How to fool the Microsoft Defender and other anti-virus systems.
During the Penetration Testing, if you come across a Windows OS, in most cases it will be protected at least by the basic anti-virus system called "Microsoft Defender". In this article, you will learn how to bypass it and some of the other anti-viruses to avoid seeing the below message:
The operation did not complete successfully because the file contains a virus or potentially unwanted software.
BEFORE YOU START
- You should turn off Automatic sample submission to not deliver the samples to Microsoft during the test.
- Additionally, you should turn off the real-time protection or add the working directory to the Microsoft Defender Exclusion list.
Foothold can be obtained in two ways using malware delivery.
1. SOCIAL ENGINEERING
In all of the following techniques, the victim should be persuaded to perform additional actions, such as clicking on the downloaded malware or hooking up an external device. Some examples are provided below:
- Delivering the malware using the email with a malicious attachment.
For example, it could be a Microsoft Word Document with macro.
- Sending the victim a download link to the malware.
- Connecting an external device to the organization's machine.
2. EXPLOITING A VULNERABLE WEBSERVER
Another approach may be to try to exploit one of the organization’s machines by uploading malware directly to the webserver and trying to execute it.