Yet Another Windows Defender Evasion Technique

[Wiz]

Hello people, as we know there is always a way to bypass security since everything is human made.

Here is another way to bypass windows defender.

1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change "Select" values to new one
5. Reboot

PoC Video:

 

[varwar]

High integrity requires I suggest. If so, why not just overwrite the original branch at "Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mp*" or it's recovering to the original value after reboot? Sorry, can't test this assumption now.

 

[Wiz]

High integrity requires I suggest. If so, why not just overwrite the original branch at "Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mp*" or it's recovering to the original value after reboot? Sorry, can't test this assumption now.

Yes, thats why I created another branch and redirect to there.

 

[user]

where is the evasion technique? XD

 

[varwar]

Взято отсюда

 

[Wiz]

Взято отсюда

Fancy Defender evasion? Yet another method, nearly bare hands:
1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change "Select" values to new one
5. Reboot
6. Enjoy 😎
A side effect of my "Registry internals" session yesterday 😅 pic.twitter.com/3dLNW9SGzd

— Grzegorz Tworek (@0gtweet) July 28, 2023

credits? thanks ))

 

[alex778]

Grzegorz Tworek

О, курва! Респект мужику.

 

[varwar]

credits? thanks ))

Put the original source is not a crime here, rather the opposite.