Defender Bypass With .PIF Extensions

Learn a new method for bypassing Windows Defender security mechanisms using PIF extensions.

Defender Bypass With .PIF Extensions

Hello Secjuice drinkers, this time x0xr00t returns with a method to bypass windows defender security mechanisms. The method I discovered myself a couple of months back when I first found and tested it.

We create obfuscated powershell code and pipe it with powershell $(), convert that to b64 we pipe it with powershell $() , we also need b64 decode.ps1 with powershell $() pipe, and convert that ps1 file to a exe, then rename this to .pif (.pif = shortcut msdos) which exec as a exe.

We can exec ps code from low restricted user with this methods. Thus we are bypassing the security mechanism of defender and exec ps code whilst, we are on a low user that is restricted from ps execution. A threat actor could use this method to deliver their payloads. If a threat actor ties to this, a file-less delivery of a local exploit that's not patched, or 0day, the threat actor then can escalate up to admin, where he|she, then can automate the stealing of system process id's, to gain full control on the kernel level, after this he|she can deliver let's say a ransomware package to file-lock the system.

To back up my claim of the automation stealing process I submitted a fully weaponized UAC bypass code to MSRC, that has an automated phase of stealing the process id ,to gain NT Authority system, and renamed windows defender folders to windows fuck. MSRC has this piece of code handed to the MSRC UAC devel team for future development and improvement of the UAC.

Microsoft Security Response Center
"Hi Patrick, Thanks again for submitting your report. After further evaluation, I have forwarded your report to the UAC team for awareness and potential opportunity for future review to improve our product"

I'm not gonna release the files submitted to MSRC, nor will I release the files that automate the NT Authority impersonation process to get kernel levels, which rename defender into windows fuck, nor will I release the crafted sl0ppy-oppg tool that automated the process of payload gen.

Besides that, you can let your mind run wild, and guess how it should be implemented and staged.  The gif shows the example, bypassing defender detection, executing powershell code from a restricted low user acct, and run get-computer info through the pif extensions.


 
But don't let us waste any more time, and lets get to the how to...

This bypass would be done with some sophistication methods. For this we will need the following stuff:

These things would be needed, to craft these type payloads.

  • ps2exe
  • invoke Obfuscation
  • Optional : encrypt decrypt base64 ps
  • ps1
  • rename file
  • edit powershell obfuscator source code to gen larger payloads !!!

The how to

  • put 'get-computerinfo' or any other payload to ps1.
  • open obfuscator dir in ps and enter 'Import-Module ./Invoke-Obfuscation.psd1' & 'Invoke-Obfuscation'
  • set scriptpath
  • compress\1 encoding\5 encoding\5 encoding\5
  • Copy output and add | powershell $()
  • Copy full sting and convert to b64`
  • Make file.ps1 with decrypt b64 add on the end | powershell $()
  • Replace string b64 with the output of your b64 obfuscated payload
  • Convert b64 decode.ps1 to exe
  • open 'ps2exe.exe or run the ps1' and gen .exe from ps1 file 'set scriptpath C:\whatever/whatever.ps1' and output 'C:\whatever\'
  • rename .exe to sum.pif 'rename-Item -Path "sum.exe" -NewName "sum.pif"'


Extra info

  • u can either use b64 in the beginning, or use it when the obfuscated code has been generated...
  • i tested both, and both methods would work
  • the b.pif that been made, has been generated with..>> obfuscated ps code converted to b64 before spinning out the exe


    Generated file to evade defender in the github repo.
  • {!} b.pif


Files :
https://github.com/x0xr00t/sl0ppy-defender-evasion

Youtube vid poc

https://www.youtube.com/watch?v=oHOsRgMxlrs

Legal Disclaimer:

I am not responsible for U using it on non authorized systems, make sure u use it on systems u own or are authorized on.

x0xr00t