Bruteforcing Windows Defender Exclusions

  • Published 11 Oct 2024
  • jh.live/soc || Join me for the SOC Analyst Appreciation Day! A completely FREE event on October 16th by DEVO! jh.live/soc
    Article: blog.fndsec.ne...
    Learn Cybersecurity with Just Hacking Training: justhacking.com
    Learn Coding: jh.live/codecr...
    Don't listen to other "influencer" VPN crap -- host YOUR OWN: jh.live/openvpn
    WATCH MORE:
    Dark Web & Cybercrime Investigations: • Tracking Cybercrime on...
    Malware & Hacker Tradecraft: • Malware Analysis & Thr...
    📧JOIN MY NEWSLETTER ➡ jh.live/email
    🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
    🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
    🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
    💥 SEND ME MALWARE ➡ jh.live/malware
    🔥TH-cam ALGORITHM ➡ Like, Comment, & Subscribe!

Comments • 42

  • @RhizGh037
    @RhizGh037 1 day ago +16

    Thanks John. I like the more technical angle of your videos and not simplifying too much, helps a lot for those of us in the grey zone.

  • @infinitivez
    @infinitivez 1 day ago +7

    It's an executable, it has to be calling some set of system calls to get this information (especially if PowerShell has embedded access). I imagine we can create something with a lot less overhead than rerunning the MpCmdRun each time.

  • @VectirR6
    @VectirR6 1 day ago +1

    You are a PowerShell / cmd mega chad, looks like a guy who codes on Linux only with a keyboard, but for Windows.

  • @borgheses
    @borgheses 1 day ago +4

    Easy Anti-Cheat has some human-readable strings that might be interesting.

  • @andljoy
    @andljoy 1 day ago +3

    I just tested this and it does indeed work, and MDE does not flag anything up. That is not good. Is there a CVE for this?

  • @HorstSchlaemmer00
    @HorstSchlaemmer00 1 day ago +2

    Please more blue team (defender) Videos...

  • @karim3741
    @karim3741 1 day ago +1

    Always great content. Taking this further, using a tool like binfinder from kudaes we can also find processes that are internally excluded by an EDR,
    like SYSTEM-level svchost processes and CrowdStrike 😉

  • @Toast_d3u
    @Toast_d3u 1 day ago

    Ty

  • @raimomanninen9579
    @raimomanninen9579 1 day ago +9

    You can open an elevated PowerShell window from a non-elevated Terminal just by clicking the drop-down menu next to the plus sign on the tab row and Ctrl+clicking the "PowerShell" option.

    • @madmackenzie3459
      @madmackenzie3459 1 day ago +3

      I still needed admin privileges to do this (Win11).

    • @fatedsky6700
      @fatedsky6700 1 day ago +4

      It might not show a UAC prompt on your end, but admin is still required; this is not a UAC bypass.

    • @raimomanninen9579
      @raimomanninen9579 1 day ago +6

      @@fatedsky6700 I wasn't saying this was a UAC bypass, just an alternate method to open an elevated PowerShell window instead of closing the original Terminal window and then opening the elevated one from the Start menu like shown in the video.

    • @fatedsky6700
      @fatedsky6700 1 day ago +4

      @@raimomanninen9579 Oh alright, thanks for the clarification.

    • @someoneunknown6894
      @someoneunknown6894 1 day ago +1

      I've heard there's also `sudo` now on Windows 11.

  • @KLEOPATTRAA999
    @KLEOPATTRAA999 1 day ago

    You are my best friend John 🧡🙏🤘🙌👌I appreciate that!!!

  • @ulixir
    @ulixir 9 hours ago

    Someone is definitely going to try to exploit this, but I doubt it'll do damage; it'll probably be patched in a few hours.

  • @젤리의일상
    @젤리의일상 1 day ago

    Good John❤

  • @simple-security
    @simple-security 1 day ago +1

    How many Sigma rules do you need to write to cover off all conditions not detected by a typical EDR? 😕
    This is where I hope threat hunting query libraries can continue to improve in vendor products, e.g. "run all hunting queries" and get a human and/or robot to look at it.

  • @DePhoegonIsle
    @DePhoegonIsle 1 day ago

    This is why I am in favor of excluding on-access scans, while leaving on-demand/scheduled ones not excluded. X>.>X
    Pretty sure that you'd not get that feedback if it could properly be set up like that. (I've got Bitdefender set up to exclude on-access for several key folders so it doesn't slice my face off when I run IDEs for some projects, but leave on-demand intact, because I don't code in the style that would trip the stuff. I just hate the performance hit.)

  • @GodDamnitTwitch
    @GodDamnitTwitch 1 day ago +1

    12:40 task failed successfully? I guess...

  • @760a
    @760a 1 day ago

    Can you do a tutorial on how to make a Windows 11 virtual machine? I know how to make one, but it's always having issues and yours looks good.

  • @hilik3186
    @hilik3186 1 day ago +1

    5:00

  • @ipb4isleep
    @ipb4isleep 1 day ago

    Why are we bruteforcing Windows Defender exclusions?

    • @InfinityYo
      @InfinityYo 1 day ago +3

      As said, you would like to load your somewhat malicious files there.

  • @FelipeWlodkowski
    @FelipeWlodkowski 1 day ago +2

    Can someone explain how this can be useful? I'm a new student in this field.

    • @sutsuj6437
      @sutsuj6437 1 day ago +7

      Once the malware knows what directories are excluded it could just copy itself to that directory and avoid any anti-virus detection.

    • @oshito
      @oshito 1 day ago +2

      This is useful to avoid anti-virus detection when you are executing the main malware from the loader/dropper.
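The enumeration the video title and the replies above describe, written out as an added example (this is not the video's script, the fndsec article's tooling, or anything posted in the thread): a PowerShell loop that asks MpCmdRun.exe to run a custom scan of each candidate path and treats a "was skipped" result as evidence that the path is excluded. Assumptions, labelled in the code: the location of MpCmdRun.exe, the exact wording of the skip message, and the constructed candidate list.

```powershell
# Added example: infer Defender path exclusions from MpCmdRun output.
# ASSUMPTIONS (not from the page): MpCmdRun.exe lives in the usual Platform
# folder (or the Windows Defender program folder on older builds), and a custom
# scan (-ScanType 3) of an excluded path prints a line containing "was skipped"
# instead of scanning it. Standard users can normally launch MpCmdRun scans,
# which is why this needs no access to the exclusion registry keys.

$MpCmdRun = Get-ChildItem 'C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $MpCmdRun) { $MpCmdRun = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" }

function Test-DefenderExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # One MpCmdRun process per candidate; capture stdout and stderr together.
    $output = & $MpCmdRun -Scan -ScanType 3 -File $Path 2>&1 | Out-String
    [pscustomobject]@{
        Path     = $Path
        Excluded = [bool]($output -match 'was skipped')   # assumed skip wording
        Raw      = $output.Trim()
    }
}

# Constructed candidate list: folders admins commonly exclude to avoid scan slowdowns.
$Candidates = @(
    "$env:USERPROFILE\source\repos",
    "$env:USERPROFILE\Documents\GitHub",
    "$env:USERPROFILE\go",
    "$env:USERPROFILE\.cargo",
    'C:\Tools',
    'C:\Dev',
    'C:\Temp',
    'C:\inetpub\wwwroot',
    'C:\Program Files\Docker'
)

$Results = foreach ($c in $Candidates) { Test-DefenderExclusion -Path $c }
$Results | Where-Object Excluded | Select-Object Path
```

From the defender's side, every iteration is a separate process creation of MpCmdRun.exe with `-Scan -ScanType 3 -File <path>` on its command line, so Sysmon event 1 or Security event 4688 with command-line auditing enabled records the whole burst; a hunt for many MpCmdRun custom scans spawned by the same parent within a short window will surface this loop even though no file was ever flagged.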

  • @joelanzo
    @joelanzo 1 day ago

    Greetings from Africa

  • @llllleonllllyt1566
    @llllleonllllyt1566 1 day ago

    Great vid🔥

  • @MrNyto_
    @MrNyto_ 1 day ago

    neat!

  • @darkdagger032
    @darkdagger032 1 day ago

    That's a nice trick

  • @THRE3KINGZStudios3kz
    @THRE3KINGZStudios3kz 1 day ago

    Nice! ❤

  • @MohammedAli-rn5dp
    @MohammedAli-rn5dp 1 day ago

    👀💪

  • @carsonjamesiv2512
    @carsonjamesiv2512 1 day ago

    👍

  • @Hartley94
    @Hartley94 1 day ago

    🙏💯

  • @inadad8878
    @inadad8878 1 day ago

    First

  • @codingwithebooks
    @codingwithebooks 1 day ago

    Guys, I need help... My laptop fell and got destroyed, no money to get a new one... please help me 😪