Defense-Evasion on HackingPassion.com : root@HackingPassion.com-[~]https://hackingpassion.com/tags/defense-evasion/Recent content in Defense-Evasion on HackingPassion.com : root@HackingPassion.com-[~]HugoenThu, 21 May 2026 12:22:26 +0200GhostTree Makes Windows Defender Stop Scanning With Two Lines of Codehttps://hackingpassion.com/ghosttree-ntfs-defender-bypass/Thu, 21 May 2026 12:22:26 +0200https://hackingpassion.com/ghosttree-ntfs-defender-bypass/<p><strong>GhostTree</strong> makes Windows Defender stop scanning. Two lines of code, no admin rights, and malware sitting right next to it goes completely undetected. A Varonis researcher published it today, confirmed it works, and Microsoft&rsquo;s first response was that this does not count as a security issue. Then they patched it anyway.</p> <p>Windows lets you create a folder that points to another folder. The operating system follows that pointer as if the destination is real. Most applications and scanners follow junctions transparently unless they explicitly check for reparse points, which most do not. The feature has been built in for decades and has a perfectly legitimate purpose: backward compatibility, keeping old software happy when file locations change. The Windows name for it is an <strong>NTFS junction</strong>. The part that matters for this attack: any standard user account can create one. No admin rights needed. Write access to a folder is enough, and most users already have that in their own profile and in shared directories.</p>MSBuild LOLBin: How Hackers Run Malware on Windows Without Leaving a Tracehttps://hackingpassion.com/msbuild-lolbin-fileless-attack/Tue, 14 Apr 2026 12:06:26 +0200https://hackingpassion.com/msbuild-lolbin-fileless-attack/<p><strong>MSBuild.exe</strong> is a <strong>LOLBin</strong>, a legitimate Windows tool being abused to run malware on fully patched machines without dropping a single file on disk, and Windows Defender does not raise an alert because MSBuild.exe carries Microsoft&rsquo;s own digital signature and many security tools treat it as trusted by default. There is no patch coming because nothing here is broken. MSBuild.exe is doing exactly what Microsoft designed it to do. 😏</p> <p><code>MSBuild.exe</code>, the Microsoft Build Engine, has been part of the .NET Framework and Visual Studio for years. Software developers use it to compile and build applications from XML-based project files. Because Microsoft built it and signed it, Windows trusts it completely. AppLocker trusts it. Windows Defender Application Control trusts it. Most endpoint security solutions wave it through without a second look, because as far as they are concerned, it is a legitimate Microsoft tool doing its job.</p>