Can we Bypass Windows Defender? #12

Open
DungLeMTA opened this issue Jun 3, 2022 · 5 comments

Comments

@DungLeMTA

Can we use the malicious Word document and bypass Windows Defender?

@El-Vim55

El-Vim55 commented Jun 7, 2022

My educated guess is: until Microsoft themselves resolve the Zero-Day it will remain undetected by Windows Defender, I'm probably wrong though.

You can also read this: https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/follina-microsoft-office-zero-day-cve-2022-30190.html#:~:text=The%20'Follina'%20zero%2Dday,can%20bypass%20Windows%20Defender%20detection.

@lakshya2207

> My educated guess is: until Microsoft themselves resolve the Zero-Day it will remain undetected by Windows Defender, I'm probably wrong though.
>
> You can also read this: https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/follina-microsoft-office-zero-day-cve-2022-30190.html#:~:text=The%20'Follina'%20zero%2Dday,can%20bypass%20Windows%20Defender%20detection.

John Hammond has already submitted the fault to the Microsoft team, and if the system is up to date Windows will surely detect the vulnerability.

@El-Vim55

@lakshya2207 Ah ok, thanks for letting us know!

@ElizabethHanson1999

ElizabethHanson1999 commented Oct 18, 2022

Hi

I tried the exploit and I have a question now:
The exploit is done when Windows Defender is off. Does it mean the vulnerability still exists in the msdt service, and Windows prevents it just using Defender? If so, what would it be if we obfuscate the HTML payload? Does it bypass the antivirus? How is Defender preventing this exploit? Is it signature based, or does it prevent calling msdt through the web?
This is the message I got from the Windows antivirus:

[image: screenshot of the Windows Defender alert]

Is there a way to change html_payload in the code ?

@DungLeMTA
Author

DungLeMTA commented Oct 18, 2022

@ElizabethHanson1999 I tried it. I tried obfuscating the HTML payload, but Windows Defender caught any PowerShell commands, so it is not effective.
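Editor's added example, not code from this issue thread or from the exploit project it was filed against: a PowerShell triage script for the questions the thread raises about CVE-2022-30190. It checks whether the ms-msdt: protocol handler that the exploit relies on is still registered, whether Microsoft Defender's real-time protection and signatures are the control actually doing the blocking, whether the Office child-process attack surface reduction rule is enforced, and what Defender logged when it stopped the PowerShell stage. It assumes an elevated PowerShell prompt on the Windows 10/11 host under test and the built-in Defender module (Get-MpComputerStatus, Get-MpPreference, Get-MpThreat); the ASR rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes".

```powershell
# Added example (editor's, not from this thread): triage checks for CVE-2022-30190
# (Follina) on a Windows host. Run from an elevated PowerShell prompt.

# --- 1. Is the ms-msdt: protocol handler still registered? ---------------------
# Office forwards an ms-msdt: URL found in a document to whatever command is
# registered under this key. Microsoft's interim workaround was to delete it.
$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
if (Test-Path $handlerKey) {
    $open = Get-ItemProperty -Path "$handlerKey\shell\open\command" -ErrorAction SilentlyContinue
    Write-Warning ('ms-msdt handler is registered -> ' + $open.'(default)')
} else {
    Write-Host 'ms-msdt handler is not registered (workaround applied or key removed).'
}

# --- 2. Is Defender in a position to block the PowerShell stage? ---------------
# The thread observes that the exploit only lands with Defender off, i.e. the
# detection fires on the payload / child process, not on msdt.exe itself.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntimalwareService   = $mp.AMServiceEnabled
    RealTimeProtection   = $mp.RealTimeProtectionEnabled
    BehaviorMonitoring   = $mp.BehaviorMonitorEnabled
    SignatureVersion     = $mp.AntivirusSignatureVersion
    SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
} | Format-List

# --- 3. Is the Office child-process ASR rule enforced? -------------------------
# "Block all Office applications from creating child processes" stops WINWORD
# from spawning msdt.exe at all, independent of any signature. Action 1 = Block,
# 2 = Audit, 0 = Off.
$asrId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$idx   = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $asrId) { $idx = $i; break }   # -eq is case-insensitive for strings
}
if ($idx -ge 0 -and $pref.AttackSurfaceReductionRules_Actions[$idx] -eq 1) {
    Write-Host 'ASR: Office child-process rule is in Block mode.'
} else {
    Write-Warning 'ASR: Office child-process rule is not enforced (off, audit, or absent).'
}

# --- 4. What did Defender log when it stopped the payload? ---------------------
# Threat names tell you which engine fired: names prefixed "Behavior:" come from
# behaviour monitoring, anything else from file/script signatures (AMSI covers
# the de-obfuscated PowerShell, which is why obfuscating the HTML does not help).
Get-MpThreat |
    Select-Object ThreatName, DidThreatExecute, IsActive, @{n='Resources'; e={ $_.Resources -join '; ' }} |
    Format-Table -AutoSize

# Event 1116 = detection, 1117 = action taken, in the Defender operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

The split between step 1 and steps 2 to 4 is the point of the thread: removing the handler (or installing the June 2022 update) fixes the vulnerability itself, whereas a Defender detection on the PowerShell stage only blocks one payload, and the ASR rule sits in between, blocking the msdt.exe child process regardless of what the payload looks like.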
