<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Fucks sake, Defender is now signaturing on builds of my v2 version of NtObjectManager, god knows why.]]></title><description><![CDATA[<p>Fucks sake, Defender is now signaturing on builds of my v2 version of NtObjectManager, god knows why. I fucking hate MS and Defender especially.</p>]]></description><link>https://board.circlewithadot.net/topic/9f573e1f-0a5c-432c-9c19-3d87aef2e8a5/fucks-sake-defender-is-now-signaturing-on-builds-of-my-v2-version-of-ntobjectmanager-god-knows-why.</link><generator>RSS for Node</generator><lastBuildDate>Fri, 01 May 2026 06:31:56 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/9f573e1f-0a5c-432c-9c19-3d87aef2e8a5.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 07 Apr 2026 20:25:12 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to Fucks sake, Defender is now signaturing on builds of my v2 version of NtObjectManager, god knows why. on Mon, 20 Apr 2026 18:16:38 GMT]]></title><description><![CDATA[<p><span><a href="https://mastodon.social/@oct0xor">@<span>oct0xor</span></a></span> that's what caused v1 to be detected. In v2 I tried my best to refactor it until it stopped detecting and have never used it for a PoC since. 
Still, something must have decided to use it, or Defender is just detecting the use of a native API which happens to be used by malware somewhere.</p>]]></description><link>https://board.circlewithadot.net/post/https://infosec.exchange/users/tiraniddo/statuses/116438400917129515</link><guid isPermaLink="true">https://board.circlewithadot.net/post/https://infosec.exchange/users/tiraniddo/statuses/116438400917129515</guid><dc:creator><![CDATA[tiraniddo@infosec.exchange]]></dc:creator><pubDate>Mon, 20 Apr 2026 18:16:38 GMT</pubDate></item><item><title><![CDATA[Reply to Fucks sake, Defender is now signaturing on builds of my v2 version of NtObjectManager, god knows why. on Mon, 20 Apr 2026 06:42:11 GMT]]></title><description><![CDATA[<p><span><a href="/user/tiraniddo%40infosec.exchange">@<span>tiraniddo</span></a></span> I guess this is what happened:<br />1. You created NtApiDotNet and used it in dozens of PoCs submitted to MSRC<br />2. Defender team was tasked with creating detection for your PoCs, and the easiest way was to detect the use of NtApiDotNet, since it was mainly used for exploitation?</p>]]></description><link>https://board.circlewithadot.net/post/https://mastodon.social/users/oct0xor/statuses/116435670240587553</link><guid isPermaLink="true">https://board.circlewithadot.net/post/https://mastodon.social/users/oct0xor/statuses/116435670240587553</guid><dc:creator><![CDATA[oct0xor@mastodon.social]]></dc:creator><pubDate>Mon, 20 Apr 2026 06:42:11 GMT</pubDate></item><item><title><![CDATA[Reply to Fucks sake, Defender is now signaturing on builds of my v2 version of NtObjectManager, god knows why. on Wed, 08 Apr 2026 07:21:56 GMT]]></title><description><![CDATA[<p><span><a href="/user/tiraniddo%40infosec.exchange">@<span>tiraniddo</span></a></span> it is a big pain in my butt as well. I keep on getting sporadic reports around Ansible’s execution scripts being flagged by Defender/AMSI. 
I would like it a bit more if there were ways of trying to get the hash verified in some official process to lower the detection, but alas it’s just a black box.</p>]]></description><link>https://board.circlewithadot.net/post/https://fosstodon.org/users/jborean/statuses/116367878796778347</link><guid isPermaLink="true">https://board.circlewithadot.net/post/https://fosstodon.org/users/jborean/statuses/116367878796778347</guid><dc:creator><![CDATA[jborean@fosstodon.org]]></dc:creator><pubDate>Wed, 08 Apr 2026 07:21:56 GMT</pubDate></item></channel></rss>