Thanks John. I like the more technical angle of your videos and not simplifying too much, helps a lot for those of us in the grey zone.
0:37 0:38 ❤
I just tested this and it does indeed work and MDE does not flag anything up. That is not good. Is there a CVE for this ?
It's an executable, it has to be calling some set of system calls to get this information (especially if PowerShell has embedded access). I imagine we can create something with a lot less overhead than rerunning MpCmdRun each time.
Seems a bit pointless if all these are logged (as you said) to Event Viewer. Running a PowerShell command to pull that Event ID with some filtering is likely more stealthy (and accurate) than just generating a process over and over.
great vid - you showed a way to detect the Defender CLI abuse too, but is there a way to avoid the Defender log being readable by every user?
easy anti cheat has some human readable strings that might be interesting
You can open elevated Powershell window from non-elevated Terminal just by clicking the drop-down menu next to the plus-sign on the tab row and Ctrl+clicking the "Powershell" option.
i still needed admin privileges to do this (win11)
It might not show a UAC prompt on your end, but admin is still required, this is not a UAC bypass
@@fatedsky6700 I wasn't saying this was a UAC bypass, just an alternate method to open an elevated PowerShell window instead of closing the original Terminal window and then opening the elevated one from the Start menu like shown in the video.
@@raimomanninen9579 oh alright, thanks for the clarification
I've heard there's also `sudo` now on windows 11
"The exclusions do not bypass security mechanisms; they simply exclude the specified items from static scanning."
Thanks for the video on Defender Exclusions! We built a script to check for rogue or unneeded exclusions in Windows Defender after watching. One thing we found: McAfee Antivirus leaves its exclusions in place after it's been uninstalled. How big a deal do you think these being left behind is? "c:\program files\mcafee'c:\program files\common files\mcafee'c:\program files (x86)\mcafee'c:\program files (x86)\common files\mcafee'C:\DELL\FD09N'c:\programdata\mcafee"
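An added example, not the commenter's script and not from the video: a PowerShell audit that lists Defender path exclusions, flags ones whose target no longer exists (the orphaned-uninstaller case above) or that sit in user-writable locations, and pulls recent exclusion changes from the Defender operational log (Event ID 5007 is Defender's configuration-changed event). The allowlist is a constructed placeholder; run it from an elevated PowerShell, since current Defender builds hide exclusions from non-admins.

```powershell
# Added example: audit Defender path exclusions and recent exclusion changes.
# Assumed allowlist of exclusions known to be legitimate on this host (edit to taste).
$Allowlist = @(
    'C:\ProgramData\ExampleApp'   # constructed placeholder
)

function Get-SuspectExclusions {
    $prefs = Get-MpPreference
    foreach ($raw in $prefs.ExclusionPath) {
        # Exclusions may contain %ENV% variables or wildcards; expand before testing.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        if ($Allowlist -contains $path) { continue }

        $exists = if ($path -match '[\*\?]') { Test-Path -Path $path }
                  else                       { Test-Path -LiteralPath $path }

        $reason = if (-not $exists)                       { 'target missing (orphaned exclusion?)' }
                  elseif ($path -match '^[A-Za-z]:\\$')   { 'entire drive excluded' }
                  elseif ($path -match '\\(Temp|Downloads|Public|AppData)(\\|$)') { 'user-writable location' }
                  else                                    { 'not on allowlist' }

        [pscustomobject]@{ Exclusion = $raw; Reason = $reason }
    }
}

# Exclusion-related configuration changes from the Defender operational log.
function Get-RecentExclusionChanges([int]$Days = 30) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

Get-SuspectExclusions      | Format-Table -AutoSize
Get-RecentExclusionChanges | Format-List
```

Leftover entries reported as "target missing" are worth removing (Remove-MpPreference -ExclusionPath), since a path that is excluded but does not exist is a ready-made blind spot for anything that later recreates it.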
Always great content, taking this further using a tool like binfinder from kudaes we can also find processes that are internally excluded by an edr
Like SYSTEM level svchost processes and crowdstrike 😉
You are my best friend John 🧡🙏🤘🙌👌I appreciate that!!!
how long did it take you to know/remember all these windows commands?
how many sigma rules do you need to write to cover off all conditions not detected by a typical edr 😕
This is where I hope threat hunting query libraries can continue to improve in vendor products. eg. 'run all hunting queries' and get a human and/or robot to look at it.
That was amazing!!
why are we bruteforcing windows defender exclusions?
As said, you would like to load your somewhat malicious files there.
Good John❤
Can you do a tutorial on how to make a Windows 11 virtual machine? I know how to make one, but it's always having issues and yours looks good.
This is why I am in favor of excluding on-access scans, while leaving on-demand/scheduled ones not excluded. X>.>X
Pretty sure that you'd not get that feedback if it could properly be set up like that. (I've got Bitdefender set up to exclude on-access for several key folders so it doesn't slice my face off when I run IDEs for some projects, but leave on-demand intact because I don't code in the style that would trip the stuff.. I just hate the performance hit.)
I swear I'll unsubscribe if I get an ad during the ad again
Please more blue team (defender) Videos...
someone is definitely going to try to exploit this but i doubt it'll do damage, it'll probably be patched in a few hours
Ty
Can someone explain how this can be useful? I'm a new student in this field.
Once the malware knows what directories are excluded it could just copy itself to that directory and avoid any anti-virus detection.
This is useful to avoid anti-virus detection when you are now executing the main malware from the loader/dropper.
Great vid🔥
Greetings from Africa
you are a PowerShell / cmd mega chad, looks like a guy who codes on Linux only with a keyboard, but for Windows
That's a nice trick
neat!
Nice! ❤
5:00
12:40 task failed successfully? I guess...
👀💪
👍
🙏💯
😂😂😂😂😂😂😂😂😂❤😅😅😅hahahahahaha
First
guys i need help... My laptop fell and got destroyed, no money to get a new one... please help me😪
Skill issue