Bypassing Anti-Malware

Vishal Thakur
4 min read · Oct 19, 2020

PowerShell provides a great platform to mess around with Defender

If you want to support me, follow me on Patreon: https://www.patreon.com/malienist

PowerShell is a very powerful tool that Microsoft provides to administrators. The same Defender cmdlets can easily be used by malware authors to try to bypass Windows Defender, Microsoft's anti-malware application, which has a very large user base. One thing to keep in mind throughout: every cmdlet below needs an elevated (administrator) session, which is rarely an obstacle once malware has got that far on a typical workstation.

Section 1

First, let's take a look at the cmdlets available in PowerShell for working with anti-malware. All of them come from the Defender module that ships with Windows.

Add-MpPreference
Modifies settings for Windows Defender.

Get-MpComputerStatus
Gets the status of anti-malware software on the computer.

Get-MpPreference
Gets preferences for the Windows Defender scans and updates.

Get-MpThreat
Gets the history of threats detected on the computer.

Get-MpThreatCatalog
Gets known threats from the definitions catalog.

Get-MpThreatDetection
Gets active and past malware threats that Windows Defender detected.

Remove-MpPreference
Removes exclusions or default actions.

Remove-MpThreat
Removes active threats from a computer.

Set-MpPreference
Configures preferences for Windows Defender scans and updates.

Start-MpScan
Starts a scan on a computer.

Start-MpWDOScan
Starts a Windows Defender offline scan.

Update-MpSignature
Updates the anti-malware definitions on a computer.

Section 2

Now let's take a look at how these cmdlets can be used by malware to control the AV (Defender).

Add-MpPreference

This is the most commonly used cmdlet, as it allows malware to bypass Defender quite easily and in a fairly subtle way.

-ExclusionPath

Captured from a sandbox run (CPU stack view), the sample's command line:

CommandLine = "powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\fe85c0daf0f1d090cf66}""

As you can see in the example above, the malware uses PowerShell to exclude a directory from Defender so that nothing in it is monitored or scanned for threats. Brilliant!

The directory C:\ProgramData\fe85c0daf0f1d090cf66 is then created by the malware, which drops a copy of itself there and executes it from that location.

Now let's take a look at the other parameters that can be coded into the malware to use this cmdlet to the fullest!

-ExclusionExtension

This parameter excludes a file-name extension (e.g. '.exe') from scheduled, custom, and real-time scanning. Unlike a path exclusion it applies system-wide, so excluding '.exe' or '.dll' punches a much larger hole than a single directory.

-ExclusionProcess

Specifies an array of processes, as paths to process images. Files opened by an excluded process are not scanned in real time, so malware can exclude its own image (or a trusted process it injects into) and then work through it. Note the caveat in the Microsoft documentation: the exclusion covers files the process opens, not the process image itself, which is still scanned.

-Force

Forces the command to run without asking for user confirmation, so the user sees nothing and there is no interaction to wait for. Combined with -noninteractive and -windowStyle hidden (as in the next example) the whole thing runs silently in the background.
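The exclusion technique from the three parameters above, written out as an added example (this is not code from the original article or from any sample it describes). The first half is the bypass as an attacker would script it; the second half is the audit and rollback a responder would run afterwards. It assumes an elevated PowerShell session on a host with the Defender module; the directory is the one from the article's captured command line, and the file name payload.exe and the "suspicious path" regex are assumptions for illustration.

```powershell
# Added example, not from the article. Requires an elevated PowerShell session
# with the Defender module. The drop directory is the one from the article's
# sample; "payload.exe" is an assumed file name.

$dropDir = 'C:\ProgramData\fe85c0daf0f1d090cf66'
$payload = Join-Path $dropDir 'payload.exe'

# --- what the malware does ---------------------------------------------------
# Exclude the drop directory, the .exe extension and the payload's own process,
# then drop a copy into the excluded path and run it from there.
Add-MpPreference -ExclusionPath $dropDir -Force
Add-MpPreference -ExclusionExtension '.exe' -Force
Add-MpPreference -ExclusionProcess $payload -Force

# --- what the responder does -------------------------------------------------
# 1. Enumerate every exclusion currently in force.
$pref = Get-MpPreference
$pref | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List

# 2. Flag exclusions that look like malware drop locations rather than admin
#    intent: user-writable and temp directories, or a bare executable extension.
#    The patterns below are an assumption; tune them to your environment.
$dropLocations = '^(C:\\ProgramData|C:\\Users\\[^\\]+\\AppData|C:\\Windows\\Temp|C:\\Temp)'
@($pref.ExclusionPath) | Where-Object { $_ -match $dropLocations } |
    ForEach-Object { Write-Warning "Suspicious exclusion path: $_" }
@($pref.ExclusionExtension) | Where-Object { $_ -match '^\.?(exe|dll|ps1|bat|vbs|js)$' } |
    ForEach-Object { Write-Warning "Suspicious exclusion extension: $_" }
@($pref.ExclusionProcess) | Where-Object { $_ -match $dropLocations } |
    ForEach-Object { Write-Warning "Suspicious exclusion process: $_" }

# 3. Roll back exactly what was added. Remove-MpPreference mirrors
#    Add-MpPreference parameter for parameter.
Remove-MpPreference -ExclusionPath $dropDir -Force
Remove-MpPreference -ExclusionExtension '.exe' -Force
Remove-MpPreference -ExclusionProcess $payload -Force
```

If exclusions are also pushed by Group Policy or an MDM, Get-MpPreference shows the merged result but Remove-MpPreference cannot undo the policy-managed entries; those have to be fixed at the policy source.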

-ThreatIDDefaultAction_Ids

This can be used by malware in a very effective way. If the malware's execution involves components Defender already knows and classifies, it can use the threat ID (assigned by Microsoft) to set Defender's default action for that specific threat to Allow: the detection still fires, but nothing is blocked or quarantined. Look at the example below (the doubled "powershell.exe Powershell" is as observed in the sample):

powershell.exe Powershell -nologo -noninteractive -windowStyle hidden -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force;

Get-MpComputerStatus

This cmdlet returns the status of the anti-malware software installed on the computer, for example whether real-time protection, behavior monitoring and tamper protection are currently on. Malware can use it as a pre-flight check: carry on with execution if Defender is off (or can be switched off), otherwise abort and stay dormant.

Get-MpThreat

This returns the history of threats that Windows Defender detected on the computer. The cmdlet can target a specific threat, as you can see in the example below:

Get-MpThreat -ThreatID 2147685180
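An added example (not from the article) for the threat-ID default action and Get-MpThreat passages above: resolve the ID from the article's sample command against the local definition catalog, check whether an Allow or NoAction override has been planted for it, see whether it has ever fired on this host, and remove the override. It assumes an elevated session with the Defender module; the threat ID is the one from the article's sample and the action-code mapping is the one documented for -ThreatIDDefaultAction_Actions.

```powershell
# Added example, not from the article. Requires an elevated PowerShell session
# with the Defender module. $threatId is the ID from the article's sample.

$threatId = 2147685180

# 1. What is this ID? Get-MpThreatCatalog resolves IDs from the locally
#    installed signature definitions to a name and severity.
$entry = Get-MpThreatCatalog -ThreatID $threatId
if ($entry) {
    "{0} -> {1} (severity {2})" -f $threatId, $entry.ThreatName, $entry.SeverityID
} else {
    "Threat ID $threatId is not present in the local definition catalog"
}

# 2. Has anyone overridden Defender's default action for it? The two arrays in
#    Get-MpPreference are positional pairs: Ids[i] goes with Actions[i].
#    Documented action codes: 1 Clean, 2 Quarantine, 3 Remove, 6 Allow,
#    8 UserDefined, 9 NoAction, 10 Block. Allow and NoAction are the ones
#    malware plants.
$pref    = Get-MpPreference
$ids     = @($pref.ThreatIDDefaultAction_Ids)
$actions = @($pref.ThreatIDDefaultAction_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $flag = if ([int]$actions[$i] -in 6, 9) { '  <-- allow/no-action override' } else { '' }
    "ThreatID {0} default action {1}{2}" -f $ids[$i], $actions[$i], $flag
}

# 3. Has it actually been detected on this host? This is the article's
#    Get-MpThreat call, with the fields a responder wants.
Get-MpThreat -ThreatID $threatId |
    Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute, Resources

# 4. Remove the override so Defender goes back to its signature default.
if ($ids -contains $threatId) {
    Remove-MpPreference -ThreatIDDefaultAction_Ids $threatId -Force
}
```

Step 2 is worth running on its own as a periodic check: on a clean workstation both arrays are normally empty, so any entry at all is a question for the admin who supposedly put it there.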

Set-MpPreference

This cmdlet can be used very effectively by malware to bypass AV. Let's take a look at the parameters malware is known to use:

-DisableBehaviorMonitoring

This is a very dangerous switch! It does exactly what it says: it disables behaviour monitoring. Malware such as Trickbot has been known to run it before fully executing so that the AV does not detect the malware.

-DisableEmailScanning

If this value is set to $True, that's the end of all email scanning. Windows Defender can parse mailbox and mail files according to their specific format in order to analyze mail bodies and attachments; it supports several formats, including .pst, .dbx, .mbx, .mime, and .binhex. But once this parameter is set through PowerShell, all email scanning stops. Great feature for a staging malware, clearing the way for the next payload to be delivered through email.

-DisableIntrusionPreventionSystem

This is another feature malware can abuse: it disables Defender's network protection against exploitation of known vulnerabilities.

-DisableRealtimeMonitoring

Again, a very effective anti-AV switch that lets malware execute without being stopped by the AV. Trickbot has been known to use it to disable real-time monitoring. One important caveat: on Windows 10 builds with Defender's tamper protection turned on, Set-MpPreference changes to real-time monitoring, behaviour monitoring and the other protection switches are rejected, so this only works where tamper protection is off or not available.
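An added example (not from the article, and not code from any sample it mentions) covering the Set-MpPreference switches above and the Get-MpComputerStatus check from earlier in the section: it compares what the engine reports with what the preferences say, re-enables anything that has been switched off, and then pulls the Defender configuration-change events that record when and how it was done. It assumes an elevated session with the Defender module; the seven-day window and the message-text filter in step 3 are assumptions.

```powershell
# Added example, not from the article. Requires an elevated PowerShell session
# with the Defender module.

# --- what the malware runs (Trickbot-style, all at once) ---------------------
# Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true `
#     -DisableIntrusionPreventionSystem $true -DisableEmailScanning $true -Force

# 1. Engine view vs. preference view. Get-MpComputerStatus reports what the
#    engine is actually doing; Get-MpPreference reports the configured flags.
#    If the two disagree, something (tamper protection, policy) is overriding.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$checks = [ordered]@{
    'RealTimeProtectionEnabled (status)'       = $status.RealTimeProtectionEnabled
    'BehaviorMonitorEnabled (status)'          = $status.BehaviorMonitorEnabled
    'IsTamperProtected (status)'               = $status.IsTamperProtected
    'DisableRealtimeMonitoring (pref)'         = $pref.DisableRealtimeMonitoring
    'DisableBehaviorMonitoring (pref)'         = $pref.DisableBehaviorMonitoring
    'DisableIntrusionPreventionSystem (pref)'  = $pref.DisableIntrusionPreventionSystem
    'DisableEmailScanning (pref)'              = $pref.DisableEmailScanning
}
$checks.GetEnumerator() | ForEach-Object { "{0,-42} {1}" -f $_.Key, $_.Value }

# 2. Re-enable anything that has been switched off. With tamper protection on,
#    the malware's calls would have been rejected in the first place; with
#    settings locked by policy, these calls are rejected too and the fix has
#    to go through the policy source.
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -DisableBehaviorMonitoring $false `
                 -DisableIntrusionPreventionSystem $false `
                 -DisableEmailScanning $false -Force

# 3. Who changed it and when? Defender logs every configuration change as
#    event ID 5007 in its Operational log, with the old and new value in the
#    message. The window and the keyword filter are assumptions; widen both
#    if you are hunting rather than triaging one host.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Disable|Exclusions|ThreatIDDefaultAction' } |
    Select-Object TimeCreated, Message |
    Format-List
```

The 5007 events are the quickest way to tie a configuration change back to a time, which you can then line up with process-creation telemetry (Sysmon event 1 or Security 4688) to find the powershell.exe command line that did it.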

Conclusion

As you can see in this article, there are many features provided by Microsoft to control Defender from PowerShell. A lot of them are very useful for sysadmins doing their jobs, but it is very easy to use the same cmdlets in malware to bypass the AV. There are more parameters that I haven't covered here that could also be used to bypass the AV if applied 'creatively'. For defenders, two things help: tamper protection blocks most of the Set-MpPreference switches above, and every change to the Defender configuration, exclusions included, is logged as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which makes these commands easy to hunt for.

Vishal Thakur

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.