1

I've recently written a simple keylogger using the classic DLL-injection technique. I wanted to simulate a real phishing attack where the user opens an Office document with macros and, by enabling them, downloads and runs my keylogger. While the keylogger itself is not being recognized as a threat, the VBA script is.

I've searched for a similar question and I've only found questions about how to obfuscate Metasploit/Empire payloads. I've even tried some of them, but they all got recognized as a threat (I've used msfvenom's shikata_ga_nai as the encoder).

I don't want to use any existing tools. I'd like to learn how Windows Defender recognizes that piece of VBA script as malicious. I've read that it uses both signature-based scanning and runtime execution analysis. All the bypass techniques I've found on the internet try to obfuscate the code, which in my understanding can only bypass the signature-scanning part.

Environment: default Windows 10 configuration

Also, if any of you knows a way to force Windows Defender to tell me why it recognized my code as a threat (for example "use of unsafe function", etc.), it would be super helpful!

schroeder
Rob D
  • It's very tough passing Windows Defender in 2020; what you are looking for is heavily obfuscated download-and-execute code in VBA. You need to piece things together and experiment to figure out what works with Defender and what doesn't. – yeah_well Jun 20 '20 at 12:30

2 Answers

0

You need to obfuscate the VBA script in order to make it FUD (Fully UnDetectable).

You can use the ChrW() function, which allows you to type ASCII codes instead of the actual characters themselves.

If you could share your code, maybe we could try to assist you with this ("use of unsafe function"). I advise you to dive into someone else's code on GitHub and check out their steps in order to verify your code; you'll be able to notice a difference.

schroeder
IceeFrog
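As an added illustration of the ChrW() idea in the answer above (this is example code written for this page, not the answerer's or the asker's code): a small Python generator that turns a literal string into a VBA expression built from ChrW() calls, plus a decoder to verify the round trip. The function name `vba_function` and the chunking of the expression across VBA line-continuation markers are this example's own choices.

```python
"""Build VBA ChrW() expressions so that string literals never appear
verbatim in macro source.

Added example for this page; not code from the original post."""
import re


def to_chrw(s: str, chunk: int = 8) -> str:
    """Return a VBA expression concatenating ChrW() calls, one per character.

    VBA's ChrW() accepts code points in the Basic Multilingual Plane only,
    so anything above U+FFFF is rejected here. Long expressions are split
    with VBA's " _" line continuation every `chunk` characters so the
    result pastes cleanly into the VBA editor.
    """
    parts = []
    for c in s:
        cp = ord(c)
        if cp > 0xFFFF:
            raise ValueError(f"ChrW() cannot encode U+{cp:X}")
        parts.append(f"ChrW({cp})")
    lines = [" & ".join(parts[i:i + chunk]) for i in range(0, len(parts), chunk)]
    return " & _\n    ".join(lines)


def from_chrw(expr: str) -> str:
    """Decode a ChrW() expression back into the string it represents.

    Used to verify the generator; it is also exactly what any scanner that
    evaluates or emulates the macro will see, which is why this hides the
    string from a plain byte signature and from nothing else.
    """
    return "".join(chr(int(n)) for n in re.findall(r"ChrW\((\d+)\)", expr))


def vba_function(name: str, s: str) -> str:
    """Emit a VBA Function that rebuilds `s` at runtime."""
    body = to_chrw(s)
    return f"Function {name}() As String\n    {name} = {body}\nEnd Function"


if __name__ == "__main__":
    # Constructed sample string; it is not a payload from the page.
    print(vba_function("GetTarget", "cmd.exe /c calc"))
```

Running it prints a `Function GetTarget() As String` block whose body is a chain of `ChrW(99) & ChrW(109) & ...` calls. Keep the `from_chrw` caveat in mind when judging the result against the question's own observation: this only alters what a static signature sees, and any component that executes or emulates the macro recovers the original string.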
0

Not directly answering your request, but take a look at DefenderCheck (https://github.com/matterpreter/DefenderCheck).

It compiles in VS2019 and allows you to scan any file; just turn real-time scanning off.

My own research has found that Defender won't flag the VBA code a lot of the time if it's been through basic obfuscation, and that's the case even if you unzip the doc and scan the raw macro text files.

You are probably getting flagged on the runtime analysis, and you'll see that from DefenderCheck.

Try doing things like mixing up the order of your WinAPI calls, obfuscating static strings, obfuscating "shellcode" (if any); sometimes basic things like switching from VirtualAlloc to HeapAlloc will get around Defender.

Here is some example output from scanning a doc:

C:\Users\...\DefenderCheck-master\DefenderCheck\DefenderCheck\bin\Debug>DefenderCheck.exe C:\Microsoft_IRM_Protected.doc
Target file size: 66016 bytes
Analyzing...

[!] Identified end of bad bytes at offset 0x14AC9 in the original file
File matched signature: "Trojan:Script/Wacatac.B!ml"

00000000   D0 10 00 03 04 52 62 70  A2 CD 10 00 03 04 52 73   з···Rbp¢Í····Rs
00000010   69 10 D0 10 00 03 04 52  64 69 E5 CD 10 00 02 04   i·Ð····RdiåÍ····
00000020   52 38 E7 5E 10 00 02 04  52 39 E8 5E 10 00 03 04   R8ç^····R9è^····
00000030   52 31 30 0D CB 10 00 50  00 52 00 4F 00 4A 00 45   R10·Ë··P·R·O·J·E
00000040   00 43 00 54 00 77 00 6D  00 00 00 00 00 00 00 00   ·C·T·w·m········
00000050   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000060   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
00000070   00 00 00 00 00 00 00 14  00 02 00 FF FF FF FF FF   ···········ÿÿÿÿÿ
00000080   FF FF FF FF FF FF FF 00  00 00 00 00 00 00 00 00   ÿÿÿÿÿÿÿ·········
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
000000A0   00 00 00 00 00 00 00 00  00 00 00 1F 00 00 00 47   ···············G
000000B0   00 00 00 00 00 00 00 50  00 52 00 4F 00 4A 00 45   ·······P·R·O·J·E
000000C0   00 43 00 54 00 00 00 00  00 00 00 00 00 00 00 00   ·C·T············
000000D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ················
000000F0   00 00 00 00 00 00 00 10  00 02 01 0B 00 00 00 10   ················
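The "end of bad bytes" line in that output comes from scanning ever-shorter prefixes of the file until the detection disappears. The following is an added example for this page, not DefenderCheck's own source: it implements that prefix bisection in Python with a pluggable scanner. `mpcmdrun_flags` shells out to Defender's command-line scanner (Windows only; it assumes the default `MpCmdRun.exe` install path and that exit code 2 means a threat was found, so check both against your build), while `fake_scanner` and `SAMPLE` are constructed stand-ins so the script runs offline.

```python
"""Find the offset at which a scanner starts flagging a file by bisecting
over file prefixes (the idea behind DefenderCheck's "end of bad bytes").

Added example for this page; not DefenderCheck's code."""
import os
import subprocess
import tempfile
from typing import Callable, Optional

Scanner = Callable[[bytes], bool]  # True when the blob is flagged

# Assumed default install path; adjust for your system.
MPCMDRUN = r"C:\Program Files\Windows Defender\MpCmdRun.exe"


def mpcmdrun_flags(blob: bytes) -> bool:
    """Write blob to a scratch file and ask Defender whether it is malicious.

    -ScanType 3 is a custom scan of one path and -DisableRemediation leaves
    the file alone. Assumption: exit code 2 means a threat was found.
    Real-time protection must be off or the scratch file may be quarantined
    before the scan runs.
    """
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as fh:
        fh.write(blob)
        path = fh.name
    try:
        proc = subprocess.run(
            [MPCMDRUN, "-Scan", "-ScanType", "3", "-File", path,
             "-DisableRemediation"],
            capture_output=True, text=True)
        return proc.returncode == 2
    finally:
        os.unlink(path)


def find_end_of_bad_bytes(data: bytes, flagged: Scanner) -> Optional[int]:
    """Return the length of the shortest prefix that is still flagged.

    Assumes detection is monotone in the prefix (once flagged, every longer
    prefix is flagged too). That holds for a plain byte signature but not
    necessarily for checks that need the whole container or emulate the
    macro, so treat the offset as a hint, not a proof. Needs about
    log2(len(data)) scans.
    """
    if not flagged(data):
        return None
    lo, hi = 0, len(data)  # invariant: data[:lo] clean, data[:hi] flagged
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if flagged(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def hexdump(data: bytes, start: int = 0, width: int = 16) -> str:
    """Render bytes in the offset / hex / ASCII layout DefenderCheck prints."""
    out = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"{start + off:08X}   {hexs:<{width * 3}}  {asc}")
    return "\n".join(out)


# Constructed sample "document": filler, a module header, and one marker
# that the fake scanner treats as its signature. Not real malware.
SIGNATURE = b"Sub AutoOpen()"
SAMPLE = (b"\x00" * 1000 + b'Attribute VB_Name = "Module1"\r\n'
          + SIGNATURE + b"\r\nEnd Sub\r\n" + b"\x00" * 500)


def fake_scanner(blob: bytes) -> bool:
    """Stand-in for Defender: flags any blob containing SIGNATURE."""
    return SIGNATURE in blob


if __name__ == "__main__":
    end = find_end_of_bad_bytes(SAMPLE, fake_scanner)
    if end is None:
        print("File is clean")
    else:
        print(f"[!] Identified end of bad bytes at offset 0x{end:X}")
        lo = max(0, end - 64)
        print(hexdump(SAMPLE[lo:end], lo))
```

With the fake scanner the reported offset lands exactly at the end of the marker string, and the hexdump shows the module header and `Sub AutoOpen()` just before it. Swap `fake_scanner` for `mpcmdrun_flags` to run the same bisection against Defender; if the offset moves around between runs or points into structurally meaningless bytes, that is a sign the detection is not a simple byte match, which is consistent with the answer's suggestion that the flag is coming from runtime analysis.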