Full Report
A new tool called 'Defendnot' can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed. [...]
Analysis Summary
# Tool/Technique: Defendnot
## Overview
Defendnot is a publicly released tool designed to trick the Windows Security Center (WSC) API into disabling Microsoft Defender by registering a fake, but otherwise valid, antivirus product. It demonstrates a method for subverting built-in security features.
## Technical Details
- Type: Tool / Evasion Technique
- Platform: Windows
- Capabilities: Disables Microsoft Defender by spoofing WSC registration; persistence mechanism via Task Scheduler; configuration via `ctx.bin`.
- First Seen: Not explicitly dated in the text; recent relative to the article's publication.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- **T1562.001 - Impair Defenses: Disable or Modify Tools** (registering a fake antivirus with WSC so that Microsoft Defender turns itself off)
- **T1055 - Process Injection** (DLL injection into the signed Microsoft binary `Taskmgr.exe`; the text does not state which injection sub-technique is used)
- **TA0003 - Persistence**
- **T1053.005 - Scheduled Task/Job: Scheduled Task** (logon-triggered task created via Windows Task Scheduler after a successful run)
## Functionality
### Core Capabilities
- **WSC API Abuse:** Registers a dummy antivirus product with the Windows Security Center (WSC) in a way that satisfies the caller-validation checks WSC applies to registering products, so the registration is accepted as legitimate.
- **Disabling Defender:** WSC then treats the fake product as the system's active antivirus. Microsoft Defender, which by design stands down when a third-party antivirus is registered, turns off its real-time protection even though no real antivirus is present.
- **Persistence:** After a successful run it creates a logon-triggered entry in Windows Task Scheduler so that the registration is re-applied each time the user logs in.
### Advanced Features
- **Process Injection:** Bypasses security checks (like Protected Process Light - PPL and signature validation) by dynamically injecting its required DLL into a trusted, signed system process, specifically `Taskmgr.exe`.
- **Configuration File:** Utilizes a `ctx.bin` file to pass configuration data, allowing users to set the spoofed antivirus name, disable registration, and enable verbose logging.
- **Self-Contained Development:** Built from scratch to avoid DMCA issues encountered by its predecessor (`no-defender`), which relied on third-party vendor code.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified in the text, though configuration file is `ctx.bin`]
- Registry Keys: [Not explicitly detailed in the text. The persistence is a scheduled task, and task definitions are recorded under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache`; the WSC registration itself is visible through the `root\SecurityCenter2` WMI namespace rather than a documented registry key.]
- Network Indicators: [None specified in the text]
- Behavioral Indicators:
  - DLL injection into `Taskmgr.exe` (a remote thread created in that process by a non-Microsoft image).
  - Creation of a new logon-triggered task in Windows Task Scheduler.
  - API calls that register an antivirus product with, or change the state of, the Windows Security Center (WSC), and the resulting appearance of an unfamiliar `AntiVirusProduct` entry in `root\SecurityCenter2`.
  - Microsoft Defender real-time protection switching off on a host where no third-party antivirus was deployed.
  - Microsoft Defender detection name: 'Win32/Sabsik.FL.!ml'.
## Associated Threat Actors
- Primarily described as a research project by security researcher 'es3n1n'. Associated threat actors are not explicitly named, but its capabilities are relevant for criminal groups.
## Detection Methods
- Signature-based detection: Microsoft Defender currently detects and quarantines the tool as 'Win32/Sabsik.FL.!ml'. The `!ml` suffix marks a machine-learning generic detection rather than a dedicated signature, and the tool is open source, so a rebuilt or modified copy should not be assumed to trigger it.
- Behavioral detection: Monitor for remote thread creation or DLL injection into `Taskmgr.exe`, for calls to the WSC registration APIs and new `AntiVirusProduct` entries in `root\SecurityCenter2`, for new logon-triggered scheduled tasks, and for Defender's own "real-time protection disabled" events on hosts with no third-party antivirus.
- YARA rules: [Not available based on the summary]
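The following triage script is an added example written for this summary; it is not code from the Defendnot project or from the article. It runs the checks listed above on a single host from an elevated PowerShell session: it lists every antivirus product registered with WSC and flags any name not in `$KnownAvNames` (an assumed allow-list you must adjust for your estate), reports Defender's running mode, lists logon-triggered scheduled tasks outside the `\Microsoft\` folder, and pulls Sysmon CreateRemoteThread events (Event ID 8) targeting `Taskmgr.exe` plus Defender Event ID 5001 (real-time protection disabled). It assumes Sysmon is installed with Event ID 8 logging enabled; the `productState` decoding is the commonly used community interpretation of that undocumented bit field, not a Microsoft specification.

```powershell
# Added example (editor's own, not code from the Defendnot project or the article).
# Host triage for the behaviours described in this report. Run elevated on Windows 10/11.
# Assumptions: Sysmon is present with Event ID 8 (CreateRemoteThread) enabled, and
# $KnownAvNames holds the AV products that are expected on this host.

$KnownAvNames = @('Windows Defender', 'Microsoft Defender Antivirus')   # assumption: tune per estate

function Get-WscAvProducts {
    # WSC registrations are exposed through the root\SecurityCenter2 WMI namespace.
    # productState is an undocumented bit field; the widely used decoding reads the
    # middle byte (0x10 = enabled) and the low byte (0x00 = signatures up to date).
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                DisplayName = $_.displayName
                Enabled     = $hex.Substring(2, 2) -eq '10'
                UpToDate    = $hex.Substring(4, 2) -eq '00'
                ExePath     = $_.pathToSignedProductExe
                Unexpected  = $KnownAvNames -notcontains $_.displayName
            }
        }
}

function Get-DefenderState {
    # Defender reports passive or disabled mode once another AV is registered with WSC.
    Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
}

function Get-LogonTasks {
    # Logon-triggered tasks outside \Microsoft\ match the persistence shape described above.
    Get-ScheduledTask | Where-Object {
        $_.TaskPath -notlike '\Microsoft\*' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    } | ForEach-Object {
        [pscustomobject]@{
            TaskName = $_.TaskName
            TaskPath = $_.TaskPath
            Author   = $_.Author
            Execute  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

function Get-TaskmgrInjectionEvents {
    param([int]$Hours = 24)
    # Sysmon Event ID 8 (CreateRemoteThread) with Taskmgr.exe as the target is the
    # injection indicator; SourceImage is the suspected injector.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 8
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.TargetImage -like '*\Taskmgr.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                SourceImage = $data.SourceImage
                TargetImage = $data.TargetImage
                StartModule = $data.StartModule
            }
        }
    }
}

function Get-DefenderRtpDisabledEvents {
    param([int]$Hours = 24)
    # Defender writes Event ID 5001 to its Operational channel when real-time protection is turned off.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Run every check; an unexpected WSC product together with Defender in passive/disabled
# mode and a fresh logon task is the combination this report describes.
Write-Host '== AV products registered with WSC =='
Get-WscAvProducts | Format-Table -AutoSize
Write-Host '== Defender state =='
Get-DefenderState | Format-List
Write-Host '== Logon-triggered scheduled tasks outside \Microsoft\ =='
Get-LogonTasks | Format-Table -AutoSize
Write-Host '== Remote threads created in Taskmgr.exe (Sysmon 8, last 24h) =='
Get-TaskmgrInjectionEvents | Format-Table -AutoSize
Write-Host '== Defender real-time protection disabled (Event 5001, last 24h) =='
Get-DefenderRtpDisabledEvents | Format-Table -AutoSize
```

The WSC product list is the highest-signal check: a registered antivirus whose display name is not in your inventory, and whose `pathToSignedProductExe` does not point at a product you deployed, is exactly the artefact the technique leaves behind. Treat the `productState` decoding as a heuristic and confirm with `Get-MpComputerStatus` before acting on it.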
## Mitigation Strategies
- **Application Control:** The text describes no supported setting that restricts which applications may register with the WSC API, so the practical control is upstream: the tool's injector has to run on the host first, and WDAC or AppLocker policies that block unsigned or unapproved executables stop it at that step.
- **Monitoring Process Integrity:** Monitor for unauthorized process injection, especially remote thread creation into trusted Microsoft binaries such as `Taskmgr.exe` (for example Sysmon Event ID 8), and alert when the source image is not a known, signed component.
- **Endpoint Hardening:** Keep EDR coverage in place to catch the logon-triggered scheduled task (Windows Security Event ID 4698, task created) and Defender's own Event ID 5001 (real-time protection disabled) on hosts where no third-party antivirus is expected. Do not rely on the current Defender detection alone: it is a generic ML verdict against an open-source tool and may not fire on a rebuilt binary.
## Related Tools/Techniques
- **no-defender:** The predecessor tool by the same developer, which was taken down via DMCA for reusing third-party antivirus code.