15 results tagged evasion
  • Abusing Exclusions To Evade Detection | Dazzy Ddos
    # Recover Microsoft Defender exclusions from the Defender operational log.
    # Event ID 5007 ("antimalware platform configuration changed") records each
    # exclusion that was added, so the log is a useful audit source even when the
    # current exclusion list itself is hidden from non-admin users.
    function Get-DefenderExclusions {
        param (
            [string]$logName = "Microsoft-Windows-Windows Defender/Operational",
            [int]$eventID = 5007,
            [switch]$Path,
            [switch]$Process,
            [switch]$Extension
        )
    
        if (-not ($Path -or $Process -or $Extension)) {
            Write-Host "Please specify at least one type of exclusion to filter: -Path, -Process, -Extension."
            return
        }
    
        # Get all events with the specified Event ID
        $events = Get-WinEvent -LogName $logName -FilterXPath "*[System[(EventID=$eventID)]]" -ErrorAction SilentlyContinue
    
        if (-not $events) {
            Write-Host "No events found with Event ID $eventID in the $logName log."
            return
        }
    
        # Regex patterns for the registry values that hold path, extension and process exclusions.
        # PowerShell does not treat backslash as an escape in double-quoted strings, so "\\" reaches the regex engine as-is.
        $patterns = @{
            Path = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\([^`"]+)"
            Extension = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\([^`"]+)"
            Process = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\([^`"]+)"
        }
    
        # Parse the event messages and return each unique exclusion with the time it was last seen.
        # $events is visible here through PowerShell's dynamic scoping of the enclosing function.
        function Get-UniqueExclusions {
            param (
                [string]$pattern
            )
    
            $uniqueExclusions = @{}
            foreach ($event in $events) {
                $message = $event.Message
                if ($message -match $pattern) {
                    # Strip the trailing "= 0x0..." value data, the "New value:" label and surrounding whitespace
                    $exclusionDetail = $matches[1] -replace ' = 0x0.*$', '' -replace 'New value:', '' -replace '^\s+|\s+$', ''
                    if (-not $uniqueExclusions.ContainsKey($exclusionDetail) -or $event.TimeCreated -gt $uniqueExclusions[$exclusionDetail]) {
                        $uniqueExclusions[$exclusionDetail] = $event.TimeCreated
                    }
                }
            }
            return $uniqueExclusions.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
                [PSCustomObject]@{
                    ExclusionDetail = $_.Key
                    TimeCreated = $_.Value
                }
            }
        }
    
        # Extract and display exclusions based on the provided switches
        if ($Path) {
            Write-Host "Path Exclusions:"
            Get-UniqueExclusions -pattern $patterns.Path | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
        }
        if ($Process) {
            Write-Host "Process Exclusions:"
            Get-UniqueExclusions -pattern $patterns.Process | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
        }
        if ($Extension) {
            Write-Host "Extension Exclusions:"
            Get-UniqueExclusions -pattern $patterns.Extension | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
        }
    }
    
    # Example usage:
    # Get-DefenderExclusions -Path -Process -Extension
    # Get-DefenderExclusions -Process
    August 12, 2025 at 12:45:27 PM UTC
    https://dazzyddos.github.io/posts/Abusing_Exclusions_To_Evade_Detection/
    powershell defender evasion evade
  • med0x2e/SigFlip: SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys, etc.) without invalidating or breaking the existing signature.
    October 26, 2022 at 3:09:17 PM UTC
    https://github.com/med0x2e/SigFlip
    av signature evasion edr
  • Antivirus evasion by user mode unhooking on Windows 10 - report.pdf
    February 7, 2022 at 9:18:11 PM UTC
    https://cdn.discordapp.com/attachments/633989923459956776/940267352157741076/report.pdf
    av evasion bypass unhooking
  • Evasion techniques
    October 18, 2021 at 10:46:32 AM UTC
    https://evasions.checkpoint.com/
    evasion checkpoint bypass
  • Introducing Process Hiving & RunPE - Nettitude Labs
    September 6, 2021 at 9:44:43 AM UTC
    https://labs.nettitude.com/blog/introducing-process-hiving-runpe/
    process hiving edr evasion bypass
  • Blinding EDR On Windows - Red Team Blog
    September 6, 2021 at 9:44:26 AM UTC
    https://synzack.github.io/Blinding-EDR-On-Windows/
    edr evasion bypass windows
  • Defense Evasion Series Part 1 AMSI Bypass | Dazzy Ddos
    September 6, 2021 at 9:44:06 AM UTC
    https://dazzyddos.github.io/posts/AMSI-Bypass/
    evasion defense amsi bypass windows
  • moohax/Proof-Pudding: Copy cat model for Proofpoint
    November 24, 2020 at 11:27:06 AM UTC
    https://github.com/moohax/Proof-Pudding
    proofpoint evasion av bypass proof phishing email
  • Process Herpaderping | herpaderping
    October 28, 2020 at 4:10:40 PM UTC
    https://jxy-s.github.io/herpaderping/
    bypass signature kernel process herpaderping windows evasion edr av
  • matterpreter/DefenderCheck: Identifies the bytes that Microsoft Defender flags on.
    July 24, 2020 at 8:11:18 AM UTC
    https://github.com/matterpreter/DefenderCheck
    windows defender evasion flag signature payload
  • batman / DarkArmour · GitLab
    May 29, 2020 at 8:38:01 AM UTC
    https://git.dylan.codes/batman/darkarmour
    bypass av evasion darkarmour inmemory
  • Bypassing AV via in-memory PE execution
    May 29, 2020 at 8:37:37 AM UTC
    https://blog.dylan.codes/bypassing-av-via/
    bypass av evasion darkarmour
  • Embedding EXE files into PowerShell scripts
    May 25, 2020 at 8:24:03 PM UTC
    https://truesecdev.wordpress.com/2016/03/15/embedding-exe-files-into-powershell-scripts/
    powershell obfuscation binary av bypass evasion
  • GitHub - Mr-Un1k0d3r/DKMC: DKMC - Don't kill my cat - Malicious payload evasion tool
    April 15, 2020 at 2:40:14 PM UTC
    https://github.com/Mr-Un1k0d3r/DKMC
    payload evasion payloads tool macro phishing obfuscation
  • How to evade Web Application Firewall and IPS using NMAP | Fzuckerman©
    February 5, 2019 at 2:50:50 PM UTC
    https://fzuckerman.wordpress.com/2016/10/03/how-to-evade-web-application-firewall-and-ips-using-nmap/
    nmap evasion ids ips waf hacking pentest
Shaarli - The personal, minimalist, super fast, database-free, bookmarking service by the Shaarli community