defendnot is a sophisticated tool designed to disable Windows Defender by registering a fake antivirus product using undocumented Windows Security Center (WSC) APIs, thereby evading traditional detection methods. The article emphasizes defensive strategies, including Sigma rule implementations and behavioral detection techniques, to identify and prevent defendnot’s multi-stage evasion process. #defendnot #WindowsSecurityCenter #TaskmgrInjection
Key points
- defendnot disables Windows Defender by registering a fabricated antivirus through undocumented WSC COM interfaces, bypassing conventional registry or policy modification methods.
- The tool injects its malicious DLL into trusted system processes, primarily Taskmgr.exe, to evade detection and achieve elevated privileges.
- defendnot was rebuilt from scratch by reverse engineering WSC internals, improving upon the previous no-defender project.
- Multiple detection opportunities exist across the attack chain, including process creation, file system changes (ctx.bin creation), DLL injection, and registry modifications.
- Robust detection is best achieved by focusing on behavioral and technique-based indicators rather than ephemeral file hashes or static IOCs.
- The tool’s attack flow includes initial execution, argument parsing, process injection, fake AV registration, optional persistence setup, and ultimate Windows Defender disabling.
- Detection strategies combining Sigma rules, Sysmon event monitoring, and analysis of WSC API abuses substantially increase defense robustness.
MITRE Techniques
- [T1218] Signed Binary Proxy Execution – defendnot injects malicious DLLs into Taskmgr.exe, a trusted Windows process, to disguise its activities (“inject defendnot.dll into victim process (taskmgr.exe by default)”).
- [T1574.002] Hijack Execution Flow: DLL Search Order Hijacking – defendnot loads its DLL into Taskmgr.exe to execute under the context of a trusted process (“defendnot.dll Loaded Via Taskmgr”).
- [T1543.003] Create or Modify System Process: Windows Service – defendnot uses the WSC IWscAvStatus interface to register a fake antivirus as a legitimate service (“register fake AV via IWscAvStatus Interface”).
- [T1112] Modify Registry – defendnot creates new registry entries related to security center AV products to facilitate disabling Windows Defender (“creation of specific registry entries… crucial indicators”).
- [T1055] Process Injection – defendnot performs classic DLL injection and uses CreateRemoteThread to execute code in Taskmgr.exe (“performing the creation/execution of the remote thread – Sysmon EID 8”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – optionally, defendnot establishes persistence through autorun registry entries and scheduled tasks (“register AutoRun (Optional)”).
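The behavioural detection the key points and the T1055 entry describe (Sysmon EID 8 remote thread into Taskmgr.exe, followed by an untrusted DLL load in Taskmgr.exe, plus the ctx.bin drop as a weaker signal) as an added example that is not the Huntress post's or the defendnot project's code. It runs over constructed Sysmon-style event dicts; field names follow Sysmon's schema, and all host names and paths are invented.

```python
"""Behavioural detection of defendnot-style Taskmgr.exe injection over Sysmon events.
Added example, not code from the Huntress post; field names follow Sysmon's schema
(EID 8 CreateRemoteThread, EID 7 ImageLoaded, EID 11 FileCreate), values are constructed."""
from collections import defaultdict

TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_remote_thread_into_taskmgr(ev):
    """EID 8: remote thread created in Taskmgr.exe by a process outside System32."""
    return (ev["EventID"] == 8
            and ev["TargetImage"].lower().endswith("\\taskmgr.exe")
            and not ev["SourceImage"].lower().startswith(TRUSTED_SOURCE_DIRS))

def is_untrusted_dll_in_taskmgr(ev):
    """EID 7: Taskmgr.exe loaded a DLL that is unsigned or not Microsoft-signed."""
    return (ev["EventID"] == 7
            and ev["Image"].lower().endswith("\\taskmgr.exe")
            and (ev.get("Signed", "false").lower() != "true"
                 or "microsoft" not in ev.get("Signature", "").lower()))

def is_ctx_bin_drop(ev):
    """EID 11: a ctx.bin file written (the post ties this name to argument parsing)."""
    return ev["EventID"] == 11 and ev["TargetFilename"].lower().endswith("\\ctx.bin")

def detect(events):
    """Per host, a remote thread into Taskmgr.exe followed by an untrusted DLL load in
    Taskmgr.exe is a high-confidence alert; a ctx.bin drop is a weaker stand-alone one.
    Returns (rule, host, source_image, artefact) tuples in event order."""
    alerts, state = [], defaultdict(dict)
    for ev in events:
        host = ev["Computer"]
        if is_remote_thread_into_taskmgr(ev):
            state[host]["remote_thread"] = ev["SourceImage"]
        elif is_untrusted_dll_in_taskmgr(ev) and "remote_thread" in state[host]:
            alerts.append(("taskmgr_injection", host, state[host]["remote_thread"], ev["ImageLoaded"]))
        elif is_ctx_bin_drop(ev):
            alerts.append(("ctx_bin_created", host, ev["Image"], ev["TargetFilename"]))
    return alerts

# Constructed telemetry: WS01 shows the full chain, WS02 a benign System32-sourced remote thread.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS01", "Image": "C:\\Users\\u\\Downloads\\defendnot-loader.exe",
     "TargetFilename": "C:\\Users\\u\\Downloads\\ctx.bin"},
    {"EventID": 8, "Computer": "WS01", "SourceImage": "C:\\Users\\u\\Downloads\\defendnot-loader.exe",
     "TargetImage": "C:\\Windows\\System32\\Taskmgr.exe"},
    {"EventID": 7, "Computer": "WS01", "Image": "C:\\Windows\\System32\\Taskmgr.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\defendnot.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Computer": "WS01", "Image": "C:\\Windows\\System32\\Taskmgr.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 8, "Computer": "WS02", "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\Taskmgr.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields the weaker ctx.bin alert first and then the correlated injection alert for WS01 only; the Microsoft-signed ntdll.dll load and the System32-sourced remote thread on WS02 are not flagged, which is the point of keying on behaviour rather than file names alone.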
Indicators of Compromise
- [File Names] defendnot-loader.exe, defendnot.dll – main executable and injected DLL used in execution and injection phases.
- [Registry Keys] Security Center AV registration keys – new registry entries created to reflect fake AV presence and Defender disabling.
- [Processes] Taskmgr.exe – privileged process targeted for DLL injection to evade detection and execute code within trusted context.
- [Files] ctx.bin – configuration or encrypted payload file created during the argument-parsing phase.
- [Scheduled Tasks] Autorun or scheduled tasks – optionally created to maintain persistence across reboots.
Read more: https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques