Bypass Windows Defender ATP

Introduction

Last month, I was playing with Advanced Threat Protection (ATP) from Microsoft to find a technique to bypass it. Specifically, I was looking for a way to dump the LSASS process without ATP detecting it.

What is Advanced Threat Protection (ATP)

Advanced Threat Protection (ATP), now branded Microsoft Defender for Endpoint, is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:

Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.

Cloud security analytics: Leveraging big-data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.

Short Story Behind the Bypass

After analyzing the behavior of Advanced Threat Protection (ATP), I found a blind spot in "C:\Program Files". The question here is, how did I find it?

I was using Process Hacker to dump the LSASS process. I expected ATP to detect it as malicious behavior after a while, but that did not happen!

At that point, I wondered why it wasn't detected by ATP. So I took a step back and tried the portable version of Process Hacker again to dump LSASS, but this time I was caught by ATP.

At that moment I realized there was a blind spot. So I moved the portable version of Process Hacker from "C:\Users\User\Desktop" to "C:\Program Files", reran it, and dumped the LSASS process without being detected.

Proof of Concept (PoC)

Let's jump to the PoC for this bypass. I made two PoCs.

PowerShell Payload Dropper

The first uses PowerShell as a dropper to write the portable version of Process Hacker into "C:\Program Files" and run it from there. Because Process Hacker does not expose process dumping on its command line, I used the ShellWindows object to send keys to the GUI.

C#

The second is custom C# code that dumps LSASS directly, without dropping anything to disk (Process Hacker is not needed).

Test Cases

The following table shows what Advanced Threat Protection (ATP), with block mode enabled, did when I ran Process Hacker from different paths to dump the LSASS process. "Prevented" means the dump was blocked; "Detected" means an alert was raised.

Path                                                                       Prevented  Detected
C:\Users\User\Desktop                                                      True       True
C:\Program Files                                                           False      False
C:\Program Files (x86)                                                     False      False
C:\ProgramData\Microsoft\                                                  False      True
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp  False      True
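As an added example (mine, not from the post): a detection check that does not share the blind spot the table shows. Instead of keying on the directory the source binary runs from, it keys on the target being lsass.exe and on the granted access including PROCESS_VM_READ, and it is run over a few constructed records shaped like the fields of a Sysmon Event ID 10 (ProcessAccess) event. The record format, the sample events, the AllowedSources placeholder and the class name are mine; an operator would fill the allow-list from a baseline of processes that legitimately read LSASS.

```csharp
// Added example, not part of the original post. The log records below are
// constructed for this example in the shape of Sysmon Event ID 10 fields.
using System;
using System.Collections.Generic;
using System.Linq;

class LsassAccessRule
{
    // PROCESS_VM_READ (0x10) is the right MiniDumpWriteDump and Process Hacker's
    // dump need; 0x1FFFFF is PROCESS_ALL_ACCESS and includes it. A mask without
    // it (e.g. 0x1000, PROCESS_QUERY_LIMITED_INFORMATION) cannot read memory.
    const uint PROCESS_VM_READ = 0x0010;

    // Constructed sample events: the first three come from Desktop and Program
    // Files paths, which the page's table shows ATP treats differently.
    public static readonly string[] SampleEvents =
    {
        @"SourceImage=C:\Users\User\Desktop\ProcessHacker.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
        @"SourceImage=C:\Program Files\ProcessHacker.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
        @"SourceImage=C:\Program Files\Dumper\dumper.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x410",
        @"SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
        @"SourceImage=C:\Program Files\ExampleAV\avscan.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
        @"SourceImage=C:\Program Files\ProcessHacker.exe|TargetImage=C:\Windows\explorer.exe|GrantedAccess=0x1FFFFF",
    };

    // Placeholder allow-list: full image paths known to read LSASS legitimately.
    // Matched on the complete path, never on a parent directory.
    static readonly HashSet<string> AllowedSources =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"C:\Program Files\ExampleAV\avscan.exe", // hypothetical AV component
        };

    // Splits "Key=Value|Key=Value" into a case-insensitive dictionary.
    public static Dictionary<string, string> Parse(string record) =>
        record.Split('|')
              .Select(kv => kv.Split(new[] { '=' }, 2))
              .ToDictionary(p => p[0], p => p[1], StringComparer.OrdinalIgnoreCase);

    // True when the record should alert. Deliberately no test on the directory
    // of SourceImage: a process in "C:\Program Files" is judged exactly like one
    // on the Desktop. Records are expected to carry all three fields.
    public static bool IsSuspicious(string record)
    {
        var f = Parse(record);
        if (!f["TargetImage"].EndsWith(@"\lsass.exe", StringComparison.OrdinalIgnoreCase))
            return false;
        uint access = Convert.ToUInt32(f["GrantedAccess"], 16); // accepts the 0x prefix
        if ((access & PROCESS_VM_READ) == 0)
            return false;
        return !AllowedSources.Contains(f["SourceImage"]);
    }

    public static List<string> Alerts(IEnumerable<string> records) =>
        records.Where(IsSuspicious).ToList();

    static void Main()
    {
        foreach (var r in Alerts(SampleEvents))
        {
            var f = Parse(r);
            Console.WriteLine("ALERT lsass memory access: " + f["SourceImage"] + " (" + f["GrantedAccess"] + ")");
        }
    }
}
```

The rule flags the Process Hacker record from "C:\Program Files" the same way as the one from the Desktop, and the dumper with the narrow 0x410 mask too, while the svchost record (no PROCESS_VM_READ), the allow-listed AV path and the access to explorer.exe pass through. Whatever the real rule is keyed on, the table above argues for this shape: target and access rights first, source path only as an exact-match exception.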

Note

Tested on Windows 11 Pro.

- OS build: 10.0.22000.

- Version: 21H2.

Advanced Threat Protection (ATP).

- Block mode: Enabled.

Posted on 10/28/2022.

Last update on 10/30/2022.
