Bypassing Defender with Exclusion List

Objective

Add your malware to Defender's exclusion list so it will not be scanned in the future.

Requirements

This action requires administrator privileges, and you need to be able to run PowerShell.

Idea

Gain physical access to the computer and/or send a dropper that can elevate its privileges and then drop the real malware.

Scenario / Action

  • Send a dropper via spear phishing.

  • Elevate privileges via UAC bypass or other exploits.

  • Create a folder on the victim's computer.

  • Add the created folder to Windows Defender's exclusion list.

  • Drop the real malware into the created folder.

  • Execute the malware.

PowerShell Command

  Add-MpPreference -ExclusionPath "Path of folder or file"

Windows Defender's exclusion list
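On the defensive side this is a noisy action: Microsoft Defender records every configuration change, including a newly added exclusion, as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the message names the new registry value under the Exclusions key. The detection logic below is an added example, not part of this page; the events it scans are constructed to follow the shape of that message, and the approved-exclusion baseline is an assumption.

```python
import re

# Constructed sample events from the Microsoft-Windows-Windows Defender/Operational log.
# The text follows the shape of a real Event ID 5007 message; paths and times are made up.
SAMPLE_EVENTS = [
    {"EventID": 5007, "TimeCreated": "2024-03-01T09:12:00Z",
     "Message": ("Microsoft Defender Antivirus Configuration has changed.\r\n\tOld value: \r\n"
                 "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                 "C:\\Users\\Public\\stage = 0x0")},
    {"EventID": 5007, "TimeCreated": "2024-03-01T09:12:30Z",
     "Message": ("Microsoft Defender Antivirus Configuration has changed.\r\n\tOld value: \r\n"
                 "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                 "D:\\SQLData = 0x0")},
    {"EventID": 5007, "TimeCreated": "2024-03-01T09:13:00Z",
     "Message": ("Microsoft Defender Antivirus Configuration has changed.\r\n\tOld value: \r\n"
                 "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\"
                 ".ps1 = 0x0")},
]

# Exclusions the organisation deliberately configured (assumed baseline; replace with your own).
APPROVED_EXCLUSIONS = {("Paths", r"D:\SQLData")}

# Matches the "New value" line of a 5007 event that creates a path, extension or process exclusion.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x",
    re.IGNORECASE,
)

def parse_exclusion(event):
    """Return (kind, value) if the event records a newly added exclusion, else None."""
    if event.get("EventID") != 5007:
        return None
    m = EXCLUSION_RE.search(event.get("Message", ""))
    return (m.group("kind"), m.group("value")) if m else None

def find_unapproved_exclusions(events, approved=APPROVED_EXCLUSIONS):
    """Return [(time, kind, value)] for added exclusions not on the approved list, in log order."""
    approved_norm = {(k.lower(), v.lower()) for k, v in approved}  # Windows paths are case-insensitive
    hits = []
    for ev in events:
        parsed = parse_exclusion(ev)
        if parsed and (parsed[0].lower(), parsed[1].lower()) not in approved_norm:
            hits.append((ev["TimeCreated"], parsed[0], parsed[1]))
    return hits

if __name__ == "__main__":
    for when, kind, value in find_unapproved_exclusions(SAMPLE_EVENTS):
        print(f"{when} unapproved Defender {kind} exclusion added: {value}")
```

The same baseline can be checked against the live state with Get-MpPreference (its ExclusionPath, ExclusionExtension and ExclusionProcess properties), so that exclusions added while logging was unavailable are still caught.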
