Bypass Record

Obfuscation / Packing × Microsoft Defender Antivirus

A publicly reported instance of Obfuscation / Packing bypassing Microsoft Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender Antivirus
Technique: Obfuscation / Packing
MITRE ATT&CK: T1027
Confidence: High
Severity: Medium
Status: poc
Disclosed: 2024-05-29
Config / version noted: Not stated

Provenance

Reported as

bypass Microsoft Defender detection for the SharpC2 .NET drone executable

Mechanism

The SharpC2 drone.dll is obfuscated with ConfuserEx2 using rename-only obfuscation; classes that rely on .NET Reflection are excluded from renaming so the drone keeps working. The obfuscated DLL is then embedded into the final executable. According to the source, this reduces entropy and avoids the static signatures (BluntC2, Wacatac ML) that previously triggered on the unobfuscated payload.

Detection & mitigation

Monitor for .NET assemblies with high entropy or obfuscation characteristics (e.g., ConfuserEx artifacts). Implement behavior-based detection focused on reflective loading, C2 communication patterns, and anomalous process behavior. Ensure Defender's cloud-delivered protection and behavior monitoring are enabled.
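As an added example (not code from the cited source or from SharpC2), here is a Python static-triage helper for the first mitigation above: it walks a PE file's section table, computes per-section Shannon entropy, and looks for ConfuserEx artifacts such as the ConfusedByAttribute module attribute. The 7.2 bits/byte threshold and the build_sample_pe fixture are assumptions; because the source notes that this rename-only build actually lowered entropy, the marker check is the more reliable of the two signals and the entropy score is only a supporting hint.

```python
import math
import struct
from collections import Counter

# Strings ConfuserEx leaves in protected assemblies; the "ConfusedByAttribute"
# module attribute is the best-known artifact and survives rename-only mode.
CONFUSEREX_MARKERS = (b"ConfusedByAttribute", b"ConfuserEx")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for each section of a PE file; nothing if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # first section header
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def triage(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Hypothetical triage helper: marker hits plus per-section entropy (threshold is assumed)."""
    markers = [m.decode() for m in CONFUSEREX_MARKERS if m in data]
    sections = {n: round(shannon_entropy(raw), 3) for n, raw in pe_sections(data)}
    high = [n for n, e in sections.items() if e >= entropy_threshold]
    return {"markers": markers, "section_entropy": sections,
            "high_entropy_sections": high, "suspicious": bool(markers or high)}

def build_sample_pe(payload: bytes, name: bytes = b".text") -> bytes:
    """Constructed, minimal PE-shaped blob (not loadable) so the example runs offline."""
    e_lfanew, opt_size = 0x40, 0
    data_off = e_lfanew + 24 + opt_size + 40  # DOS stub + COFF header + one section header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0)
    sec = name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), data_off, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + payload
```

Run `triage(open(path, "rb").read())` over a sample to get the marker hits and per-section entropy; `build_sample_pe` only exists to exercise the parser without a real binary.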

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.