20. Evading Microsoft Defender Static Analysis

Introduction

This module walks through an example that uses the XOR, RC4, and AES encryption algorithms to bypass Microsoft Defender's static analysis engine. At this point in the course, the payload is not executed; it is simply printed to the console. This module therefore focuses specifically on static (signature-based) evasion.
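Why a byte signature stops matching once the payload is encrypted, and what a static scanner can still measure, as an added example that is not part of the module's code samples: it runs a constructed byte pattern (not real shellcode) through a signature check and a Shannon-entropy check before and after repeating-key XOR and textbook RC4. The sample pattern, the key values and the 7.0 bits-per-byte threshold are all constructed for the demonstration.

```python
import math
from collections import Counter

# Constructed stand-in for a payload (not real shellcode): a repetitive,
# low-entropy byte pattern, as an unencrypted msfvenom blob tends to be.
SAMPLE_PAYLOAD = (bytes(range(32)) + b"\xcc" * 32) * 16      # 1024 bytes
# Constructed static "signature": a byte pattern lifted from the cleartext.
SIGNATURE = SAMPLE_PAYLOAD[:24]
# Constructed keys; any values would do for the demonstration.
XOR_KEY = b"\x5a\x13\x9f"
RC4_KEY = b"constructed-demo-key"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the transform the module's XOR sample applies."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rc4(data: bytes, key: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def signature_hit(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a byte-pattern signature sees: an exact substring match or nothing."""
    return signature in blob

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte over the blob; 8.0 is the ceiling for uniform random data."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def assess(blob: bytes, high_entropy_threshold: float = 7.0) -> dict:
    """Two static checks a scanner can run without executing anything."""
    e = shannon_entropy(blob)
    return {"signature": signature_hit(blob), "entropy": round(e, 2),
            "looks_encrypted": e >= high_entropy_threshold}
```

Repeating-key XOR defeats the signature but leaves the entropy low, so an entropy heuristic alone will not flag it; RC4 (and likewise AES) output looks random and does trip it, which is why static scanners also weigh high-entropy sections rather than relying on byte signatures only.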

Code Samples

This module uses four code samples, which are available for download. Each embeds a Msfvenom-generated shellcode.

  1. Raw Shellcode - Detected by Defender
  2. XOR Encrypted Shellcode - Evades Defender successfully
  3. AES Encrypted Shellcode - Evades Defender successfully
  4. RC4 Encrypted Shellcode - Evades Defender successfully

The sections below show each binary being executed and Microsoft Defender's response. Recall that Microsoft Defender has a pre-configured exclusion for the C:\Users\MalDevUser\Desktop\Module-Code folder.

XOR Encryption

AES Encryption

RC4 Encryption