Black Hat USA 2023 was busy for SafeBreach researchers Tomer Bar and Omer Attias, who spent lots of stage time outlining how attacks are conducted, which APT groups have been most active, and how breach and attack simulation can help security teams think like the enemy and fight back. 

Of particular interest was their presentation on how Windows Defender can be hijacked to ignore malware, falsely recognize benign files as malicious and even delete critical system files to render a machine inoperable. 

The Israeli researchers introduced an automated tool called Defender Pretender that can replicate these attacks if the version of the Microsoft Malware Protection Platform is earlier than 4.18.2303.8. The tool can be found at  

Microsoft catalogued the attack method as CVE-2023-24934 and patched the vulnerability in April. 

"The lesson is trust no one, even Microsoft's own processes,” Bar says. “Digitally signed files are not always secure, and the signature update process of security programs could be used as an attack vector." 

Bar and Attias' Black Hat presentation slides can be viewed at

Inspired by the Flame state-sponsored malware of 2012, Bar and Attias wondered if they too could leverage the Windows Defender virus-signature update process to subvert a Windows system. But while Flame used a cryptographic collision to spoof a Microsoft digital signature, Bar and Attias raised the bar higher (or maybe lower) and set out to subvert Defender as an unprivileged user without special access or signatures. 

To cap off their demos, they redefined the Emotet signature so that Defender would detect and remove Windows system files. Defender isn't supposed to run under DOS, but the researchers figured out a way, then showed how a command-line screen rapidly removed essential system files, after which the virtual machine tried and failed to reboot. 

After Black Hat, Bar sat down with Security Weekly host Jeff Man to discuss their Defender findings and how, in the bigger picture, the SafeBreach Labs team helps customers discover their most critical threats and security gaps by building the industry’s most current and complete playbook of attacks.  

This segment is sponsored by SafeBreach. Visit to learn more about them. 

Show Notes:  

  • 00:00 - Introduction to breach and attack simulation 
  • 01:12 - SafeBreach's Breach and Attack Simulation platform 
  • 02:18 - Real-time testing to identify drifts and vulnerabilities 
  • 03:30 - Realistic simulations to mimic actual threats and attack techniques  
  • 04:45 - SafeBreach's research and vendor collaboration  
  • 06:02 - Customized attacks for comprehensive testing of customer environments  
  • 07:15 - Advantages for larger enterprises: expertise and simulation benefits  
  • 08:28 - Identifying vulnerabilities, misconfigurations and process failures  
  • 09:42 - Prioritizing and closing security gaps