search

Bypassing Defender with Exclusion List

hashtag
Objective

Add your malware to Defender's exclusion list. So it wont be scanned in the feature.

hashtag
Requirements

This action requires administrator privileges. And also you should be able to use powershell.

hashtag
Idea

Infiltrate into computer physically and/or send a dropper which is able to elavate its privileges then drop the real malware.

hashtag
Scenario / Action

  • Send a dropper via spear pishing.

  • Elevate privileges via UAC bypass or other exploits.

  • Create a folder in the victims computer.

  • Add created folder into Windows Defender's exclusion list.

  • Drop real malware into created folder.

  • Execute the malware.

Powershell Command

 Add-MpPreference -ExclusionPath "Path of folder or file"
Windows Defenders Exclusion List

hashtag
References

  1. Microsoft, Add-MpPreference, https://docs.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=windowsserver2019-psarrow-up-right

PreviousBypassing AVs with simple XORNext[TR] Centreon 19.10.8 Remote Code Execution

Last updated