Obfuscation / Packing × Microsoft Windows Defender

A publicly-reported instance of Obfuscation / Packing bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows Defender

Technique

Obfuscation / Packing

MITRE ATT&CK

T1027

Confidence

High

Severity

Medium

Status

poc

Disclosed

2024-06-26

Config / version noted

Not stated

Provenance

kaganeglence.com
disclosed 2024-06-26 · original source · via raw

Reported as

bypassing signature-based detection in Windows Defender... defeats static signature-based detection

Mechanism

Shellcode is encrypted with a static XOR key, embedded in a Go binary, decrypted at runtime, and executed in memory using VirtualProtect to change memory permissions. This defeats static signature-based detection because the encrypted payload does not match known malware signatures.

Detection & mitigation

Monitor for processes making suspicious VirtualProtect calls with PAGE_EXECUTE_READWRITE permissions, especially from unsigned or newly created binaries. Enable AMSI and behavioral analysis to detect in-memory shellcode execution patterns.

Obfuscation / Packing has also been recorded against

Bitdefender Elastic ESET

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.