Find Folder Exclusions

Folder Exclusion - Bypass AV

Peeking Behind the Curtain: Finding Defender’s ExclusionsSecurity Friends' Research Blog

"C:\Program Files\Windows Defender\MpCmdRun.exe -Scan -ScanType 3 -File "C:\pathe\to\folder\*""

& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\path\to\folder\|*"

Tool designed to find folder exclusions

GitHub - Friends-Security/SharpExclusionFinder: Tool designed to find folder exclusions using Windows Defender using command line utility MpCmdRun.exe as a low privileged user, without relying on event logsGitHub

In powershell

$logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007

$events = Get-WinEvent -LogName $logName | Where-Object { $_.Id -eq $eventID }

$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }

$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"

$exclusionEvents | ForEach-Object {
    if ($_.Message -match $pattern) {
        $matches[0]
    }
}

Ref: https://x.com/miltinh0c/status/1844374550873768434?t=LtuDBOsnwRGKQ1oLH__0Dw&s=03

ScriptHostTest

notes/utilities/ScriptHostTest at master · MHaggis/notesGitHub

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.

PreviousBypass AV Payload / Shells NextResources

Last updated 1 month ago