Abusing Defender Exclusions to Exfiltrate Credentials With LaZagne

Wow, I can’t believe this still works, but it does.

One of the biggest let-downs during any engagement, is getting your C2 implant blocked by AV/EDR.

All the OSINT, Social Engineering, and research has gone out the window, and the Security Operations Center (SoC) is lit up. 😡

I’m talking Carbon Black or SentinelOne , etc.

Windows Defender pretends to secure your computer, but with what I’m about to show you & countless AMSI bypasses – if you don’t believe Windows is broken by design , we can’t be friends.

Moving along.

We can’t make any changes to Defender’s settings without an elevated account. We’ll be using the infamous sdclt.exe UAC Bypass in order to accomplish our goal – adding wildcard extensions for all binaries before deploying LaZagne, using Windows' built-in certutil to encode and curl to exfiltrate the output to a public HTTP request inspector.

LOL, Yes – a UAC Bypass from 2017 can still lead to the complete take-over of a fully patched Windows 10 computer, even after detection:

# Leveraging UAC bypass (SDCLT.exe) to run our above script with Admin privileges.
$cmd = 'powershell.exe -executionpolicy bypass ' + $filename + ''
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value $cmd
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
Start-Process -FilePath $env:windir\system32\sdclt.exe

Results of “winver” command.

Our test subject is a Windows 10 LTSC VM on Version 20H2.

Defender definition last update

We have an up-to-date version of Defender’s definitions. Let’s go ahead and kick-off the payload…

Payload in action

You really should be running this PowerShell payload in a hidden window via the -w hidden flag if the goal is to stay inconspicuous.

As you can see, running the code results in a PowerShell window with Administrator privileges, which is adding our exclusions to Defender, allowing us to later run any malware of our choice.

You do have to move quickly, just like you can temporarily disable Defender, which automatically re-enables after a set period of time, it seems to remove all but the .zip exclusion – yet as you’ll see, the damage is already done.

# Sleep for 15 seconds Allow exceptions to register before downloading Stage 2.
Start-Sleep -s 15

15 seconds, in testing, appeared to be the magic amount of time to wait before moving forward with downloading Stage 2 of our payload. Otherwise, the exclusions didn’t have time to register, and AMSI caught the payload.

Exclusions added Hmm… Feels dangerous…😎

UAC bypass detected Defender history shows that it has detected the UAC bypass, but the Exclusions haven’t been removed!

Attack chain in action

With .exe and .dll in the Exclusions list, LaZagne is downloaded, ran, and the output exfiltrated to a third-party site, accessible from behind a VPN.

Hookbin Decoding is as easy as saving the request body to a file, and using certutil’s - decode flag to obtain our LaZagne output.

Decoding certutil-encoded LaZagne output Yes, I had to redact my GitLab password. 🦾

Source Code: https://github.com/jeffjbowie/Weaponry/blob/master/ExclusionDrop.ps1