Overview
For a long-time CTF player (or HackTheBox lab machine player), things go a little differently in a real-world scenario, meaning a well-defended Windows machine.
This article summarizes the main Windows defense mechanisms, so you have an understanding of what you may encounter along the way.
Of course Linux machines install anti-virus software too, but because of its huge market share and for historical reasons (Windows being the main target of attacks), Windows is the one we’re going to talk about here.
We’re going to discuss Windows’ built-in anti-virus product and the companion protections Microsoft has added to improve Windows system security. These include Windows Defender, AppLocker, Attack Surface Reduction (ASR), and Windows Defender Application Control (WDAC).
At the time of writing, the ones mentioned above are the built-in defense line for cutting-edge Windows workstations and servers.
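As an added example (not code from the original post), here is a PowerShell audit that reports whether each of the four mechanisms named above is actually active on a host: Defender real-time protection, configured ASR rules and their actions, AppLocker enforcement mode per rule collection, and WDAC code-integrity enforcement. It uses only built-in cmdlets and the Win32_DeviceGuard WMI class; the function name Get-WindowsDefenseStatus is my own.

```powershell
# Added example: audit the four built-in defenses discussed in this article.
# Run in an elevated PowerShell session on the host being assessed.

function Get-WindowsDefenseStatus {
    $result = [ordered]@{}

    # 1. Windows Defender (Microsoft Defender Antivirus): engine, real-time and behavior monitoring
    $mp = Get-MpComputerStatus
    $result.DefenderAntivirusEnabled   = $mp.AntivirusEnabled
    $result.DefenderRealTimeProtection = $mp.RealTimeProtectionEnabled
    $result.DefenderBehaviorMonitoring = $mp.BehaviorMonitorEnabled
    $result.DefenderSignatureAge       = (Get-Date) - $mp.AntivirusSignatureLastUpdated

    # 2. Attack Surface Reduction: Get-MpPreference exposes parallel arrays of rule GUIDs
    #    and actions (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $asr  = @()
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' } }
        $asr += [pscustomobject]@{ RuleId = $ids[$i]; Action = $action }
    }
    $result.AsrRulesConfigured = $asr.Count
    $result.AsrRulesBlocking   = @($asr | Where-Object Action -eq 'Block').Count

    # 3. AppLocker: the effective policy XML carries an EnforcementMode per rule collection
    #    (Exe, Msi, Script, Dll, Appx). The cmdlet is absent on Home SKUs, hence the try/catch.
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml
        $result.AppLockerEnforced = @($pol.AppLockerPolicy.RuleCollection |
            Where-Object EnforcementMode -eq 'Enabled' | ForEach-Object Type)
    } catch {
        $result.AppLockerEnforced = 'not available'
    }

    # 4. WDAC: Win32_DeviceGuard reports code integrity policy enforcement
    #    (0 = Off, 1 = Audit mode, 2 = Enforced) for user mode and kernel mode
    $dg    = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $modes = @('Off', 'Audit', 'Enforced')
    $result.WdacUserModeEnforcement   = $modes[$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    $result.WdacKernelModeEnforcement = $modes[$dg.CodeIntegrityPolicyEnforcementStatus]

    [pscustomobject]$result
}

Get-WindowsDefenseStatus | Format-List
```

A host where every field reads enabled/Block/Enabled/Enforced is the "well defended" baseline the rest of this article assumes; anything reporting Off, Audit or "not available" is a gap worth recording in the assessment.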
We may discuss bypass techniques in detail in the future, but that is not the purpose of this article.
Let’s dive in.
Don’t Believe What You Hear
It will be a lot harder than simply dropping someone an email with a malicious attachment and getting a reverse shell or a beacon. Tricking someone into opening the attachment and running the payload is the far easier part. The moment after the click, if the payload is a raw one with no evasion technique applied, nearly 100% of the time it will be snatched by the first and most basic defense mechanism: Windows Defender.
Windows Defender is enabled by default on all current Microsoft Windows product lines (legacy Windows 7 and 8 are off topic here). So getting a foothold on a Windows machine isn’t as trivial as it looks and requires a lot more effort.
An example of a default Metasploit payload being detected and removed (the Windows VM uses default settings, with no tweaking of any kind).
Generating the payload.
The moment it touches the disk on a Windows 10 workstation, Windows Defender pops up and removes the file.
Vanilla Beacon?
Way too easy for Windows Defender.
Windows Defense Mechanisms
Let’s look into them one by one.