Introduction
In the previous edition, we discussed how to evade Rubeus by understanding and analyzing the YARA rules that serve as the detection basis. However, this was not enough, as when trying to run the tool in an environment with Windows Defender, it was still being detected. This is because there are still additional security measures that need to be bypassed, and this is precisely what we will address in this entry.
Aim
We continue to focus on evading static binary analysis, so the main strategy remains modifying the binary. Windows Defender does not publish its detection rules the way YARA rules are published, which makes the detection and evasion process more tedious and challenging.
For this task, we will use a tool developed by Daniel Duggan called ThreatCheck. This tool drives the Windows Defender command-line scanner to perform multiple scans, following a "divide and conquer" approach.
The process is relatively simple: the binary is split in half and each segment is scanned until the portion that Windows Defender marks as malicious is identified. That portion is then split again into smaller fragments, repeating the process until the exact region that triggers the detection is located. Unlike a YARA scan, which reports every matching rule at once, ThreatCheck reports only the first detection it finds. Once that detection has been modified away, if further problematic segments remain, the scan must be repeated until the binary comes back completely clean.
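The localisation loop described above, as an added illustration that is not ThreatCheck's own code: the scanner is a stub that flags any buffer containing one of two constructed literals, standing in for an opaque signature engine (no real product is queried), and the sample "binary" is constructed filler around those literals.

```python
"""Bisection that localises the bytes an opaque scanner objects to."""
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for opaque, case-insensitive string signatures.
STUB_SIGNATURES = [b"diffiehellmankey", b".kirbi"]


def stub_scanner(buf: bytes) -> bool:
    """Flag the buffer if any stub literal occurs in it (case-insensitive)."""
    low = buf.lower()
    return any(sig in low for sig in STUB_SIGNATURES)


def locate_detection(data: bytes, is_flagged: Callable[[bytes], bool]) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the smallest span that still triggers, or None if clean.

    Phase 1 halves the prefix length to find where the flagged bytes end; phase 2
    halves the start offset to find where they begin. Each phase costs about
    log2(len(data)) scans, so a single-literal signature is pinned down quickly.
    """
    if not is_flagged(data):
        return None
    lo, hi = 0, len(data)          # data[:hi] is flagged, data[:lo] is clean
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[:mid]):
            hi = mid
        else:
            lo = mid
    end = hi
    lo, hi = 0, end                # data[lo:end] is flagged, data[hi:end] is clean
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo, end


# Constructed sample "binary": filler around two literals the stub reacts to.
SAMPLE = b"\x00" * 300 + b"Export as .KIRBI" + b"\x90" * 500 + b"DiffieHellmanKey" + b"\x00" * 200


def demo() -> List[bytes]:
    """Locate one region, blank it in a copy, rescan; returns the spans found in order.

    This mirrors the 'repeat until clean' loop: only one detection surfaces per pass."""
    data = bytearray(SAMPLE)
    found = []
    while (span := locate_detection(bytes(data), stub_scanner)) is not None:
        start, end = span
        found.append(bytes(data[start:end]))
        data[start:end] = b"?" * (end - start)   # touch only the located bytes
    return found
```

From the detection-engineering side the stub makes the conclusion's point: a rule that hinges on one literal is isolated in a few dozen scans, which is why robust detection layers behavioural signals over string matches.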
Example
For the following example, we will use the same Rubeus binary after the modifications derived from the YARA rules. Before starting the scan, Windows Defender must be disabled so that it does not scan and delete the binary.
The execution format of the tool is as follows.
In the first iteration, it detects a section of the binary that makes multiple references to the word "Ticket" in the function names.
It should be noted that certain changes may lead to altering the functionality of the application. In the following image, it can be observed that changing "ticket" to "boletu" modifies an initial parameter.
The final version of Rubeus will no longer accept /ticket, but /boletu, in subsequent executions. Case sensitivity must be taken into account: "ticket" and "Ticket" have to be replaced consistently with the chosen alternative.
Once the modification is made, Rubeus is no longer detected in the previous byte range, and a new detection appears, this time due to calls to the Diffie-Hellman functions. Renaming 'DiffieHellmanKey' to 'DiffieHellmanClave' should avoid that detection.
Finally, another segment of bytes is detected as malicious, referring to the ".kirbi" ticket extension. This extension is highly recognisable, so changing the output literal to ".rosa" evades the detection.
A new iteration over the binary should report Rubeus as undetected. If we re-enable Windows Defender and add the AMSI scanning option, it finds no detections in this case, leaving Rubeus completely evaded in the proposed lab.
If at any point in the process the following result, or a similar one, is obtained, it is due to the compilation mode used in Visual Studio.
Switching to x64 in 'Release' mode prevents this detection. Debug builds leave different traces that antivirus can easily match if rules for them are in place.

Conclusions
In this entry, we have explored several techniques for evading Windows Defender, one of the most widely used protection systems in corporate and personal environments. Our focus has been on removing Indicators of Compromise (IOC) and the characteristic traces of known tools, which are often quickly identified and blocked on protected systems. However, in real-world scenarios the detection mechanisms are considerably more complex, and these basic modifications are insufficient against advanced Antivirus (AV) solutions and, especially, Endpoint Detection and Response (EDR) products.
To better understand these challenges, it is essential to analyze the factors that hinder evasion in environments with advanced security solutions:
- Proprietary detection rules: Each security product has its own set of rules designed to identify suspicious activity. These rules are not public and vary between vendors, so what works against one solution may fail against another. Many of these rules are updated continuously, so previously working evasion techniques become obsolete in a short time. Some solutions also use machine learning to recognise variations of known attack patterns, making them even harder to evade.
- Dynamic and heuristic analysis: In addition to using signatures to detect threats, modern EDRs incorporate behavior analysis technologies. This means that they not only look for known patterns in executable files but also monitor their interaction with the operating system in real time. For example, if a tool attempts to inject code into another process or access credentials, an alert may be triggered without the need for a specific signature. Some solutions even create controlled environments or sandboxes to run potential threats and analyze their behavior before allowing their execution on the real system.
Given the evolution of these defense mechanisms, obfuscation tools have emerged that allow for the modification of binaries and scripts to make them less detectable. An example of this is InvisibilityCloak, a tool specifically designed for C# environments that allows for the manipulation of projects and the generation of modified binaries with the aim of reducing the likelihood of detection by AV and EDR solutions.
Despite having automation tools, effective evasion of defenses requires more than just applying known techniques. It is crucial to understand in depth both the functioning of the tools to be used and the environment in which they will be executed. Additionally, it is essential to stay updated on advancements in detection and to develop dynamic approaches that allow for continuous adaptation to the evolution of security solutions. In many cases, the combination of several techniques and constant testing in laboratory environments can make the difference between being detected or going unnoticed.