Defender Module for PowerShell
PS C:\> Get-Command -Module Defender
CommandType Name Version Source
----------- ---- ------- ------
Function Add-MpPreference 1.0 Defender
Function Get-MpComputerStatus 1.0 Defender
Function Get-MpPreference 1.0 Defender
Function Get-MpThreat 1.0 Defender
Function Get-MpThreatCatalog 1.0 Defender
Function Get-MpThreatDetection 1.0 Defender
Function Remove-MpPreference 1.0 Defender
Function Remove-MpThreat 1.0 Defender
Function Set-MpPreference 1.0 Defender
Function Start-MpScan 1.0 Defender
Function Start-MpWDOScan 1.0 Defender
Function Update-MpSignature 1.0 Defender
Status:
PS C:\> Get-MpComputerStatus
<SNIP>
AntivirusSignatureLastUpdated : 4/8/2024 3:02:58 PM
<SNIP>
IsTamperProtected : False
IsVirtualMachine : True
<SNIP>
RealTimeProtectionEnabled : True
Get-MpThreat can be used to view the history of threats detected on the computer
PS C:\> Get-MpThreat
CategoryID : 6
DidThreatExecute : False
IsActive : False
Resources :
RollupStatus : 1
SchemaVersion : 1.0.0.0
SeverityID : 5
ThreatID : 2147894794
ThreatName : Backdoor:Win64/CobaltStrike!pz
TypeID : 0
PSComputerName :
<SNIP>
Get-MpThreatDetection: allows users to view the threat detection history on a computer. We could specify the ThreatID
as an additonal parameter
PS C:\> Get-MpThreatDetection -ThreatID 2147894794
ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24020.7
CleaningActionID : 2
CurrentThreatExecutionStatusID : 1
DetectionID : {BD0541EE-FDE0-4001-9BEF-13CEA41FC7DE}
DetectionSourceTypeID : 3
DomainUser : WIN-I092S2V54F8\Administrator
InitialDetectionTime : 4/9/2024 9:38:39 AM
LastThreatStatusChangeTime : 4/9/2024 9:38:55 AM
ProcessName : C:\Windows\explorer.exe
RemediationTime : 4/9/2024 9:38:55 AM
Resources : {file:_C:\artifact_x64.exe}
ThreatID : 2147894794
ThreatStatusErrorCode : 0
ThreatStatusID : 3
PSComputerName
Get-MpPreference and Set-MpPreference may be used to configure Defender
- enable/disable real-time protection
to avoid files getting deleted
PS C:\> Set-MpPreference -DisableRealTimeMonitoring $true
Interesting Books
Interesting BooksEvading EDR: The Definitive Guide to Defeating Endpoint Detection Systems The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.
Last updated