fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Defender Weakness lets Hackers Bypass Malware Detection

Microsoft Defender Weakness lets Hackers Bypass Malware Detection

Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there.

The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.

Lax permissions

Like any antivirus solution, Microsoft Defender lets users add locations (local or on the network) on their systems that should be excluded from malware scans.

People commonly make exclusions to prevent antivirus from affecting the functionality of legitimate applications that are erroneously detected as malware.

Also Read: The Importance of Data Protection Management System (DPMS)

Since the list of scanning exceptions differs from one user to another, it is useful information for an attacker on the system, since this gives them the locations where they can store malicious files without fear of being detected.

Security researchers discovered that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it.

Regardless of their permissions, local users can query the registry and learn the paths that Microsoft Defender is not allowed to check for malware or dangerous files.

No special permissions needed to read Microsoft Defender exclusions list

Antonio Cocomazzi, a SentinelOne threat researcher who is credited for reporting the RemotePotato0 vulnerability, points out that there is no protection for this information, which should be considered sensitive, and that running the “reg query” command reveals everything that Microsoft Defender is instructed not to scan, be it files, folders, extensions, or processes.

reg query command to show Microsoft Defender exclusions

Another security expert, Nathan McNulty, confirmed that the issue is present on Windows 10 versions 21H1 and 21H2 but it does not affect Windows 11.

McNulty also confirmed that one can grab the list of exclusions from the registry tree with entries that store Group Policy settings. This information is more sensitive as it provides exclusions for multiple computers.

A security architect versed in protecting the Microsoft stack, McNulty warns that Microsoft Defender on a server has “automatic exclusions that get enabled when specific roles or features are installed” and these do not cover custom locations.

Although a threat actor needs local access to get the Microsoft Defender exclusions list, this is far from being a hurdle. Many attackers are already on compromised corporate networks looking for a way to move laterally as stealthily as possible.

By knowing the list of Microsoft Defender exclusions, a threat actor that already compromised a Windows machine can then store and execute malware from the excluded folders without fear of being spotted.

Also Read:

In tests done by BleepingComputer, a malware strain executed from an excluded folder ran unhindered on the Windows system and triggered no alert from Microsoft Defender.

We used a sample of Conti ransomware and when it executed from a normal location Microsoft Defender kicked in and blocked the malware.

After placing Conti malware in an excluded folder and running it from there, Microsoft Defender did not show any warning and did not take any action, allowing the ransomware to encrypt the machine.

This Microsoft Defender weakness is not new and has been highlighted publicly in the past by Paul Bolton:

Unprotected Microsoft Defender exclusions
source: Paul Bolton

A senior security consultant says that they noticed the issue about eight years ago and recognized the advantage it provided to a malware developer.

“Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension” – Aura

Given that it’s been this long and Microsoft has yet to address the problem, network administrators should consult the documentation for properly configuring Microsoft Defender exclusions on servers and local machines via group policies.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us