Bypass Record

Masquerading × Microsoft Windows Defender

A publicly reported instance of Masquerading bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Masquerading
MITRE ATT&CK: T1036
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-12-28
Config / version noted: Not stated

Provenance

Reported as

Defender scans only the primary file stream but does not inspect the ADS content, allowing the malicious shellcode to remain undetected.

Mechanism

The loader uses CreateFileA to open a legitimate file's alternate data stream (ADS, e.g., legit.txt:hidden.bin), reads the raw shellcode with ReadFile, allocates RWX memory via VirtualAlloc, and executes it via a function pointer. Windows Defender scans the primary file stream but does not inspect the ADS content, so the shellcode remains undetected.

Detection & mitigation

Monitor for processes writing to NTFS Alternate Data Streams (ADS) via Sysmon Event ID 15 (FileCreateStreamHash) or Event ID 11 (FileCreate) where the target filename carries a stream name, especially when followed by suspicious memory allocation (VirtualAlloc) and execution. Mitigation includes restricting ADS usage via AppLocker or Windows Defender Application Control (WDAC) and enabling real-time scanning of all file streams.
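A defender-side illustration of the Sysmon check above, added here and not drawn from the cited source: it parses a Sysmon XML export, keeps Event ID 15 and 11 records whose TargetFilename names an ADS, and drops the routine Zone.Identifier stream. The sample events, paths and process names are constructed.

```python
# Added example (not from the cited source): flag Sysmon EID 15/11 records that write a non-routine NTFS ADS.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Zone.Identifier (mark-of-the-web) is written constantly by browsers and Explorer; other stream names are rare.
BENIGN_STREAMS = {"Zone.Identifier"}
# <drive>:\<path>:<stream>[:$DATA]; the stream part may not contain ':' or '\'.
ADS_RE = re.compile(r"^([A-Za-z]:\\[^:]*):([^:\\]+?)(?::\$DATA)?$")

# Constructed sample in Sysmon's XML export format (paths and process names are made up).
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>15</EventID></System><EventData>
<Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\Downloads\report.pdf:Zone.Identifier</Data>
</EventData></Event>
<Event><System><EventID>15</EventID></System><EventData>
<Data Name="Image">C:\Users\alice\AppData\Local\Temp\stage.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\Documents\legit.txt:hidden.bin</Data>
</EventData></Event>
<Event><System><EventID>11</EventID></System><EventData>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\Documents\notes.txt</Data>
</EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Return (event_id, {field: value}) for every Sysmon event in the export."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((eid, fields))
    return events

def split_ads(target):
    """Split a 'file:stream' target into (file, stream); None for a primary-stream path."""
    m = ADS_RE.match(target)
    return (m.group(1), m.group(2)) if m else None

def suspicious_ads_writes(xml_text):
    """Stream creations (EID 15) or file creations (EID 11) landing in a non-Zone.Identifier ADS."""
    hits = []
    for eid, f in parse_events(xml_text):
        parsed = split_ads(f.get("TargetFilename", "")) if eid in (11, 15) else None
        if parsed and parsed[1] not in BENIGN_STREAMS:
            hits.append({"image": f.get("Image"), "file": parsed[0], "stream": parsed[1]})
    return hits
```

Each hit should be correlated with the writing process's later behaviour; a stream written by a browser into a download and one written by an unsigned binary in a temp directory deserve very different triage.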


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.