Fuck's sake, Defender is now signaturing on builds of my v2 version of NtObjectManager, god knows why. I fucking hate MS and Defender especially.
-
@tiraniddo it is a big pain in my butt as well. I keep on getting sporadic reports about Ansible's execution scripts being flagged by Defender/AMSI. I would like it a bit more if there were ways of trying to get the hash verified in some official process to lower the detection, but alas it's just a black box.
-
@tiraniddo I guess this is what happened:
1. You created NtApiDotNet and used it in dozens of PoCs submitted to MSRC
2. The Defender team was tasked with creating detection for your PoCs, and the easiest way was to detect the use of NtApiDotNet, since it was mainly used for exploitation?
-
@oct0xor that's what caused v1 to be detected. In v2 I tried my best to refactor it until it stopped detecting and have never used it for a PoC since. Still, something must have decided to use it, or Defender is just detecting the use of a native API which happens to be used by malware somewhere.
-