Bypass Record

Obfuscation / Packing × Microsoft Windows Defender

A publicly-reported instance of Obfuscation / Packing bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Obfuscation / Packing
MITRE ATT&CK: T1027
Confidence: High
Severity: Medium
Status: poc
Disclosed: 2024-02-27
Config / version noted: Not stated

Provenance

Reported as

generates beacons designed to evade antivirus detection, specifically bypassing Windows Defender

Mechanism

The Cobalt Strike plugin uses Zig to compile a stripped, single-threaded beacon executable that evades Windows Defender's signature-based detection. It integrates into Cobalt Strike's attack menu so that such beacons can be generated quickly.

Detection & mitigation

Use endpoint telemetry and static file analysis to monitor for newly created executables with high entropy, unusual section characteristics, or low prevalence in the environment. Deploy application control policies and keep antivirus signatures updated so that packed or obfuscated payloads are detected.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.