Evading Microsoft Defender Static Analysis
This module shows how XOR, RC4 and AES encryption of the shellcode can be used to bypass Microsoft Defender's static analysis engine. At this point in the modules the payload is not executed; it is only printed to the console. The module therefore focuses specifically on static/signature evasion.
This module uses four code samples, which are available for download. Each sample embeds Msfvenom-generated shellcode.
- Raw Shellcode - Detected by Defender
- XOR Encrypted Shellcode - Evades Defender successfully
- AES Encrypted Shellcode - Evades Defender successfully
- RC4 Encrypted Shellcode - Evades Defender successfully
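The following C program is an added illustration of the idea behind the encrypted samples above; it is not one of the module's downloadable samples. It covers the XOR and RC4 variants only (AES needs a library such as CNG or an embedded implementation and is omitted here). The "shellcode" is a constructed 16-byte stand-in, not Msfvenom output, and the keys are hypothetical. The point it demonstrates is the one the list above makes: after encryption the raw bytes a signature would match on no longer appear in the binary's data, while the same routine recovers them at runtime. Each variant is wrapped in a self-check function so the result can be verified rather than just printed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for msfvenom output (xor rax,rax; add rax,42; ret; nops; int3s).
   It is NOT real shellcode; it only gives the encryptors something to hide. */
static const uint8_t kSampleShellcode[] = {
    0x48, 0x31, 0xC0, 0x48, 0x83, 0xC0, 0x2A, 0xC3,
    0x90, 0x90, 0x90, 0x90, 0xCC, 0xCC, 0xCC, 0xCC
};

/* Hypothetical keys; a real sample should use a fresh key per build. */
static const uint8_t kXorKey[] = { 0x5A, 0xA3, 0x17, 0x9C };
static const uint8_t kRc4Key[3] = { 'K', 'e', 'y' };

/* Repeating-key XOR: the same call both encrypts and decrypts. */
void xor_crypt(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* RC4 (KSA + PRGA), also symmetric. Adequate for hiding bytes from a
   signature scanner; never use it where real confidentiality is needed. */
void rc4_crypt(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen) {
    uint8_t S[256];
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {           /* key-scheduling */
        j = (j + S[i] + key[i % keylen]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t n = 0, i = 0, j = 0; n < len; n++) { /* keystream generation */
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        buf[n] ^= S[(S[i] + S[j]) & 0xFF];
    }
}

/* Naive byte-pattern search, standing in for a static signature match. */
int contains_pattern(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m) {
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

static void print_hex(const char *label, const uint8_t *p, size_t n) {
    printf("%-10s", label);
    for (size_t i = 0; i < n; i++) printf("%02X ", p[i]);
    printf("\n");
}

/* XOR-encrypt the sample, confirm the first 8 plaintext bytes (our "signature")
   are gone from the ciphertext, decrypt, and confirm the round trip. 1 = ok. */
int xor_hides_signature(void) {
    uint8_t buf[sizeof kSampleShellcode];
    memcpy(buf, kSampleShellcode, sizeof buf);
    xor_crypt(buf, sizeof buf, kXorKey, sizeof kXorKey);
    if (contains_pattern(buf, sizeof buf, kSampleShellcode, 8)) return 0;
    xor_crypt(buf, sizeof buf, kXorKey, sizeof kXorKey);
    return memcmp(buf, kSampleShellcode, sizeof buf) == 0;
}

/* Same check with RC4, preceded by the published RC4 test vector
   (key "Key", plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF 0A D3). 1 = ok. */
int rc4_hides_signature(void) {
    static const uint8_t expect[] = { 0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3 };
    uint8_t vec[9];
    memcpy(vec, "Plaintext", 9);
    rc4_crypt(vec, 9, kRc4Key, sizeof kRc4Key);
    if (memcmp(vec, expect, 9) != 0) return 0;

    uint8_t buf[sizeof kSampleShellcode];
    memcpy(buf, kSampleShellcode, sizeof buf);
    rc4_crypt(buf, sizeof buf, kRc4Key, sizeof kRc4Key);
    if (contains_pattern(buf, sizeof buf, kSampleShellcode, 8)) return 0;
    rc4_crypt(buf, sizeof buf, kRc4Key, sizeof kRc4Key);
    return memcmp(buf, kSampleShellcode, sizeof buf) == 0;
}

int main(void) {
    uint8_t buf[sizeof kSampleShellcode];
    print_hex("raw:", kSampleShellcode, sizeof kSampleShellcode);
    memcpy(buf, kSampleShellcode, sizeof buf);
    xor_crypt(buf, sizeof buf, kXorKey, sizeof kXorKey);
    print_hex("xor:", buf, sizeof buf);      /* this is what would sit in .rdata */
    memcpy(buf, kSampleShellcode, sizeof buf);
    rc4_crypt(buf, sizeof buf, kRc4Key, sizeof kRc4Key);
    print_hex("rc4:", buf, sizeof buf);
    printf("xor ok: %d, rc4 ok: %d\n", xor_hides_signature(), rc4_hides_signature());
    return 0;
}
```

In a real sample only the encrypted array and the key are compiled into the binary; the decrypt call runs at start-up. Note the limit of what this buys: it defeats a scan of the file on disk, but the moment the bytes are decrypted they are back in memory in the clear, which is why the module keeps the payload unexecuted and treats this strictly as static evasion.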
The sections below show the binaries being executed and Microsoft Defender's response. Recall that Microsoft Defender has a pre-configured exclusion for the