Loader Repository – The code I developed and that is displayed below.
- C++/C# VirtualAlloc Function
- Sharpsploit.dll – DLL of common and useful C# exploitation methods including shellcode injection (Useful when looking for code).
- Hiding Metasploit Shellcode by Rapid7 – I’m not using any of the methods from this post but, this has a good write-up on how Defender/AMSI works and why your shellcode is being popped by Defender.
Here’s my system and build information for reference.
- Language: C#
- .NET Framework 4.0 (Cross compile to whatever you like)
- Visual Studio 17 (community)
- Build Architecture: x86
- Shell Code: MSFVenom windows/exec
msfvenom -a x86 -p windows/exec cmd=calc.exe -f csharp
- Windows 10 Version 1809
- Fully Patched and Updated (5/24/2019)
- Defender Real-Time and Online protection Enabled
- Firewall Enabled
As of writing this (5/24/2019), Windows defender client Machine Learning system is able to easily detect stock Metasploit payloads. That’s not surprising. The question I asked myself was, to what extent do I need to go to to build a standalone binary that will execute a payload without the binary being flagged as malicious?
When I say to what extent, I am talking about coding techniques and byte code obfuscation. For example, would simply Base64 encoding a byte object work for us? The short answer is, No.
Initial testing consisted of generating a simple
calc.exe execution payload where the shell code (C# byte Array) would be loaded and executed in memory using VirtualAlloc().
After building the x86 Release exe, moving the exe to the desktop, and executing it, Defender flagged it as malicious and promptly removed the executable from the system.
Looking at Event 1116 from above, it looks like Defender is flagging on the known formatting of Metasploit. Defender is saying this is a Win32 Meterpreter payload which, it’s not. Microsoft doesn’t care as long as it catches a known Metasploit byte signature. The good news is we might just be able to encode or encrypt the payload to bypass Defender.
It’s helpful to understand what we are trying to defeat. We know, initially, we are trying to defeat the Windows Defender Client Side Machine Learning (Client ML) subsystem and most 3rd party EDR and AV products. Things we want to avoid are massive Base64 strings because of their large entropy values. This will be immediately flagged by most EDR/AV products.
Other things we want to avoid are immediate shellcode execution for Windows Defender heuristic reasons. Defender and some EDR/AV products will be smart enough to remove sleep functions from your code so, depending on your Client/Target, this may or may not be an anti-forensics technique you utilize. My first thought was to have an base64 decoding and AES256 decryption routine to get the payload ready for execution. This would also delay execution by a few hundred milliseconds.
It turns out, that’s all that was needed. I have an Encrypt() and Decrypt() function in my code that utilizes AES 256. A user can encrypt and encode their data with the Simple-Loader tool to get the final shellcode encrypted blob in Base64 encoding.
The repository is a quick and dirty one as this is just a simple example. However, here is a breakdown on how to use it:
- Open the Simple-Loader.sln in Visual Studio
- Double click Program.cs
- Goto Build –> Build Simple-Loader
- A new Binary will be located in
- A new Binary will be located in
- Generate a payload with msfvenom and save to text file.
msfvenom -p windows/exec cmd=calc.exe -f csharp -o payload.txt
- Encrypt and Encode the payload with the Simple-Loader.exe binary.
- Take the output from Simple-Loader and replace the Sting
hiphopwith your new payload.
- Re-Build the binary and you’re good to go!
Hopefully this helps shed some light on the simplicity of bypassing Windows Defender on a fully patched system!