About Windows Defender and the Bypass Vulnerability
Many organizations rely on Windows Defender as their only line of defense. At its core, Windows Defender uses a signature-based blocklist approach to stop threats: when a file is downloaded or is about to execute, Defender compares it against its database of known-threat signatures. If a signature matches, the file is flagged as malicious and blocked.
Below we demonstrate how the Windows Defender signature-update process can be abused to remove a threat's signatures from that database. Once the signatures are gone, Defender no longer recognizes the file as malicious and neither flags it nor stops it from executing.
Which Versions of Windows Defender Are Vulnerable?
Microsoft Defender antimalware platform versions prior to 4.18.2303.8 are vulnerable to CVE-2023-24934. To find out which platform, service, engine, and signature versions you are running, execute the following PowerShell command (AMProductVersion is the platform version to compare against 4.18.2303.8):
Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceVersion, AMEngineVersion, AntivirusSignatureVersion
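The one-liner above only prints the version strings; deciding whether a host is exposed still requires a numeric comparison against 4.18.2303.8. The following script is an added example (not code from the original article or from the researchers) that performs that comparison the way a practitioner would, and notes that a plain string comparison is not safe here: `[version]` compares each dotted field numerically, whereas a string comparison would order `4.18.2303.8` after `4.18.23010.1`. The function name `Test-DefenderPlatformPatched` is our own; the property names (`AMProductVersion`, `AMServiceVersion`, `AMEngineVersion`, `AntivirusSignatureVersion`, `AntivirusSignatureLastUpdated`) are those returned by `Get-MpComputerStatus`.

```powershell
# Added example (not from the original article): report whether this host's
# Microsoft Defender antimalware platform is older than 4.18.2303.8, the first
# platform version that addresses CVE-2023-24934.
$FixedPlatform = [version]'4.18.2303.8'

function Test-DefenderPlatformPatched {
    param(
        # Platform version string as reported by Get-MpComputerStatus, e.g. '4.18.2302.7'
        [Parameter(Mandatory)][string]$AMProductVersion,
        [version]$Fixed = $FixedPlatform
    )
    # Cast to [version] so each dotted field is compared as a number.
    # A string comparison would wrongly sort '4.18.23010.1' before '4.18.2303.8'.
    $current = [version]$AMProductVersion
    return [pscustomobject]@{
        PlatformVersion = $current
        FixedVersion    = $Fixed
        Patched         = ($current -ge $Fixed)
    }
}

# Query the local Defender status (Windows only; requires the Defender PowerShell module).
$status = Get-MpComputerStatus
$result = Test-DefenderPlatformPatched -AMProductVersion $status.AMProductVersion

# Show the versions an analyst would record for the host.
$status | Select-Object AMProductVersion, AMServiceVersion, AMEngineVersion,
    AntivirusSignatureVersion, AntivirusSignatureLastUpdated | Format-List

if ($result.Patched) {
    Write-Host "Defender platform $($result.PlatformVersion) includes the fix for CVE-2023-24934."
}
else {
    Write-Warning ("Defender platform $($result.PlatformVersion) is older than " +
        "$($result.FixedVersion) and is exposed to CVE-2023-24934. Install the latest " +
        "'Update for Microsoft Defender antimalware platform' (KB4052623) via Windows Update.")
}
```

Run it from an elevated PowerShell prompt on each host you want to assess; `Test-DefenderPlatformPatched` can also be fed version strings collected from an inventory tool if you would rather evaluate a fleet offline.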
How Can a Hacker Bypass Windows Defender?
An attacker can delete a threat from the Windows Defender signature database by hijacking the Windows Defender update process. In our example, we attempted to download and run Mimikatz, a well-known post-exploitation tool that extracts plaintext passwords, hashes, and Kerberos tickets from LSASS memory on the victim's computer.
Windows Defender detected it and stopped its execution. We then pushed a crafted update that removed the Mimikatz signatures from the known-threats database. After that update was applied, we were able to download and run Mimikatz unhindered.
How to Mitigate the Windows Defender Vulnerability
Update the Microsoft Defender antimalware platform to version 4.18.2303.8 or later as soon as possible; the platform update is delivered through Windows Update. ThreatLocker customers with Application Allowlisting are still protected from unauthorized applications, such as Mimikatz, running on their systems, because allowlisting does not depend on Defender's signature database.
See How Windows Defender Bypass Works
Watch as Cybersecurity Engineer Ivan Fonseca demonstrates bypassing Windows Defender's signature detection and allowing Mimikatz to run:
- 0:00:09 – Run the wd-pretender.py exploit, creating a malicious update that removes all references to Mimikatz from the Windows Defender signature database
- 0:01:07 – Show Windows Defender flagging mimikatz.exe as malicious and preventing the download
- 0:02:21 – wd-pretender.py has finished running and created the malicious update
- 0:02:44 – Run MpSigStub.exe, the Defender signature-update stub, which applies the crafted update as if it were legitimate
- 0:03:34 – Show successful download of mimikatz.exe
- 0:04:41 – Show successful execution of mimikatz.exe
- 0:05:09 – Show Mimikatz successfully dumping credentials
- For a detailed breakdown of the exploit, read the SafeBreach article on CVE-2023-24934
- Tool used in the demonstration: wd-pretender.py