Microsoft
Bruteforcing Windows Defender Exclusions
Join me for the SOC Analyst Appreciation Day! A completely FREE event on October 16th by DEVO!
I swear I'll unsubscribe if I get an ad during the ad again
How long did it take you to know/remember all these Windows commands?
Seems a bit pointless if all these are logged (as you said) to Event Viewer. Running a PowerShell command to pull that Event ID with some filtering is likely more stealthy (and accurate) than just generating a process over and over.
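Added example (not the video's or the commenter's code) of the log-based approach the comment above suggests: instead of probing paths one by one, read the Defender operational log for Event ID 5007 ("configuration has changed") and pull out the entries whose Old/New value lines reference the Exclusions registry keys. Assumptions: the message text follows the usual "Old value: / New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\<Kind>\<item> = 0x..." layout, the current user can read that log, and the log has not rolled over since the exclusion was set. The function name Get-DefenderExclusionChanges is made up for this example.

```powershell
# Added example: list Windows Defender exclusion additions/removals recorded as
# Event ID 5007 in the Defender operational log. Assumed message layout:
#   Old value:
#   New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools = 0x0
# An addition has the path only in "New value", a removal only in "Old value".

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# One regex per message line; named groups give us which side changed, the
# exclusion kind (Paths / Extensions / Processes) and the excluded item.
$ExclusionLine = '^\s*(?<which>Old|New) value:\s*' +
                 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\' +
                 '(?<kind>Paths|Extensions|Processes)\\(?<item>.+?)\s*=\s*0x'

function Get-DefenderExclusionChanges {
    # Get-WinEvent writes a non-terminating error when nothing matches; treat
    # "no 5007 events" as an empty result rather than a failure.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 5007 } `
                           -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # 5007 fires for many settings changes; only keep exclusion lines.
        foreach ($line in ($evt.Message -split "`r?`n")) {
            if ($line -match $ExclusionLine) {
                [pscustomobject]@{
                    Time   = $evt.TimeCreated
                    Action = if ($Matches.which -eq 'New') { 'added' } else { 'removed' }
                    Kind   = $Matches.kind
                    Item   = $Matches.item
                }
            }
        }
    }
}

# Usage: print the exclusion history in chronological order.
Get-DefenderExclusionChanges | Sort-Object Time | Format-Table -AutoSize
```

Caveat a practitioner should keep in mind: this only tells you what the log still holds. If the operational log has wrapped, or the exclusion was set by policy before logging was in place, the brute-force probe in the video is what remains, and the two approaches complement each other rather than replace one another.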
"The exclusions do not bypass security mechanisms; they simply exclude the specified items from static scanning."
That was amazing!!
Someone is definitely going to try to exploit this, but I doubt it'll do damage; it'll probably be patched in a few hours.
16:12 wow, what a good tip, thanks. So I guess we just won't use any ERP or SQL software…. In a perfect world you are correct, but this is why ops don't like sec people…
Can you do a tutorial on how to make a Windows 11 virtual machine? I know how to make one, but it's always having issues and yours look good.
Ty
Good John❤
You are a PowerShell / cmd mega chad; you look like a guy who codes on Linux only with a keyboard, but for Windows.
Guys, I need help… My laptop fell and got destroyed, no money to get a new one… please help me 😪
5:00
Hey John, here is another way to do it. Use this in CMD: powershell -EP Bypass "$e=@(gci 'C:\' -dir -r -ea 0|select -exp FullName);$b=@();foreach($p in $e){$b+=$p;if($b.Count -eq 200 -or $p -eq $e[-1]){$r=& 'C:\Program Files\Windows Defender\MpCmdRun.exe' -Scan -ScanType 3 -File ($b -join '|') 2>&1;$b|?{$r -match [regex]::Escape($_)}|%{write-host ('Exclusion:'+$_)};$b=@()}}"
Love what you do, brother! It's a lot faster, and you can make it review files & folders. Just adjust as needed. No elevation required.. 🎉
Please more blue team (defender) Videos…
👀💪
why are we bruteforcing windows defender exclusions?
Always great content. Taking this further, using a tool like binfinder from kudaes we can also find processes that are internally excluded by an EDR.
Like SYSTEM-level svchost processes and CrowdStrike 😉
You are my best friend John 🧡🙏🤘🙌👌I appreciate that!!!
It's an executable, it has to be calling some set of system calls to get this information (especially if PowerShell has embedded access). I imagine we can create something with a lot less overhead than rerunning MpCmdRun each time.
Pretty sure you could do what their code does with LoL using for-in batch syntax and/or dir /S with some pipes and a find to only return output where things are skipped. I leave that as an exercise for the reader – but I think that would be better than relying on custom code that has to be a file instead of executed in memory with all LoL code.
👍
easy anti cheat has some human readable strings that might be interesting
Thanks John. I like the more technical angle of your videos and not simplifying too much, helps a lot for those of us in the grey zone.
You don't even need Administrator level; fodhelper.exe can run a PowerShell script with high priv and add an exclusion to the C: drive. Game over 🤐
This is why I am in favor of excluding on-access scans, while leaving on-demand/scheduled ones not excluded. X>.>X
Pretty sure that you'd not get that feedback if it could properly be set up like that. (I've got Bitdefender set up to exclude on-access scanning for several key folders so it doesn't slice my face off when I run IDEs for some projects, but leave on-demand intact because I don't code in a style that would trip the stuff. I just hate the performance hit.)
12:40 task failed successfully? I guess…
You can open elevated Powershell window from non-elevated Terminal just by clicking the drop-down menu next to the plus-sign on the tab row and Ctrl+clicking the "Powershell" option.
I just tested this and it does indeed work, and MDE does not flag anything up. That is not good. Is there a CVE for this?
Can someone explain how this can be useful? I'm a new student in this field.
That's a nice trick
Please please please, for the love of all that's holy, stop doing the shitty stupid thumbnail faces. You're a big stable channel, with strong content and a very good viewer base; you don't have to do what others do. You don't have to "play for the algorithm". Just please, stop that…
A good informative thumbnail with a good informative title is very much ENOUGH!
Greetings from Africa
How many Sigma rules do you need to write to cover off all conditions not detected by a typical EDR 😕
This is where I hope threat hunting query libraries can continue to improve in vendor products, e.g. "run all hunting queries" and get a human and/or robot to look at the results.
neat!
Great vid🔥
Nice! ❤
🙏💯