Fancy Defender evasion? Yet another method, nearly bare hands: 1. Export CurrentControlSet to a file 2. Edit path in a file 3. Import a file as new ControlSet 4. Change "Select" values to new one 5. Reboot 6. Enjoy 😎 A side effect of my "Registry internals" session yesterday 😅
74,059 views • 2 years ago • via X (Twitter)
11 Comments

BTW if you think about responsible disclosure, the answer is quite simple: @msftsecresponse closes immediately reports related to Defender if you do not provide "Short explanation on how an attacker could use the information to exploit another user remotely".

You can get around pretty much all AVs this way. Addressing it would be super expensive performance wise. There’s really no good way to stop admins from doing nasty things.

One RegNotifyChangeKeyValue() watching the Select key.

Does that method work only on an admin account, or non-privileged also?

Admin only, due to two reasons: 1. RegSaveKey() / RegRestoreKey() restrictions, 2. Permissions on HKLM\SYSTEM and HKLM\SYSTEM\Select

@UK_Daniel_Card really cool!

Could we run our own program instead? E.g. nsmpeng.exe? And would that have additional benefits?

Sure. You can add your own service after restoring the key. Or just edit paths in the binary file. Whatever is easier for you.

Lol nice

@Sug4r7 this is awesome! I also have similar research in this persistence topic and I’m planning to release it later this Aug. but I might release it soon because of this great research! 😊👍

@Sug4r7 And what about publishing your research in parts? :)
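
A defender-side check for the steps in the post above, as an added example that is not part of the original thread: it parses a decoded `.reg` export of `HKLM\SYSTEM`, flags a `Select\Current` value that differs from a recorded baseline, and lists services whose `ImagePath` differs between control sets. The function names, the `baseline_current` parameter and the sample paths are assumptions constructed for the example.

```python
import re
def parse_reg(text):
    """Parse decoded .reg export text into {KEY_PATH_UPPER: {value_name: value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex(...) continuation lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].upper(), {})
        elif cur is not None and m:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                cur[name] = int(raw[6:], 16)
            elif raw.startswith("hex(2):"):  # REG_EXPAND_SZ as UTF-16LE bytes
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                cur[name] = data.decode("utf-16-le").rstrip("\x00")
            elif raw.startswith('"'):  # REG_SZ with \\ and \" escapes
                cur[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def audit(text, baseline_current):  # Select\Current drift + ImagePath mismatches
    keys, findings, paths = parse_reg(text), [], {}
    current = keys.get("HKEY_LOCAL_MACHINE\\SYSTEM\\SELECT", {}).get("Current")
    if current != baseline_current:
        findings.append(f"Select\\Current={current}, baseline={baseline_current}")
    for key, vals in keys.items():
        m = re.match(r"HKEY_LOCAL_MACHINE\\SYSTEM\\CONTROLSET(\d{3})\\SERVICES\\([^\\]+)$", key)
        if m and "ImagePath" in vals:
            paths.setdefault(m.group(2), {})[int(m.group(1))] = vals["ImagePath"]
    for svc, by_set in sorted(paths.items()):
        if len({p.lower() for p in by_set.values()}) > 1:
            findings.append(f"{svc}: ImagePath differs: {sorted(by_set.items())}")
    return findings

def _hex2(s):  # encode a string the way a .reg export writes REG_EXPAND_SZ
    body = ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))
    return "hex(2):" + body[:30] + "\\\n  " + body[30:]

# Constructed sample: paths and control-set numbers are made up for the example.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\Select]", '"Current"=dword:00000002',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend]",
    '"ImagePath"=' + _hex2(r"C:\Constructed\Original\engine.exe"),
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinDefend]",
    '"ImagePath"=' + _hex2(r"C:\Constructed\Edited\engine.exe"),
])

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, baseline_current=1)))
```

Control sets can also differ after ordinary service updates, so a mismatch is a lead to review against the baseline rather than a verdict.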


