What I could never get over... Windows Defender (and all other client-side AV) is effectively pointless if you are operating as administrator on the machine. A carefully-crafted PowerShell command (running in an elevated context) can completely erase all traces of Defender in seconds.

Once you get your hands on a TrustedInstaller session, you are pretty much in god mode.


You don't even need that. AV does not know what "malware" is. It only knows heuristics from known bad ware. If I make a program in Visual Studio that does some bad stuff and give it to you, Defender won't do a thing about it, because it's doing the same stuff good ware could also be doing.

This is why AVs are low on the list of security. Prevention is far better than detection.


Does that also apply to things like Symantec Endpoint Protection, which has many additional modules like SONAR - is that mostly marketing and loud yelling?


Most endpoint protection systems typically use a combination of looking at known hashes or bad things and active process monitoring to identify new bad things. They're not perfect, and have varying levels of success. It is better than nothing.

I can't speak to Symantec, but I've worked for companies that provide endpoint protection and watched a live demo of novel "malware" getting caught escalating privileges.


That's why cloud-delivered detection is good as well, as are EDRs, including Defender ATP and others.

I "attack simulated" as many ways as I could, disabling Defender. If anything in our environment so much as changes a registry key or service, or adds an exclusion, we get alerts for it; no need for cloud-delivered protection/ATP to take its time analyzing behavior.

OP's writeup is great, but it has nothing to do with behavioral analysis.

It doesn't even matter what bypass you found. I spent so much time defeating Defender at one point; as soon as my payload breaks opsec on a cloud-delivered box (e.g. runs "whoami"), in about a day Defender starts catching it.

I can almost guarantee this bypass can only last as long as attackers use it stealthily. Enough automatic detections will get human eyes on it.
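The alerting described in the comment above (registry key, service or exclusion changes touching Defender), sketched as an added example that is not part of this thread: a small detection pass over flattened endpoint telemetry. The event shapes, field names and sample entries are constructed; only the Sysmon event IDs (1, 13), the Defender operational event IDs (5001, 5007, 5010) and the registry paths are real.

```python
import re

# Registry locations whose modification weakens or disables Defender
# (matched case-insensitively against the Sysmon EventID 13 TargetObject).
TAMPER_KEY_PATTERNS = [
    r"\\Windows Defender\\Exclusions\\",                   # exclusion added
    r"\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$",
    r"\\Windows Defender\\Real-Time Protection\\Disable",  # DisableRealtimeMonitoring etc.
    r"\\Services\\WinDefend\\Start$",                      # service start type changed
]
# Microsoft-Windows-Windows Defender/Operational events that warrant an alert by themselves.
DEFENDER_EVENT_IDS = {5001: "real-time protection disabled",
                      5007: "Defender configuration changed",
                      5010: "anti-malware scanning disabled"}
# Command lines that alter Defender preferences (exclusions, disabled features).
MPPREF_CMD = re.compile(r"\b(Set|Add)-MpPreference\b", re.IGNORECASE)


def detect_tampering(events):
    """Return (reason, event) pairs for events that indicate Defender tampering.
    Each event is a constructed flattened dict: 'Channel', 'EventID', plus type-specific fields."""
    alerts = []
    for ev in events:
        ch, eid = ev.get("Channel"), ev.get("EventID")
        if ch == "Sysmon" and eid == 13:               # RegistryEvent (Value Set)
            target = ev.get("TargetObject", "")
            if any(re.search(p, target, re.IGNORECASE) for p in TAMPER_KEY_PATTERNS):
                alerts.append((f"registry tampering: {target}", ev))
        elif ch == "Sysmon" and eid == 1:              # ProcessCreate
            if MPPREF_CMD.search(ev.get("CommandLine", "")):
                alerts.append(("Defender preferences changed from command line", ev))
        elif ch == "Defender" and eid in DEFENDER_EVENT_IDS:
            alerts.append((DEFENDER_EVENT_IDS[eid], ev))
    return alerts


# Constructed sample telemetry (not captured from a real host); only the
# first and fourth entries are benign.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\tools"},
    {"Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"Channel": "Sysmon", "EventID": 1, "CommandLine": r'"C:\Windows\notepad.exe" notes.txt'},
    {"Channel": "Sysmon", "EventID": 1,
     "CommandLine": r"powershell.exe -c Add-MpPreference -ExclusionPath C:\tools"},
    {"Channel": "Defender", "EventID": 5001},
]
```

Running `detect_tampering(SAMPLE_EVENTS)` yields four alerts: the two Defender registry writes, the MpPreference command line, and the 5001 event; the Run key write and notepad launch pass silently.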


If you are administrator, you can create and launch new scheduled tasks ... as NT\SYSTEM from that you can ... anything. Get TCB privilege, get Trusted Installer account, install kernel level drivers ... god mode.
