maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'update_Break_The_Protective_Shell_Of_Windows_Defender_Wit_20250918_123628' of github.com:HackTricks-wiki/hacktricks into update_Break_The_Protective_Shell_Of_Windows_Defender_Wit_20250918_123628

Browse Source
This commit is contained in:
carlospolop 2025-09-29 14:58:15 +02:00
commit e606e46159
1 changed files with 2 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/windows-hardening/av-bypass.md
View File

@ -972,18 +972,8 @@ Post-exploitation options
rmdir "C:\ProgramData\Microsoft\Windows Defender\Platform\5.18.25070.5-0"
```
Detection ideas
- Alert on new directory reparse points under `C:\ProgramData\Microsoft\Windows Defender\Platform\`.
- Watch for new version-looking folder names exceeding known Defender versions.
- Detect Defender binaries executing from non-standard paths (e.g., `C:\TMP\`).
- Sysmon telemetry: FileCreate (Event ID 11) with ReparsePoint/Symlink in that path; process starts for `MsMpEng.exe` with unexpected image path.
Hardening tips
- Enforce allow-listed execution paths with WDAC/AppLocker; prohibit Defender from running outside trusted directories.
- Continuously validate Defenders configured platform path; remediate anomalies.
- Keep Tamper Protection enabled; monitor for Defender platform location changes.
> Note: This technique does not provide privilege escalation by itself; it requires admin rights.
> [!TIP]
> Note that This technique does not provide privilege escalation by itself; it requires admin rights.
## References