Defender-Pretender: When Windows Defender Updates Become a Security Risk

Presented at DEF CON 31 (2023), Aug. 11, 2023, 12:30 p.m. (45 minutes)

The signature update process is critical to EDR's effectiveness against emerging threats. The security update process must be highly secured, as demonstrated by the Flame malware attack that leveraged a rogue certificate for lateral movement. Nation-state capabilities are typically required for such an attack, given that signature update files are digitally signed by Microsoft. We wondered if we could achieve similar capabilities running as an unprivileged user without possessing a rough certificate, instead we aimed to turn the original Windows Defender process to our full control. In this talk we will deep dive into Windows Defender architecture, the signature database format and the update process, with a focus on the security verification logic. We will explain how an attacker can completely compromise any Windows agent or server, including those used by enterprises, by exploiting a powerful 0day vulnerability that even we didn't expect to discover. We will demonstrate Defender-Pretender, a tool we developed to achieve neutralization of the EDR. allowing any already known malicious code to run Fully Un-Detected. It can also force Defender to delete admin’s data. OS and driver files, resulting in an unrecoverable OS. We will also explain how an attacker can alter Defender's detection and mitigation logic.

Presenters:

• Tomer Bar - VP of Security Research at SafeBreach Labs
  Tomer Bar is a hands-on security researcher with 20 years of unique experience in cyber security. He leads SafeBreach Labs as the VP of security research. In the past, he ran research groups for the Israeli government and then led the endpoint malware research for Palo Alto Networks. His main interests are vulnerability research, reverse engineering, and APT research. Among his recent discoveries are the PrintDemon vulnerabilities in the Windows Spooler mechanism which were a candidate in the best privilege escalation of Pwnie awards and several research studies on Iranian APT campaigns. He presented his research at DEF CON (28-30), BlackHat USA, ReCon, Sector, Confidence, Security Fest and HackCon conferences.
• Omer Attias - Security Researcher at SafeBreach Labs
  Omer Attias is an accomplished security researcher with over five years of experience in the field of cybersecurity. He currently works as a researcher at SafeBreach Labs. With a background in the Ministry of Defense and the Israeli Defense Forces (IDF), Omer has honed his skills in network research, including a deep understanding of Windows internals and Linux kernel components. In addition to his professional pursuits, Omer is a passionate technology and science enthusiast who is always eager to explore emerging trends and innovations in these fields.

Links:

• https://forum.defcon.org/node/245737

Similar Presentations:

• VB2018 / Windows Defender under the microscope: a reverse engineer's perspective
• Black Hat Europe 2021 / Windows Defender - Demystifying and Bypassing ASR by Understanding the AV's Signatures
• Summercon 2018 / REVERSE ENGINEERING WINDOWS DEFENDER ANTIVIRUS