Search: [defender] - Shared Bookmarks

Links per page: 20 50 100

3 results tagged defender x

Abusing Exclusions To Evade Detection | Dazzy Ddos

function Get-DefenderExclusions {
    param (
        [string]$logName = "Microsoft-Windows-Windows Defender/Operational",
        [int]$eventID = 5007,
        [switch]$Path,
        [switch]$Process,
        [switch]$Extension
    )

    if (-not ($Path -or $Process -or $Extension)) {
        Write-Host "Please specify at least one type of exclusion to filter: -Path, -Process, -Extension."
        return
    }

    # Get all event logs with the specified Event ID
    $events = Get-WinEvent -LogName $logName -FilterXPath "*[System[(EventID=$eventID)]]" -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "No events found with Event ID $eventID in the $logName log."
        return
    }

    # Define the regex patterns for exclusion paths, extensions, and processes
    $patterns = @{
        Path = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\([^`"]+)"
        Extension = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\([^`"]+)"
        Process = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\([^`"]+)"
    }

    # Function to parse and return unique exclusions
    function Get-UniqueExclusions {
        param (
            [string]$pattern,
            [string]$exclusionType
        )

        $uniqueExclusions = @{}
        foreach ($event in $events) {
            $message = $event.Message
            if ($message -match $pattern) {
                $exclusionDetail = $matches[1] -replace ' = 0x0.*$', '' -replace 'New value:', '' -replace '^\s+|\s+$', ''
                if (-not $uniqueExclusions.ContainsKey($exclusionDetail) -or $event.TimeCreated -gt $uniqueExclusions[$exclusionDetail]) {
                    $uniqueExclusions[$exclusionDetail] = $event.TimeCreated
                }
            }
        }
        return $uniqueExclusions.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
            [PSCustomObject]@{
                ExclusionDetail = $_.Key
                TimeCreated = $_.Value
            }
        }
    }

    # Extract and display exclusions based on the provided arguments
    if ($Path) {
        Write-Host "Path Exclusions:"
        Get-UniqueExclusions -pattern $patterns.Path -exclusionType 'Path' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
    }
    if ($Process) {
        Write-Host "Process Exclusions:"
        Get-UniqueExclusions -pattern $patterns.Process -exclusionType 'Process' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
    }
    if ($Extension) {
        Write-Host "Extension Exclusions:"
        Get-UniqueExclusions -pattern $patterns.Extension -exclusionType 'Extension' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
    }
}

# Example usage:
# Get-DefenderExclusions -Path -Process -Extension
# Get-DefenderExclusions -Process

August 12, 2025 at 12:45:27 PM UTC * - permalink -

- https://dazzyddos.github.io/posts/Abusing_Exclusions_To_Evade_Detection/

powershell defender evasion evade

Cobalt Strike, a Defender's Guide
November 3, 2021 at 10:19:59 AM UTC - permalink -

- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/

cobalt strike cs defenser guide defender
matterpreter/DefenderCheck: Identifies the bytes that Microsoft Defender flags on.
July 24, 2020 at 8:11:18 AM UTC - permalink -

- https://github.com/matterpreter/DefenderCheck

windows defender evasion flag signature payload

Links per page: 20 50 100