
Windows Defender - Demystifying and Bypassing ASR by Understanding the AV's Signatures

Black Hat via YouTube

Overview

This course aims to help learners understand and bypass Attack Surface Reduction (ASR) in Windows Defender by delving into the antivirus software's signature format. By the end of the course, students will be able to identify and exploit vulnerabilities in ASR rules, analyze Windows Defender signatures, and develop techniques for signature evasion. The course covers topics such as ASR implementation, signature modules, threat analysis, and update mechanisms. The teaching method includes theoretical explanations, practical demonstrations, and hands-on exercises. This course is intended for cybersecurity professionals, penetration testers, system administrators, and anyone interested in understanding antivirus evasion techniques.

Syllabus

Intro
ASR: Attack Surface Reduction
Journey
Windows Defender 101
Exploring WD internals
WD: instrumentation
Test your skills!
Hunting for ASR rule implementation
Windows Defender signatures
Reading LUA scripts
ASR: Implementation?
ASR implementation: 2 ways
ASR Test Tool: implementation
ASR: working test
ASR: exclusion
ASR: additional bypass
ASR: oddities
Signature format
Signatures modules
Specific Threats
Signature: LUA
Signature: DBVAR
Signatures: update
Update rhythm
Update: oddities
Update: diffing - Friendly Files
Update diffing: C&C
Update diffing: unnecessary changes

Taught by

Black Hat
