FalconFriday — AV Manipulation — 0xFF0E

Post-Image

FalconFriday — AV Manipulation — 0xFF0E

Today’s blog is based on Olaf Hartong’s recent research on malware behavior at scale. In this edition, we’ll look at how malware tampers with the local Windows Defender AV and how you can detect it.

TL;DR for blue teams: You can use this rule as an early indicator of a potential compromise. At the very least, someone is weakening your defenses. 

TL;DR for red teams: Avoid using the PowerShell APIs for disabling the Defender AV.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-av-manipulation-0xff0e-67ed4387f9ab

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday