Bypass Windows Defender ATP

Introduction

Last month, I was playing with Advanced Threat Protection (ATP) from Microsoft to figure out some technique to bypass it. I was looking for a way to avoid ATP and dump the LSASS process without being detected.

What is Advanced Threat Protection (ATP)

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:

Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.

Cloud security analytics: Leveraging big-data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.

Short Story Behind the Bypass

After analyzing the behavior of Advanced Threat Protection (ATP), I found a blind spot in "C:\Program Files". The question here is, how did I find it?

Actually, I was using Process Hacker to dump the LSASS process. After a while, I expected ATP to detect it as a malicious action/behavior, but it did not happen!

At that point, I wondered why it wasn't detected by ATP. So I took a step back and tried the portable version of Process Hacker again to dump LSASS, but I was caught by ATP in this time.

From this moment, I realized that there was a blind spot. So I moved the portable version of Process Hacker from "C:\Users\User\Desktop" to "C:\Program Files" reran it, and dumped the LSASS process without being detected this time.

Proof of Concept (PoC)

Let's jump to the PoC for this bypass. I made two PoCs.

Powershell Payload Dropper

The first was by Powershell as a dropper to drop the portable version of Process Hacker to "C:\Program Files". Because Process Hacker does not support the command line, I used the ShellWindows object to send keys to the GUI.

Offensive-Snippets/PowerShell/Bypass_Windows_Defender_ATP_To_Dump_LSASS_PoC.ps1 at main · 0xAbdullah/Offensive-SnippetsGitHub

C#

The second is by Custom C# code without dropping anything -You don't need to use Process Hacker-.

Let's Meme it

Test Cases

In the following table, some actions were taken by Advanced Threat Protection (ATP) -Block mode enabled- with different paths when I ran Process Hacker to dump the LSASS process.

Note

Tested on Windows 11 Pro.

- OS build: 10.0.22000.

- Version: 21H2.

Advanced Threat Protection (ATP).

- Block mode: Enabled.

Posted on 10/28/2022.

Last update on 10/30/2022.

References

Microsoft Defender for Endpoint - Microsoft Defender for EndpointMicrosoftLearn

ShellWindows object (Exdisp.h) - Win32 appsMicrosoftLearn

What’s new in Windows Defender ATP | Microsoft Security BlogMicrosoft Security Blog