
Fancy Defender evasion? Yet another method, nearly bare hands:
1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change "Select" values to new one
5. Reboot
6. Enjoy 😎
A side effect of my "Registry internals" session yesterday 😅

74,059 views • 2 years ago • via X (Twitter)

11 Comments

Grzegorz Tworek · 2 years ago

BTW if you think about responsible disclosure, the answer is quite simple: @msftsecresponse immediately closes reports related to Defender if you do not provide a "Short explanation on how an attacker could use the information to exploit another user remotely".

imag0r · 2 years ago

You can get around pretty much all AVs this way. Addressing it would be super expensive performance wise. There’s really no good way to stop admins from doing nasty things.

Grzegorz Tworek · 2 years ago

One RegNotifyChangeKeyValue() watching the Select key.
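One way to put that watcher in place, as an added defensive example that is not code from the thread: it subscribes to WMI's RegistryValueChangeEvent on the three Select values instead of calling RegNotifyChangeKeyValue() directly, and logs the change together with any ControlSet00N key that did not exist at baseline; the log file path is an assumption.

```powershell
# Added example, not from the thread: flag a ControlSet swap the moment
# HKLM\SYSTEM\Select is rewritten, before the reboot that activates it.
# Uses the WMI RegistryValueChangeEvent provider (same idea as a
# RegNotifyChangeKeyValue() watcher, without P/Invoke). Run elevated.
$logFile = 'C:\ProgramData\SelectWatch.log'   # assumed log location

function Get-SelectState {
    # Which ControlSet is active, and which ControlSet00N keys exist right now.
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [pscustomobject]@{
        Current       = [int]$sel.Current
        Default       = [int]$sel.Default
        LastKnownGood = [int]$sel.LastKnownGood
        ControlSets   = @(Get-ChildItem 'HKLM:\SYSTEM' |
                          Where-Object PSChildName -like 'ControlSet0*' |
                          ForEach-Object PSChildName)
    }
}

$baseline = Get-SelectState
"$(Get-Date -Format o) baseline Current=ControlSet$('{0:D3}' -f $baseline.Current) sets=$($baseline.ControlSets -join ',')" |
    Add-Content -Path $logFile

# One subscription per value the swap has to rewrite; the registry event provider lives in root\default.
foreach ($value in 'Current', 'Default', 'LastKnownGood') {
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='SYSTEM\\Select' AND ValueName='$value'"
    Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier "SelectWatch-$value" `
        -MessageData @{ Baseline = $baseline; LogFile = $logFile } -Action {
        $name = $Event.SourceEventArgs.NewEvent.ValueName
        $base = $Event.MessageData.Baseline
        # The event carries only the value name, so re-read the key to see what it now points at.
        $now  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
        $sets = @(Get-ChildItem 'HKLM:\SYSTEM' | Where-Object PSChildName -like 'ControlSet0*' | ForEach-Object PSChildName)
        $newSets = $sets | Where-Object { $_ -notin $base.ControlSets }
        $line = "$(Get-Date -Format o) ALERT Select\$name changed: Current=ControlSet$('{0:D3}' -f [int]$now.Current) (was $('{0:D3}' -f $base.Current))"
        # A freshly imported ControlSet00N key appearing next to the change is the tell-tale sign of a restored hive.
        if ($newSets) { $line += " new ControlSet keys: $($newSets -join ',')" }
        Add-Content -Path $Event.MessageData.LogFile -Value $line
    } | Out-Null
}

# Block here; stop with: Get-EventSubscriber | Unregister-Event
while ($true) { Wait-Event -Timeout 60 | Out-Null }
```

The subscription lives only as long as the PowerShell session, so for anything beyond a lab run the same query belongs in a permanent WMI event consumer or in the EDR's own registry telemetry.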

Daniel Mielczarek · 2 years ago

Does that method work only on an admin account, or on a non-privileged one as well?

Grzegorz Tworek · 2 years ago

Admin only, due to two reasons:
1. RegSaveKey() / RegRestoreKey() restrictions
2. Permissions on HKLM\SYSTEM and HKLM\SYSTEM\Select

Advanced Persistent Dread · 2 years ago

@UK_Daniel_Card really cool!

Advanced Persistent Dread · 2 years ago

Could we run our own program instead, e.g. nsmpeng.exe? And would that have additional benefits?

Grzegorz Tworek · 2 years ago

Sure. You can add your own service after restoring the key. Or just edit paths in the binary file. Whatever is easier for you.

spencer · 2 years ago

Lol nice

Br3akp0int · 2 years ago

@Sug4r7 this is awesome! I also have similar research on this persistence topic and I'm planning to release it later this Aug., but I might release it sooner because of this great research! 😊👍

Grzegorz Tworek · 2 years ago

@Sug4r7 And what about publishing your research in parts? :)
