It appears that Windows Defender on Windows 11 can be bypassed, allowing malware to slip past its sandbox checks and execute on the operating system.
Security researcher @an0n_r0 describes the bypass with very little detail, but enough to draw some conclusions.
The researcher chose Windows 11 to test the security of its built-in Windows Defender. His goal was to evade the sandbox in which Defender runs suspicious code for analysis, so that the malicious code is never flagged. To do this he wrote a loader carrying encrypted shellcode that is decrypted only in memory.
The resulting payload is controlled remotely by the attacker. The screenshots in the tweet below show that every step of the attack worked and that the shellcode ran and was able to pull data from the Windows host and display it.
#windows11 Defender bypass (worked for #meterpreter):
- basic sandbox evasion
- decrypt encrypted shellcode to memory
- create process in suspended state
- copy shellcode into allocated mem in remote process
- create remote thread
that's all. no need for special arsenal. :) pic.twitter.com/YZNB6sV0mN
- an0n (@an0n_r0) October 18, 2021
The researcher did not provide further details on how he accomplished these steps, but said the technique "worked for Meterpreter".
Meterpreter is a payload delivered through Metasploit. It provides an interactive shell through which an attacker can explore the target computer and run code.
Meterpreter loads itself through in-memory DLL injection, so the malicious code lives entirely in memory. It writes nothing to the hard disk and, by itself, creates no new processes (the suspended process in the tweet is created by the researcher's loader as an injection target). The footprint of such an attack is therefore very small.