Report evasion techniques


Hi!

I wonder if there is any kind of contact address where we can report e.g. evasion techniques which are working to fly under the Defender for Endpoint radar.

Our pen tests, which are done regularly, showed us a few ways to infect a machine, including communication to a C&C server, without being alarmed.

Of course there are other measures we can take before such things happen, but I wonder if Microsoft itself is interested in such findings to make Defender's capabilities even better.

Another (public) example (which I haven't tried myself, but the article is pretty current):

https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839...

As I said, I haven't tried it myself yet, but if this is still working -> would it make sense to get in touch with the product guys for Defender in any way?

BR
"DefenderAdmin"


Update: I just tried the evasion technique for which I gave a link before -> not working any longer (it is prevented and generates alarms, which is a good thing I guess :) )

Great!!

In such cases, we can also prevent modifications made to the Windows Defender firewall (via group policy), etc.

In the future, you can use our Microsoft Security Intelligence portal to report malicious files, URLs, etc. here: Antimalware and cybersecurity portal - Microsoft Security Intelligence