
Windows Defender Bypass


About Windows Defender and the Bypass Vulnerability 

Many organizations rely on Windows Defender as their only line of defense. Its core detection is signature-based: before a file executes, Defender compares it against its database of known-threat signatures (the security intelligence, or definition, files). If the file matches a signature, Defender flags it as malicious and blocks it. Defender also has heuristic, behavioural and cloud-delivered layers, but the signature database is what the bypass described here targets.

Below we demonstrate an exploit of the Windows Defender update process that deletes a threat from this database. Once the signature is gone, Defender no longer recognises the file as malicious and lets it execute.

Which Windows Defender Versions Are Vulnerable?

Microsoft Defender Antivirus platform versions prior to 4.18.2303.8 are vulnerable to CVE-2023-24934. The platform version (4.18.x) is a different number from the engine version (1.1.x) and the signature version, so make sure you compare the right one. To find out which platform version you are running, execute the following PowerShell command:

Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceVersion, AMEngineVersion, AMRunningMode

[Screenshot: PowerShell output showing the Windows Defender platform and engine versions]

How Can a Hacker Bypass Windows Defender?  

An attacker can delete a threat from the Windows Defender signature database by hijacking the Windows Defender update process and feeding it a forged signature update. In our example, we attempted to download and run Mimikatz, a well-known post-exploitation tool that extracts plaintext passwords, hashes and Kerberos tickets from LSASS memory on the victim's computer.

Windows Defender detected it and stopped its execution. We then pushed a fake update that removed the Mimikatz signatures from the known-threats database. After the update, we were able to download and run Mimikatz without Defender intervening.

How to Mitigate the Windows Defender Vulnerability

Patch as soon as you can: the fix ships in Microsoft Defender Antivirus platform version 4.18.2303.8, delivered through Windows Update, so confirm the platform version on every endpoint rather than assuming automatic updates have applied it. ThreatLocker customers with Application Allowlisting are still protected from unauthorized applications, such as Mimikatz, running on their systems, because allowlisting does not depend on the Defender signature database.
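The version check described above and the mitigation advice both come down to the same two questions: is the Defender platform on this host at or above the fix level, and has the signature database been updated by something other than the normal update path? The following PowerShell script is an added example, not code from the original post or from ThreatLocker. It reads the platform version from Get-MpComputerStatus and compares it against 4.18.2303.8 using PowerShell's [version] type, then lists recent security-intelligence update events (Event ID 2000 in the Defender operational log) so an analyst can spot an update whose version did not advance or that arrived outside the usual schedule. The regular expressions assume the English event-message wording; that assumption is marked in the code.

```powershell
# Added example (not part of the original post): check the Defender platform
# version against the CVE-2023-24934 fix level and review recent signature
# update events. Assumptions are noted in comments.

$FixedPlatform = [version]'4.18.2303.8'   # platform version that fixes CVE-2023-24934

function Test-DefenderPlatformPatched {
    $status = Get-MpComputerStatus
    # AMProductVersion and AMServiceVersion carry the platform version (4.18.x).
    # AMEngineVersion (1.1.x) and AntivirusSignatureVersion are different numbers
    # and must not be compared against the fix version.
    $platform = [version]$status.AMProductVersion
    [pscustomobject]@{
        Platform           = $platform
        Engine             = $status.AMEngineVersion
        Signatures         = $status.AntivirusSignatureVersion
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
        RunningMode        = $status.AMRunningMode
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        PatchedForCVE      = ($platform -ge $FixedPlatform)
    }
}

function Get-DefenderSignatureUpdateHistory {
    param([int]$Count = 20)
    # Event 2000 in the Defender operational log records each security-intelligence
    # update together with the previous and current version. A forged update applied
    # through MpSigStub.exe still goes through this path, so an update whose version
    # does not advance, or that arrives outside your normal update schedule, is worth
    # a closer look.
    # Assumption: the message uses the English "Current/Previous ... Version:" wording
    # (older builds say "signature", newer builds say "security intelligence").
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 2000
    } -MaxEvents $Count -ErrorAction SilentlyContinue | ForEach-Object {
        $cur  = if ($_.Message -match 'Current (?:security intelligence|signature) Version:\s*([\d.]+)')  { [version]$Matches[1] }
        $prev = if ($_.Message -match 'Previous (?:security intelligence|signature) Version:\s*([\d.]+)') { [version]$Matches[1] }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Previous = $prev
            Current  = $cur
            Advanced = ($cur -and $prev -and ($cur -gt $prev))
        }
    }
}

# Run the checks and warn if the platform is below the fix level.
$report = Test-DefenderPlatformPatched
$report | Format-List
if (-not $report.PatchedForCVE) {
    Write-Warning "Defender platform $($report.Platform) is below $FixedPlatform; apply the platform update."
}
Get-DefenderSignatureUpdateHistory | Format-Table -AutoSize
```

The platform comparison is the authoritative check for this CVE. The event review is a heuristic only: it will not prove that a signature was removed, but an update event with a non-advancing version, or one that does not line up with your update schedule, is the kind of anomaly a forged update through MpSigStub.exe can leave behind and is a reasonable trigger for a closer look at the signature files.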

See How Windows Defender Bypass Works 

Watch as Cybersecurity Engineer Ivan Fonseca demonstrates the bypass, removing the Mimikatz signatures from Windows Defender and then running Mimikatz:

Demonstration Timestamps

  • 0:00:09 – Run the wd-pretender.py exploit, which builds a malicious update that removes all references to Mimikatz from the Windows Defender signature database
  • 0:01:07 – Show Windows Defender flagging mimikatz.exe as malicious and preventing the download
  • 0:02:21 – wd-pretender.py has finished running and created the malicious update
  • 0:02:44 – Run MpSigStub.exe (Microsoft's signature update stub) to apply the forged update, which Windows Defender accepts as legitimate
  • 0:03:34 – Show the successful download of mimikatz.exe
  • 0:04:41 – Show the successful execution of mimikatz.exe
  • 0:05:09 – Show Mimikatz successfully dumping credentials


References:

  1. SafeBreach: detailed breakdown of the exploit
  2. Tool used in the demonstration: wd-pretender.py