BIPI

Windows Defender Evasion: Signatures, Behavioral, Cloud Lookups

Cybersecurity

Defender is no longer free AV; it is a tier-one EDR. How the signature, behavioral, and cloud-delivered protection layers work, where they fail, and which evasions still pay off in 2024.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 26, 2025 · 11 min read

#defender #evasion #edr #red-team #amsi

Defender is three engines, not one

  • Static signatures: classic YARA-like, fast, evaded by obfuscation
  • Behavioral monitoring: ETW plus kernel callbacks, harder to dodge
  • Cloud-delivered protection (MAPS): real-time lookup, ML correlation

Signature evasion still works (a little)

Compile your own Mimikatz from source, strip strings, randomize symbol names. Defender flags the public binary by hash and known string patterns but loses confidence on bespoke builds. SafetyKatz takes a different route: it writes a minidump of LSASS with MiniDumpWriteDump and parses it with a Mimikatz build loaded in memory through a .NET PE loader, and operators typically run the assembly through ConfuserEx so the loader and its embedded payload no longer match static signatures.

Behavioral wins almost every time

Defender's behavioral engine watches LSASS handle opens, suspicious parent-child process trees and named-pipe creation patterns. You can rename Mimikatz to notepad.exe and it is still flagged the moment it opens LSASS with PROCESS_VM_READ: the sensor keys on the access request, not on the file name or hash.

LSASS access evasion

  • NanoDump's seclogon options: leak or duplicate an LSASS handle already opened by the Secondary Logon service instead of calling OpenProcess yourself
  • MiniDumpWriteDump against a PssCaptureSnapshot clone (PSS_CAPTURE_VA_CLONE, with a MiniDumpCallback that answers IsProcessSnapshotCallback) so the read comes from the snapshot, not the live process
  • Hijack a COM server loaded by a SYSTEM-level svchost.exe so the LSASS open originates from a trusted host process running with a SYSTEM token
  • Fork LSASS (NtCreateProcessEx with the LSASS handle as parent, which needs only PROCESS_CREATE_PROCESS) and read the frozen child instead of the live process

Each of these changes who opens the handle or what gets read, not the fact that a kernel-level sensor sees a process touching LSASS.

Cloud lookup is the killer

MAPS sends metadata on suspicious files to Microsoft (and, with sample submission enabled, the file itself) and gets a verdict back in seconds; block-at-first-sight holds the file until that verdict arrives. Cloud-side ML catches packers and reflective loaders that the local engines miss. Disabling cloud protection is the single biggest evasion win, and the single biggest forensic giveaway: the change lands in the Defender operational log as Event 5007.

BYOVD: bring your own vulnerable driver

CVE-2024-21338, a privilege escalation in appid.sys (the AppLocker driver), and the long lineage of vulnerable signed drivers (RTCore64.sys from MSI Afterburner, Procexp152.sys from Process Explorer, gdrv.sys from Gigabyte) let attackers run kernel code and remove Defender's kernel callbacks or kill its protected processes. EDRSandblast (RTCore64) and Backstab (Procexp) automate the loading. Microsoft's vulnerable driver blocklist closes the easy ones, but only on hosts where it is actually enforced through HVCI or WDAC, which is why it is on the hardening list below.

Process injection that survives behavioral

  • Module stomping: load a benign DLL into the target and overwrite its .text with the payload, so the code runs from image-backed memory rather than a fresh private RWX region
  • Early Cascade and Process Doppelganging variants
  • Hardware-breakpoint hooks via the debug registers (SetThreadContext): no inline patch of the hooked function for an integrity scan to find
  • Direct or indirect syscalls (Hell's Gate, Halo's Gate) to bypass userland hooks; Defender does little userland hooking and leans on kernel callbacks and ETW, so this buys less against it than against hook-heavy EDRs

Detection that defenders should trust

  • Event 1116/1117 in Microsoft-Windows-Windows Defender/Operational (threat detected / action taken)
  • Event 5007 (configuration changed) catches MAPS or real-time protection being disabled; the message names the registry value that changed
  • Defender for Endpoint Advanced Hunting over DeviceEvents (ActionType OpenProcessApiCall targeting lsass.exe) for LSASS access patterns
  • Sysmon Event 10 with GrantedAccess 0x1410 or 0x1010 on lsass.exe, as a starting point only: a dumper can ask for PROCESS_ALL_ACCESS (0x1FFFFF) or just PROCESS_CREATE_PROCESS (0x80) for a fork, so test the mask bits rather than matching two constants
  • ASR audit-mode hits (Event 1122; 1121 for blocks) in the local Defender operational log and in the Defender admin center
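
The Sysmon and Defender checks above, as an added example (not code from the original article): it classifies Event 10 opens of lsass.exe by the individual PROCESS_* bits in GrantedAccess, which generalizes the 0x1410 / 0x1010 match and also catches the PROCESS_ALL_ACCESS and fork-only masks, and it pulls the 5007 events that touch cloud protection. The allowlist and the sample records are constructed for the demo; the live queries need Sysmon with Event 10 enabled and an elevated shell.

```powershell
# Added example, not the article's code. Classify Sysmon Event 10 LSASS opens by access-mask bits
# and pull Defender 5007 configuration changes that touch cloud protection (MAPS).

# PROCESS_* access rights from winnt.h. Sysmon's GrantedAccess is the OR of these.
$ProcessRights = [ordered]@{
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_DUP_HANDLE                = 0x0040
    PROCESS_CREATE_PROCESS            = 0x0080   # enough to fork LSASS with NtCreateProcessEx
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # on its own this is benign (Task Manager, AV scans)
}

# Any of these lets the caller read, clone or steal from LSASS.
$DumpRights = 0
foreach ($n in 'PROCESS_VM_READ', 'PROCESS_VM_WRITE', 'PROCESS_DUP_HANDLE', 'PROCESS_CREATE_PROCESS') {
    $DumpRights = $DumpRights -bor $ProcessRights[$n]
}

# Assumed allowlist for the demo. Build yours from a baseline, not from this list.
$BenignSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe'
)

function Test-LsassOpen {
    param(
        [Parameter(Mandatory)][string]$SourceImage,
        [Parameter(Mandatory)][string]$TargetImage,
        [Parameter(Mandatory)][string]$GrantedAccess   # Sysmon writes a hex string such as "0x1410"
    )
    if ($TargetImage -notmatch '\\lsass\.exe$') { return $null }
    $mask = [Convert]::ToInt32($GrantedAccess, 16)
    $bits = foreach ($r in $ProcessRights.GetEnumerator()) { if ($mask -band $r.Value) { $r.Key } }
    $allowlisted = [bool]($BenignSources | Where-Object { $SourceImage -like $_ })
    [pscustomobject]@{
        SourceImage   = $SourceImage
        GrantedAccess = '0x{0:X}' -f $mask
        Rights        = $bits -join ', '
        Suspicious    = (($mask -band $DumpRights) -ne 0) -and -not $allowlisted
    }
}

# Constructed sample records (not real telemetry) showing why bit tests beat fixed-mask matching.
$Samples = @(
    @{ SourceImage = 'C:\Users\jdoe\AppData\Local\Temp\notepad.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1410' }    # renamed Mimikatz, classic mask
    @{ SourceImage = 'C:\Users\jdoe\Desktop\dumper.exe';             TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1FFFFF' }  # PROCESS_ALL_ACCESS, a 0x1410 rule misses it
    @{ SourceImage = 'C:\Users\jdoe\Desktop\fork.exe';               TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x80' }      # fork-and-read, no VM_READ requested
    @{ SourceImage = 'C:\Windows\System32\Taskmgr.exe';              TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1000' }    # QUERY_LIMITED only: benign
    @{ SourceImage = 'C:\Windows\System32\svchost.exe';              TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1FFFFF' }  # not LSASS: ignored
)
$Samples | ForEach-Object { $s = $_; Test-LsassOpen @s } | Format-Table -AutoSize

# Live use: the same classifier over the Sysmon log, reading EventData fields by name so the
# code does not depend on the field order of a particular Sysmon schema version.
function Get-LsassOpenEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=10]]' -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            Test-LsassOpen -SourceImage $d.SourceImage -TargetImage $d.TargetImage -GrantedAccess $d.GrantedAccess
        } | Where-Object { $_ -and $_.Suspicious }
}

# Defender 5007 events name the changed registry value in the message text;
# SpyNetReporting going to 0x0 is MAPS being switched off.
function Get-MapsConfigChanges {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SpyNet|SubmitSamplesConsent' } |
        Select-Object TimeCreated, Message
}
```

On the constructed records the first three rows come back Suspicious, the Task Manager row does not (0x1000 carries none of the dump rights), and the non-LSASS row is dropped. A rule that only matches 0x1410 and 0x1010 would have missed rows two and three.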

Hardening that compounds

  • Enable all ASR rules in audit mode, then enforce after exception tuning
  • Cloud-delivered protection at the High block level, with sample submission on so block-at-first-sight can hold unknown files
  • Tamper protection on (set from Intune or the Defender portal; it is not a Set-MpPreference switch), plus Intune attack surface management
  • Microsoft vulnerable driver blocklist enforced via HVCI or WDAC
  • Credential Guard plus HVCI to neuter LSASS dumping: with Credential Guard the secrets live in the isolated LSA process (LsaIso.exe), so a successful LSASS dump yields no NTLM hashes or Kerberos keys
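
The hardening list above as one script, added here as an example (not the article's own tooling): it stages the ASR rules in audit mode with an enforce step ready to flip, sets cloud protection to High, and verifies the controls PowerShell cannot set (tamper protection, the driver blocklist, Credential Guard and HVCI). The ASR GUIDs are Microsoft's published rule IDs; the four rules chosen are an assumption for the demo, not the full set. Run it elevated.

```powershell
# Added example, not the article's script. Apply the hardening items and verify the ones
# that have to be set elsewhere (Intune / Defender portal / WDAC).

$AsrRules = [ordered]@{
    'Block credential stealing from the Windows local security authority subsystem' = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block abuse of exploited vulnerable signed drivers'                             = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    'Block process creations originating from PSExec and WMI commands'              = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block Office applications from injecting code into other processes'            = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
}

function Set-AsrRuleAction {
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Action)
    foreach ($id in $AsrRules.Values) {
        # Add-MpPreference sets (or overwrites) the action for an individual rule ID
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

# Step 1: audit everything. Step 2, after tuning exclusions from the 1122 events: enforce.
Set-AsrRuleAction -Action AuditMode
# Set-AsrRuleAction -Action Enabled

# ASR audit hits (1122) and blocks (1121) are also in the local Defender operational log,
# so the admin center is not required to see what enforcement would have broken.
function Get-AsrEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Cloud-delivered protection at the High block level. Sample submission is what lets
# block-at-first-sight hold an unknown file while MAPS returns a verdict.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50      # extra seconds to wait for the verdict; 50 is the maximum

# Tamper protection is turned on from Intune or the Defender portal, not from PowerShell. Verify only.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper protection is OFF: an admin-level attacker can undo every Set-MpPreference call above.'
}

# Microsoft's vulnerable driver blocklist (the HVCI-enforced list; a custom WDAC policy is a separate control).
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
if ($ci.VulnerableDriverBlocklistEnable -ne 1) {
    Write-Warning 'Vulnerable driver blocklist is not enabled (CI\Config\VulnerableDriverBlocklistEnable != 1).'
}

# Credential Guard (1) and HVCI (2) running state from the DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$running = @($dg.SecurityServicesRunning)
[pscustomobject]@{
    CredentialGuardRunning = $running -contains 1
    HvciRunning            = $running -contains 2
    TamperProtected        = $status.IsTamperProtected
    CloudBlockLevel        = (Get-MpPreference).CloudBlockLevel
}
```

The point of the final object is that the controls which actually stop LSASS dumping (Credential Guard, HVCI, tamper protection) are the ones a Set-MpPreference script cannot turn on; if any of them reports false, the cloud and ASR settings above are reversible by the same attacker they are meant to stop.
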

  • 100%: Defender ATP detection rate on public Mimikatz
  • <30%: detection rate on compiled SafetyKatz with custom build
  • Very high: ASR rule "Block credential stealing" prevention rate

Defender in 2024 is a serious EDR. Treat it like CrowdStrike, not like 2016 MSE.
