Can Malware Disable Windows Defender?
This malware can disable Windows Defender - lets find out how!
Support us on GH: https://guidedhacking.com/register/
Support us on Patreon: / guidedhacking
Support us on YT: / @guidedhacking
Windows Defender Disabling Malware Text Article:
https://guidedhacking.com/threads/ana...
Windows Defender is the bane of most commodity malware. In this video we'll be looking at a piece of malware that attempts to elevate its privileges and then disable Windows Defender. This kind of operation is incredibly useful for us to understand, as it touches on the fundamentals of Windows processes and how Windows Defender's privileges function.
During our malware analysis of the binary we see that it is written in .NET. The malware begins by checking the permissions of the running processes, calling Windows APIs to determine each process's owner. It then checks whether the owner name contains "NT". The highest-privileged processes on a Windows system are run by "NT-SYSTEM". This level of privilege is necessary for the malware to attempt to disable Windows Defender. The malware checks whether it's running at this level and, if not, attempts to elevate itself before disabling Defender. To accomplish this the malware uses a technique that duplicates the token of winlogon. WinLogon is a high-privilege process that runs at the "NT-System" privilege level. The malware calls OpenProcessToken to grab the token of this process, then sets up the startup info for a new process and calls DuplicateTokenEx to duplicate winlogon's token. Once that's done it gets the location of its own executable and creates a new process from it using the high-privilege token that was taken from winlogon.
Now that the binary is running with higher privileges, the malware continues on to disable Windows Defender. Windows Defender runs with permissions to access files, and to disable it all you need to do is remove this access. So, now that it has the permissions to do this, the malware calls OpenProcess on the Windows Defender process and then gets the process token that holds that process's privilege level. Once that's completed it creates a structure and populates it with the ML_UNTRUSTED SID. Once the structure has been populated, the malware converts it into a pointer that can be applied to the process. Finally the malware calls SetTokenInformation to set the untrusted level on the Windows Defender process, which removes its access to scan files. This is a very useful method for actors attempting to disable Windows Defender.
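The two stages described above (opening winlogon.exe to duplicate its token, then opening the Defender service process to change its token) both show up as process-access telemetry, and a defender can correlate them. The following is an added detection example, not code from the video, the text article or the malware itself. It assumes the telemetry is Sysmon ProcessAccess (Event ID 10) style records with SourceImage, TargetImage and GrantedAccess fields; the record text format, the allow-list of expected source images and the sample events are all constructed for this example.

```python
"""Added example: correlate winlogon token access with Defender process access.

Assumptions (not from the page): Sysmon Event ID 10 style records with
SourceImage, TargetImage and GrantedAccess; the 'Key: Value|Key: Value' line
format, EXPECTED_SOURCES and SAMPLE_EVENTS are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Process access rights from winnt.h (Windows SDK) relevant to this pattern.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
# Either query right on the process handle is enough to call OpenProcessToken.
TOKEN_QUERY_RIGHTS = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

ACCESS_NAMES = {
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Assumption: images that legitimately open winlogon.exe or MsMpEng.exe in
# this environment. Tune this list per host build; it is illustrative only.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # benign: the service control manager querying winlogon
    r"SourceImage: C:\Windows\System32\services.exe|TargetImage: C:\Windows\System32\winlogon.exe|GrantedAccess: 0x1400",
    # stage 1: the sample opens winlogon.exe so it can duplicate its token
    r"SourceImage: C:\Users\lab\Desktop\sample.exe|TargetImage: C:\Windows\System32\winlogon.exe|GrantedAccess: 0x1FFFFF",
    # stage 2: the re-launched copy opens Defender's service process
    r"SourceImage: C:\Users\lab\Desktop\sample.exe|TargetImage: C:\Program Files\Windows Defender\MsMpEng.exe|GrantedAccess: 0x1410",
    # unrelated: a tool reading another process, no winlogon or Defender target
    r"SourceImage: C:\Tools\procexp64.exe|TargetImage: C:\Windows\System32\notepad.exe|GrantedAccess: 0x1010",
]


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> ProcessAccess:
    """Parse one constructed 'Key: Value|Key: Value' ProcessAccess record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # first colon only; paths keep theirs
        fields[key.strip()] = value.strip()
    return ProcessAccess(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def describe_access(mask: int) -> list[str]:
    """Name the known access-right bits present in a GrantedAccess mask."""
    return [name for bit, name in ACCESS_NAMES.items() if mask & bit == bit]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessAccess) -> list[str]:
    """Tag a single record with the stage of the chain it resembles, if any."""
    if ev.source_image.lower() in EXPECTED_SOURCES:
        return []
    tags = []
    target = basename(ev.target_image)
    if target == "winlogon.exe" and ev.granted_access & TOKEN_QUERY_RIGHTS:
        tags.append("winlogon_token_access")   # precursor to token duplication
    if target == "msmpeng.exe" and ev.granted_access & TOKEN_QUERY_RIGHTS:
        tags.append("defender_token_access")   # precursor to SetTokenInformation
    return tags


def correlate(lines: list[str]) -> dict:
    """Group tags per source image; both stages from one image is the full chain.

    The relaunched, elevated copy shares the image path of the original, so
    grouping on SourceImage links stage 1 and stage 2 across the two processes.
    """
    per_source: dict[str, set] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        per_source[ev.source_image.lower()].update(classify(ev))
    results = {}
    for src, tags in per_source.items():
        if tags:
            full = {"winlogon_token_access", "defender_token_access"} <= tags
            results[src] = {"tags": sorted(tags), "full_chain": full}
    return results


def run_sample() -> dict:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(src, info)
```

A single winlogon.exe open from an unexpected image is worth a look on its own; the same image path also reaching MsMpEng.exe is the chain the video walks through, and `full_chain` marks it.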
In the context of malware analysis, it's often necessary to disable Windows Defender, the default antivirus solution provided by Microsoft. While Windows Defender typically offers robust protection against various forms of malware, in the controlled environment of a malware analysis lab, it can interfere with the investigative process by automatically removing or quarantining the malware sample. Therefore, a malware analyst often needs to disable Windows Defender temporarily, enabling them to examine the malware's behavior without interruption.
However, it's important to note that disabling Windows Defender should only be done in a controlled, isolated environment specifically designated for malware analysis. In regular use, Windows Defender provides essential protection.
Understanding Windows privilege escalation is another key aspect of Windows malware analysis. Many types of Windows malware attempt to escalate their privileges, i.e., gain higher levels of access or control over the system than they initially have.
Additionally, Windows Defender test scenarios form a vital part of the malware analysis process. By testing how Windows Defender reacts to different forms of malware, analysts can gain insights into how malware might bypass Windows Defender in a real-world scenario. These tests help improve the detection capabilities of Windows Defender and contribute to the development of more robust defense strategies against Windows malware.
Despite its robust detection capabilities, some sophisticated Windows malware can bypass Windows Defender. These malware types often use a combination of obfuscation techniques, such as packing or encryption, and exploit vulnerabilities in the system or the antivirus software itself.
Follow us on Facebook : http://bit.ly/2vvHfhk
Follow us on Twitter : http://bit.ly/3bC7J1i
Follow us on Twitch : http://bit.ly/39ywOZ2
Follow us on Reddit : http://bit.ly/3bvOB57
Follow us on GitHub : http://bit.ly/2HoNXIS
Follow us on Instagram : http://bit.ly/2SoDOlu
Analyzing Malware that Disables Windows Defender
Malware
Windows Defender
Antivirus
Privilege escalation
Token manipulation
Process access
Malware analysis
Windows API
SetTokenInformation
OpenProcessToken
DuplicateTokenEx
Disable antivirus
Cybersecurity
Threat analysis