Defender Module for PowerShell

PS C:\> Get-Command -Module Defender

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Add-MpPreference                                   1.0        Defender
Function        Get-MpComputerStatus                               1.0        Defender
Function        Get-MpPreference                                   1.0        Defender
Function        Get-MpThreat                                       1.0        Defender
Function        Get-MpThreatCatalog                                1.0        Defender
Function        Get-MpThreatDetection                              1.0        Defender
Function        Remove-MpPreference                                1.0        Defender
Function        Remove-MpThreat                                    1.0        Defender
Function        Set-MpPreference                                   1.0        Defender
Function        Start-MpScan                                       1.0        Defender
Function        Start-MpWDOScan                                    1.0        Defender
Function        Update-MpSignature                                 1.0        Defender

Status:

PS C:\> Get-MpComputerStatus

<SNIP>
AntivirusSignatureLastUpdated    : 4/8/2024 3:02:58 PM
<SNIP>
IsTamperProtected                : False
IsVirtualMachine                 : True
<SNIP>
RealTimeProtectionEnabled        : True

Get-MpThreat can be used to view the history of threats detected on the computer.

PS C:\> Get-MpThreat

CategoryID       : 6
DidThreatExecute : False
IsActive         : False
Resources        :
RollupStatus     : 1
SchemaVersion    : 1.0.0.0
SeverityID       : 5
ThreatID         : 2147894794
ThreatName       : Backdoor:Win64/CobaltStrike!pz
TypeID           : 0
PSComputerName   :

<SNIP>

Get-MpThreatDetection allows users to view the threat detection history on a computer. The ThreatID can be specified as an additional parameter to show only the detections for that threat.

PS C:\> Get-MpThreatDetection -ThreatID 2147894794

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24020.7
CleaningActionID               : 2
CurrentThreatExecutionStatusID : 1
DetectionID                    : {BD0541EE-FDE0-4001-9BEF-13CEA41FC7DE}
DetectionSourceTypeID          : 3
DomainUser                     : WIN-I092S2V54F8\Administrator
InitialDetectionTime           : 4/9/2024 9:38:39 AM
LastThreatStatusChangeTime     : 4/9/2024 9:38:55 AM
ProcessName                    : C:\Windows\explorer.exe
RemediationTime                : 4/9/2024 9:38:55 AM
Resources                      : {file:_C:\artifact_x64.exe}
ThreatID                       : 2147894794
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 3
PSComputerName                 :
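As an added example (not from the original page, and not part of the Defender module itself), the following script combines the three read-only cmdlets shown above into one health check and detection triage: Get-MpComputerStatus supplies the configuration findings, and Get-MpThreat is joined to Get-MpThreatDetection by ThreatID so each detection event is listed together with its threat name, severity and whether it ran before being caught. It assumes the built-in Defender module on a Windows host and an elevated session; the $MaxSignatureAgeDays threshold is a constructed value, not a Defender setting.

```powershell
# Added example: read-only Defender health check and detection triage.
# Assumes the built-in Defender module; run from an elevated PowerShell session.
# $MaxSignatureAgeDays is a constructed threshold for this example.
param(
    [int]$MaxSignatureAgeDays = 3
)

Import-Module Defender -ErrorAction Stop

$status = Get-MpComputerStatus

# Configuration health: every item that weakens protection becomes a finding.
$findings = @()
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
if (-not $status.IsTamperProtected)         { $findings += 'Tamper protection is off (preferences can be changed locally)' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behavior monitoring is disabled' }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old (last updated $($status.AntivirusSignatureLastUpdated))"
}

"=== Defender health on $env:COMPUTERNAME ==="
if ($findings.Count -eq 0) { 'No configuration findings' } else { $findings | ForEach-Object { "FINDING: $_" } }

# Detection triage: index threat metadata by ThreatID, then walk each detection
# event so the report shows name and severity next to who, what and where.
$threatsById = @{}
foreach ($t in Get-MpThreat) { $threatsById[[string]$t.ThreatID] = $t }

$report = Get-MpThreatDetection | ForEach-Object {
    $t = $threatsById[[string]$_.ThreatID]
    $name     = if ($t) { $t.ThreatName } else { "unknown (ThreatID $($_.ThreatID))" }
    $severity = if ($t) { $t.SeverityID } else { $null }
    $executed = if ($t) { $t.DidThreatExecute } else { $null }
    [pscustomobject]@{
        Detected   = $_.InitialDetectionTime
        ThreatName = $name
        SeverityID = $severity
        Executed   = $executed
        User       = $_.DomainUser
        Process    = $_.ProcessName
        Resources  = ($_.Resources -join '; ')
        Remediated = $_.ActionSuccess
        StatusID   = $_.ThreatStatusID
    }
} | Sort-Object Detected -Descending

"`n=== Detection history (newest first) ==="
$report | Format-Table -AutoSize

# Anything that executed before detection, or whose remediation failed, needs a closer look.
$needsFollowUp = $report | Where-Object { $_.Executed -eq $true -or $_.Remediated -ne $true }
if ($needsFollowUp) {
    "`n=== Needs follow-up ==="
    $needsFollowUp | Format-List
}
```

Save it as a .ps1 and run it elevated; on the sample output above it would report "Tamper protection is off" as a finding and list the Backdoor:Win64/CobaltStrike!pz detection with its user, process and file resource. Threats with no matching Get-MpThreat entry are kept in the table rather than dropped, so a detection never disappears from the report just because its catalogue record is missing.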

Get-MpPreference and Set-MpPreference may be used to view and configure Defender settings, for example to enable or disable real-time protection to avoid files getting deleted:

PS C:\> Set-MpPreference -DisableRealTimeMonitoring $true
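Because a single Set-MpPreference call like the one above is enough to switch real-time monitoring off, the setting is worth auditing rather than assuming. The following script is an added example (not from the original page) that compares the Get-MpPreference values most often tampered with against a constructed baseline, lists the configured exclusions for review, and with the -Remediate switch re-applies only the drifted settings through Set-MpPreference. It assumes the built-in Defender module and an elevated session; the $Baseline table is an assumption for this example.

```powershell
# Added example: audit key Defender preferences against a baseline and
# optionally restore them. Assumes the built-in Defender module; run elevated.
# $Baseline is a constructed expectation, not something Defender ships.
param(
    [switch]$Remediate
)

Import-Module Defender -ErrorAction Stop

# Each key is a Get-MpPreference property name (also a Set-MpPreference
# parameter name) and the value it should have on a protected host.
$Baseline = [ordered]@{
    DisableRealtimeMonitoring = $false
    DisableBehaviorMonitoring = $false
    DisableIOAVProtection     = $false
    DisableScriptScanning     = $false
}

$pref = Get-MpPreference

# Collect one record per setting whose live value differs from the baseline.
$drift = foreach ($name in $Baseline.Keys) {
    $actual = $pref.$name
    if ($actual -ne $Baseline[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $Baseline[$name]; Actual = $actual }
    }
}

"=== Preference drift on $env:COMPUTERNAME ==="
if (-not $drift) { 'All audited settings match the baseline' } else { $drift | Format-Table -AutoSize }

# Exclusions are listed, not reset: every excluded path, process or extension
# is a scanning gap that deserves a human decision.
"`n=== Exclusions ==="
[pscustomobject]@{
    Paths      = ($pref.ExclusionPath      -join '; ')
    Processes  = ($pref.ExclusionProcess   -join '; ')
    Extensions = ($pref.ExclusionExtension -join '; ')
} | Format-List

if ($Remediate -and $drift) {
    # Splat only the drifted settings so the change stays minimal and auditable.
    $params = @{}
    foreach ($d in $drift) { $params[$d.Setting] = $d.Expected }
    Set-MpPreference @params
    "Re-applied: $($params.Keys -join ', ')"
}
```

Run it without arguments for a report only, or with -Remediate to restore the baseline. If Tamper Protection is enabled (IsTamperProtected in Get-MpComputerStatus), the Set-MpPreference call is blocked for these settings by design, which is the intended state; drift that is visible while tamper protection is off is the signal to act on.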

Interesting Books


  • Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.
