Bruteforcing Windows Defender Exclusions

John Hammond · Advanced ·🔐 Cybersecurity ·1y ago

Key Takeaways

The video demonstrates how to brute force Windows Defender exclusions using mpcmdrun.exe and other tools, and how to detect such attempts using Sigma rules and the Aurora agent.

Full Transcript

peing behind the curtain finding Windows Defender antivirus exclusions this is an article that I saw pop up on Twitter just a bit ago and I thought it was pretty neat and I wanted to share it with you Kudos and credit where credit is due this is put together by a group of security folks friends and security and they've got a little uh table of contents here I'm going to skip over the tldr because I'd like to Showcase it and let's get right into the introduction they say recently we raised an issue on X regarding how low privileged users can access exclusion path set in the Microsoft Defender antivirus Through the Windows event logs so if you're not familiar I've got a Windows 11 virtual machine set up so that we can follow along but look the antivirus exclusions things that come from malware what hackers thread actors adversaries or penetration testers might end up looking for are the small little spots on your file system where if there are any exclusion set antivirus engines won't scan them these are set in Windows Defender by default in the virus and threat prote settings if you move into the more settings for realtime protection Etc exclusions down at the bottom here will let you add or remove exclusions you will need administrator capability to do this so I'll click yes on that user account control popup but if I were to add an exclusion we can just add a folder for my current desktop right we'll go ahead and choose that c users and I am running as a local admin account but not always going to be in a high privilege and high integrity process so for the moment that user us name is called local admin but please take that with the grain of salt let's enter that now it is added but the thing is you wouldn't normally be able to see that in just a regular prompt a regular medium Integrity process let me open up Powershell right I'll open up the terminal and let's say I wanted to get MP preference and that will give me all of the details about our manage protection antivirus and everything here that will dump out all the stuff but if I wanted to drill down into that actually look for specific exclusion information I can tab through this exclusion extension exclusion IP address exclusion path exclusion process let's take a look at the exclusion paths to see if it would find that desktop entry that I added well you have to be an administrator to be able to view the exclusions right now I'm just running as a regular joeo account I would need to open this up with high privileges control shift enter when I open that process clicking yes on our user account control get MP preference exclusion path and now I could hit enter on that and you'd be able to see what I've just entered but you do need admin privileges to be able to do that what friends inse security is saying and they had some time ago is that look you could actually track this down in the Windows Event log and you don't need to be an admin to do that we could see that in action if I were to open up the Event Viewer we could go ahead and explore inside of the application and services logs that'll take a little bit to unfold it just takes a couple seconds to load whatever it needs to for all those records and resources there in the Microsoft folder drilling down into windows we could actually go take a look at Windows Defender in the operational log you'll have a ton of stuff and interestingly enough the event IDs 57 will show you some of the changes to your Microsoft Defender antivirus however this is for any change to Defender configuration so you could get a whole lot of inside in here like hey new value being set for an exclusion you can see that being modified in hklm theed registry key for the local machine again needs admin privileges to be able to read that registry key but the Event Viewer will still tell it for low privilege users but there's a lot of stuff in here like 57 could really just be any specific notification configuration change like here is a setting the product app path here is one changing how the service starts whether it's done running a scan oh that's a different event ID that's a,1 but anyway you get the gist 50007 is going to be a whole lot of stuff that could very will be anything and not strictly whether or not a folder or location is part of antivirus exclusions so that is one tidbit but this article showcases just a little bit more this was highlighted by security researcher hi vacnin I'm sorry I'm awful at names and they demonstrated these event logs will actually offer this insight to low privilege users so maybe malware maybe hackers could still go find those places those spots where they could use to deploy a payload or do whatever they might do for other nefarious reasons but they actually want to showcase a new method that allows users to determine exclusion paths without relying on the Windows Event Viewer and without those logs and without requiring admin privileges the gimmick here is that this uses mpcmdrun.exe the binary like the command line tool of Microsoft Defender and they put up a cool little utility to be able to automate that process but let's see how it's done they use mpcmdrun.exe to identify exclusions and by the way uh mpcmdrun is in your program files so back in our virtual machine what we could do is actually get into our terminal just as a low privilege user and if we wanted to we could go take a look at our environment variables for program files and they do have that directory here Windows Defender granted it does have to have a space in there so when I tab autocomplete it removes the environment variable which is annoying me because I like that flexibility but whatever uh mpcmdrun.exe is what we're looking for and of course that there if we wanted to invoke it in Powershell because it's a string we can do an ampersand prefix and that will give us all of the options for MP CMD run or Windows Defender running it as a binary here there's a lot of good stuff but you might have noticed just at the very very bottom there already is just one little flag switch an argument to say check exclusion based off of a path so I mean what's to stop us from just doing that try to check exclusion we'll specify path and then we can use just that one that we set C users local admin desktop and I run this it says uh oh failed with HR or H result the error code being hex 80070005 um well that's silly and stupid how about just like local admin same thing how about just like users same thing C col backlash same thing this is because we do not have access right I could actually change this to an entirely different Drive something like the D drive same again don't have access how about something like a z drive that is going to give me a not found that file or folder is not found as a location so the issue that we're seeing is again access denied as a low privilege user obviously running this with high integrity would probably work just fine let me try that just to validate terminal user account control full screen that paste in let's go to the desktop yep that tells me it is excluded when I'm running as the administrator but we want to have this capab as a low privilege user not the administrator so they describe that using this with the syntax running mpcmdrun with a scan and a scan type being three that refers to a custom scan including a file with whatever folder or path that you want to check ending with a vertical pipe and then an asterisk they've got a little bit of magic here and it's cutesy it says Hey the pipe is an invalid character in Windows folder names ensuring that the path specified is not a valid folder or file the asterisk asks the wild card as it usually does essentially telling Defender to look for any potential subfolders or files within the specified path if the folder is excluded the output will read scanning folder to check was skipped so let's get to see what command they use to help identify these Defender exclusions but before we do please let me tell you about another awesome event coming up and help celebrate the sponsor of today's video sock analyst Appreciation Day Security operation Center analysts are too often over worked in underappreciate they're doing the most impactful cyber security work but they're never in the Limelight so to help celebrate those sock analyst rockstones dvo is hosting the fourth annual sock analyst appreciation R it's all to pay some longdd kudos to our world sock analysts and to encourage organizations to improve their job satisfaction and mental well-being the online event is completely free and open to anyone and everyone live on October 16th it is Pack full with career focused sessions preventing burnout secrets to success day in the life details for analysts and researchers and so much more I'll even be speaking on the rapid response efforts during the connectwise screen connect exploitation I'd love to see you there if you are a security Operation Center analyst or you're fascinated by the work and you want to become one you should absolutely tune in to the sock analyst appreciation it's completely free and it's a day dedicated to celebrate you and your your great efforts sign up for the sock analyst Appreciation Day on October 16th with my link below in the video description jh. live slock huge thanks to dvo for sponsoring this video all right now let's see what friends in security is cooking up they have the syntax where they invoke mpcmdrun.exe with Tac scan to run a scan Tac scan type three three being a custom scan and then the file that they specify is whatever folder that you want to look any path or location but then ultimately including at the very end here a vertical pipe and then an asterisk in the explanation of the command below they note the pipe is an invalid character in Windows folder names oh so those are the characters that you are not allowed to name like a file or a folder with and it'll give you an error if you try to do that entering in a new folder or new text file whatever ensuring that the path specified is not a valid folder or file o that's a little bit clever the asterisk acts as a wild card essentially telling def Fender to look for any potential subfolders or files within that specified path if the folder ends up being excluded then the output will just simply read scanning that folder was skipped now there is one little idiosyncrasy here let's try this I am just a low privilege user right now I don't have administrator up in the top title of my Powershell window but let me try to use our EnV program files Windows Defender and that will Amper sand that out let's you are mpcmdrun.exe where we scan with a scan type being three and specify the file being the path that we know is now excluded right so that's C users local admin and we added our exclusion onto our desktop so fingers crossed this will work here for us yeah okay and we will need to be sure to add that vertical pipe character and then a star or an asterisk to note the end of that so fingers cross there we go it tells me scanning that location was skipped now I believe this will pop up a little toast notification right from the bottom right of your computer screen where my face is and that is just from the balloon notification of Windows Defender letting you know hey that folder and location was skipped in the scan I don't think I saw that mentioned in the article but in High's tweets kind of walking back in time from his original ay notification of this stuff back in May 31st with the windows event logs October kind of find a cool new way to do that with using Defender itself they do note here that while this works you get the identifier as to whether or not a folder or path is excluded or not but it will end up giving you a popup and just displaying down below hey there are items skipped during the scan if it is going to skip an excluded folder and I got to be honest I was a little bit nerd sniped with this and I really wanted to see is there a way that I could programmatically like within Powershell or C or whatever Force Do Not Disturb mode or Focus assist or the quiet hours or whatever crap will hide those notifications like disable the balloon the toast notification uh and I tried to go through a couple different registry keys I got procmon and was doing all the stuff to look inside of the registry to see what might be there turns out it's some weird wacky like Cloud store binary format file that I don't exactly know all the ins and outs of I would love if any of you were a little bit interested but I've some way somehow manag to break something on my vmw will not give me the pop-up anymore which is what I intended and what I wanted but I wanted to be able to tell you how and now I don't know how so sorry I think it must be okay the change stamp is where I was seeing a lot of stuff fluctuate that I wasn't able to get right uh I'm curious if anyone would be uh super interested loading the rge file doesn't really take effect until the next reboot so logging in back out maybe it's not all that worthwhile to see this in action anyway because if you need to log the user out like the victim and the target as you're doing this for a penetration test bug Bounty whatever um okay you're cap ability and reliability of that attack Vector it might not be the most valuable but here's the thing because we have added that vertical pipe and star well we're making it so that it's going to always fail and that way if we were to try to use any other path like documents it'll tell me hey failed with h result hex 8050 8023 whatever some at least identifier to let us know here's a threshold here's a bit yes or no as to whether or not it's skipped or it is some logic we can better test in and then it's not going to be able to scan that because it's a fake file that we're using as an anchor now I know some folks might be thinking why can't I use like the Powershell prompt start MP scan to start an antivirus scan if that's really what we're doing is brute forcing different directories trying to scan it but fail well we could still just start a scan just as easily with Powershell could we not well yes you totally can you can specify a custom scan type and you can include the scan path to be whatever you'd like just as we did earlier see users local admin desktop and if I were to add that vertical pipe and then another asterisk here uh this will error but not give me a very helpful H result because when we get to see this error here this H result is for that is an invalid character in a path so not extremely helpful not going to end up being something that we could use to enumerate across different folders because it's just properly going to handle that is an invalid character when NPC andd run. did not for us trying this with documents we see the exact same thing and if you were to use the MP CMD run check exclusion path blah blah blah that will tell you the exact same thing typically trying the actual start MP scan on the desktop though with it being skipped it doesn't really give me a lot of good output I'm curious if there's still more we could drill down into to figure it out for that command if the process output the like flickering blue bar at the top I wonder if that tells us anything interesting and if there's another vehicle or vessel to do this with with the Powershell commandlet to try and avoid that popup if it displays on your machine and not have to brute force or manually scan each and every single different directory but right now it seems like that's kind of the best option using this in action carrying onward with the article here they know this is effective because Defender is going to check for exclusions before scanning files in that folder which is really helpful for tools that need to run repeatedly without actually scanning files but using the pipe or any other character that is not allowed in a Windows pack path and the asterisk that will have Defender first verify if the directory is on the exclusion list and since that is not a valid file or folder name it'll end up avoiding actually scanning even if the folder is not excluded and it would scan regardless so they put together this cool tool sharp exclusion finder in C I think it would be sweet to do this in Powershell but we can dig into that in just a second and we can play with this a little bit more because it would be worthwhile to try and detect this trick especially if you're doing some of that Security operation Center blue team analyst work real big tips for Defenders though obviously don't have antivirus exclusions you goddamn idiot do not do it I know some software says hey you need to have that set up so it actually installs and configures and runs properly here's the solution for you don't use that software monitor for unusual mpcmdrun.exe uses patterns this is it that's what we should probably drill on into let's see if we could write some rules to help detect this but all in all I think this is neat I think it's pretty cutesy sure it's got a little bit of nuance maybe not the most perfect method but I think maybe there's some opportunity to improve if anyone wanted to drill down into oh could we call a scan from Defender with win32 API calls so we don't end up having all of the artifacts or process executions on the host can this be done without the binary or can we actually avoid the little popup if that displays or what else could we do here anyway let's try and use their tool sharp exclusion finder tool designed to find folder exclusions using Windows Defender the command line MP CMD run as a low privilege user without relying on event logs and this is it uh not a whole lot to it really you just offered a base path for what it will search for include some options if you'd like for how far down you want to look the depth number of threads that you'll Loop through and output file if you wanted to save the results so we can explore the program.cs actually get an idea of the C source code and we can go run this thing so usual Imports class program going to ends up just setting up an excluded directories has a hash set counter to keep track of stuff directories Max threads stopwatch a lot of boiler plate but the actual main function ends up just checking the arguments printing out help if it's not there Loop through to set each of these as they should and then ultimately get excluded folders by tier passing in the base path now print help is as we would expect but the get excluded folders by tier will take in the depth the base path and everything that it's going to end up looking for it ends up adding these together and then at the end of the day ultimately processing tier directories so all the depth capability really I want to go look for the scan directory function that's what this is ultimately it just ends up displaying okay we process however many directories after we've hit a certain count but it just builds out the binary the shell invocation right okay shelling out to run Defender with mpcmdrun.exe arguments and path as we'd all expected the is directory excluded function just checks everything run process does this over and over and over again so look it's nothing fancy it's everything that we would expect maybe we could rewrite this if you wanted a copy in Rust and goang and Powershell copy pasta whatever but let's get back to our virtual machine where I do have that downloaded and I can run our sharp exclusion finder.com okay getting a couple access Deni right cuz we probably don't have all the permissions even though we are that user maybe we need to have UAC and a high integrity shell there but local admin desktop is excluded so we track that down by that brute force method I think if we were to open up like task manager or process monitor maybe process Explorer and CIS internals would just see this smattering of code oh I got to do it let me just see if like CIS internals and uh process Explorer would just see a like fire hose of mpcmdrun.exe being spoted over over and over and over again MP CMD run yep yep yep I know that's dumb I know that's stupid but hey I mean that's the technique that is effective here obviously though this should light up like a Christmas tree for any environment that's actually going to be auditing monitoring and doing some of the analysis to detect this stuff detect any Badness hopefully you'll see a absolute flurry of these processes being started and stopped but could we detect the actual syntax we could use Sigma and maybe Aurora as an example with a light EDR capability and write a detection rule for this so let me close out our process Explorer Let's uh let's sharp exclusion finder close out of here and let's get to actually use Aurora now I do have that staged and set up here Aurora is actually going to have a lot of the rules that we might use Aurora will store its Sigma rules in the signatures folder and then Sigma rules uh I have gone ahead and removed all of them just so that hey I don't want it to run any of the other stock offthe shelf typical Sigma rules I only want to run mine so what we could do is actually move up to the custom signatures capability where we do have Sigma rules and a process creation. yml template so something that we could use to have a jumping off point to write our own Sigma rules so let me open up Sublime Text let me open up this template file and let me try to save a copy just as process creation maybe Windows defend Defender exclusions brute force. yml cool okay so we could say Windows Defender exclusion Brute Force as our title we will use a unique ID just a guid uh I do have the generate good capability or that package added to Sublime teex you can control shift p and then install a package with package control to get that but that way I can very very easily just type in uu ID and it'll generate one there for me status experiment Al is fine our description can say detex Defender exclusion Brute Force activity with the mpcmdrun.exe binary we can also put some references here I think that's good to do and we'll just add the link for that log log source is fine this should be process creation on Windows and we can Define our detection capability so look first things first we probably want to be looking for mpcmdrun right mpcmdrun.exe should be what our image ends with so we can say that is Defender and we could also specify like the command line should probably contain a scan noting that with a space and a hyphen to add the flag scan oh and that should be command line sorry maybe that's better called Defender scan and then we can add another criteria for like an irregular file within that we can check if the command line contains again with that filter and I think this could probably be made better so please let me know I am totally okay okay with being just a bad little detection engineer by any means uh not my real world but please let me know how we can improve this uh in the comments below I think at the very least that will detect when we've got a file that includes that irregular structure here with the pipe and the asterisk so let's make sure that is our condition we want to use the defender scan and an irregular file and uh critical alert is probably fine because that likely means there are like already thread actors in your environment so fingers crossed that is set added into Aurora and let me go see if that will work as it should we do have Aurora in our desktop so I'll move into that directory and then I want to run the Aurora agent and I'll do that with the dashboard open so we'll get that Cruis in and will it load that rule yes okay cool so rules loaded is just one here you can see that where my mouse cursor is and then I believe we can go see the dashboard oh I always have to check their document every single time to remember the port number 17494 Okie doie let's go there so with that we should get the notifications and we'll also get the uh alerts loaded in this little display so let me open up a terminal once again now even just as our poor little low privilege user we can try to run our sharp exclusion finder with C users local admin desktop or just local admin as a starting place because it'll brute force and Hammer through all of those to eventually find the desktop but will our Sigma rule work no what the heck am I wrong oh there it goes okay I didn't do anything I just had to wait a little bit I guess it took some time there uh we can see the notifications coming through yep coming through now my face in the way but if I refresh this page okay yeah it's going to start to light up a lot of those coming in cuz it's just going to be one after the other again and again and again with that utility oh and Aurora looks bloody all right so there you have it a small little technique a big shout out big props to friends Inc and the folks that were digging into that and I know look it might have a little bit of nuance as to whether or not you'll actually use something that is this screaming loud annoying with process invocations over and over and over again when they will be lighting up like a Christmas tree especially with some process detection capability there but now you've got some Sigma syntax to be able to look for that so hopefully little something for both red and blue with a good video that uh is still some tradecraft that might be out and about thanks so much for watching hope you enjoyed this video please do all those YouTube algorithm things like comment subscribe and I would love to see if you uh improve or enhance this at all maybe you doing something in another different language maybe using some of the win32 pi functions to make it stealthy or maybe finagling with uh actually disabling turning on or toggling off like Focus assist Do Not Disturb in the quiet hours on Windows that'd be super interesting but anyway thanks so much hope you check out our sponsor Link in the video description seriously genuinely along this conversation of Security operation Center I hope you tune in to the sock analyst appreciation day I'll see you in the next video video

Original Description

https://jh.live/soc || Join me for the SOC Analyst Appreciation Day! A completely FREE event on October 16th by DEVO! https://jh.live/soc Article: https://blog.fndsec.net/2024/10/04/uncovering-exclusion-paths-in-microsoft-defender-a-security-research-insight/ Learn Cybersecurity with Just Hacking Training: https://justhacking.com Learn Coding: https://jh.live/codecrafters Don't listen to other "influencer" VPN crap -- host YOUR OWN: https://jh.live/openvpn WATCH MORE: Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4 Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5 📧JOIN MY NEWSLETTER ➡ https://jh.live/email 🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon 🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor 🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok 💥 SEND ME MALWARE ➡ https://jh.live/malware 🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from John Hammond · John Hammond · 0 of 60

← Previous Next →
1 Code Commentaries? PHP to JavaScript in Bash and PHP!
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
2 Tutorials? MySQL connection with PHP and Bash!
Tutorials? MySQL connection with PHP and Bash!
John Hammond
3 Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
4 JavaScript Splits The URL!
JavaScript Splits The URL!
John Hammond
5 HTML Tables in Python!
HTML Tables in Python!
John Hammond
6 HTML, Net Shares, GML!
HTML, Net Shares, GML!
John Hammond
7 Python 08 Programming Style and Comments
Python 08 Programming Style and Comments
John Hammond
8 Python 26 Object Oriented Programming
Python 26 Object Oriented Programming
John Hammond
9 75 Python Tutorials, Out Now!
75 Python Tutorials, Out Now!
John Hammond
10 Batch 14 Mathematical Expressions
Batch 14 Mathematical Expressions
John Hammond
11 Batch 85 Array Append
Batch 85 Array Append
John Hammond
12 Batch 86 Array Count
Batch 86 Array Count
John Hammond
13 Batch 87 Array Index
Batch 87 Array Index
John Hammond
14 Batch 88 Array Insert
Batch 88 Array Insert
John Hammond
15 Batch 89 Array Remove
Batch 89 Array Remove
John Hammond
16 Batch 90 Array Reverse
Batch 90 Array Reverse
John Hammond
17 Python [colorama] 00 Installing on Linux
Python [colorama] 00 Installing on Linux
John Hammond
18 Python [colorama] 09 Cursor Position
Python [colorama] 09 Cursor Position
John Hammond
19 Python [hashlib] 02 Algorithms
Python [hashlib] 02 Algorithms
John Hammond
20 Python 00 Installing IDLE on Linux
Python 00 Installing IDLE on Linux
John Hammond
21 Python [pygame] 11 Rectangular Collision Detection
Python [pygame] 11 Rectangular Collision Detection
John Hammond
22 Python [pygame] 12 Platforming Rectangular Collision Resolution
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
23 Python [XML-RPC] 01 Research
Python [XML-RPC] 01 Research
John Hammond
24 Python [pyenchant] 03 Personal Word Lists
Python [pyenchant] 03 Personal Word Lists
John Hammond
25 FancyURLopener Authentication and User-Agent [urllib] 03
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
26 Python 04: PEP8 Coding
Python 04: PEP8 Coding
John Hammond
27 Python Challenge! 17 COOKIES
Python Challenge! 17 COOKIES
John Hammond
28 Google CTF 2016: Ernst Echidna
Google CTF 2016: Ernst Echidna
John Hammond
29 Google CTF 2016: Spotted Quoll
Google CTF 2016: Spotted Quoll
John Hammond
30 Google CTF 2016: Can you Repo It?
Google CTF 2016: Can you Repo It?
John Hammond
31 Google CTF 2016: No Big Deal
Google CTF 2016: No Big Deal
John Hammond
32 Google CTF 2016: In Recorded Conversation
Google CTF 2016: In Recorded Conversation
John Hammond
33 Homemade CTF Challenge: 01 "Orchestra"
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
34 Homemade CTF Challenge: 02 "Bae's Base"
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
35 Homemade CTF Challenge: 03 "Web Hunt"
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
36 Homemade CTF Challenge: 04 "UPX"
Homemade CTF Challenge: 04 "UPX"
John Hammond
37 Homemade CTF Challenge: 05 "The Assumption Song"
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
38 Homemade CTF Challenge: 06 "A Brisk Stroll"
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
39 Homemade CTF Challenge: 06 "I lost my password!"
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
40 web25 :: Mr. Robot : EKOPARTY CTF 2016
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
41 web50 : RFC 7230 :: EKOPARTY CTF 2016
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
42 misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
43 Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
44 Hack The Vote 2016 CTF Warpspeed [forensics150]
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
45 Juniors CTF 2016 :: Black Suprematic Square
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
46 Juniors CTF 2016 :: Six Strange Tales
Juniors CTF 2016 :: Six Strange Tales
John Hammond
47 Juniors CTF 2016 :: Lost Code
Juniors CTF 2016 :: Lost Code
John Hammond
48 Juniors CTF 2016 :: Here Goes!
Juniors CTF 2016 :: Here Goes!
John Hammond
49 Juniors CTF 2016 :: Southern Cross
Juniors CTF 2016 :: Southern Cross
John Hammond
50 Juniors CTF 2016 :: Clone Attack
Juniors CTF 2016 :: Clone Attack
John Hammond
51 Juniors CTF 2016 :: Dirty Repo
Juniors CTF 2016 :: Dirty Repo
John Hammond
52 Juniors CTF 2016 :: Hackers Blog
Juniors CTF 2016 :: Hackers Blog
John Hammond
53 Juniors CTF 2016 :: Voting!!!
Juniors CTF 2016 :: Voting!!!
John Hammond
54 Juniors CTF 2016 :: The Good, The Bad and The Junkman
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
55 Juniors CTF 2016 :: Stop Thief!
Juniors CTF 2016 :: Stop Thief!
John Hammond
56 Juniors CTF 2016 :: ROFL
Juniors CTF 2016 :: ROFL
John Hammond
57 Juniors CTF 2016 :: Restriced Area
Juniors CTF 2016 :: Restriced Area
John Hammond
58 Juniors CTF 2016 :: Oh SSH!
Juniors CTF 2016 :: Oh SSH!
John Hammond
59 HackCon CTF 2017 TRIVIA and BONUS Challenges
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
60 HackCon CTF 2017 "Bacche" Challenges
HackCon CTF 2017 "Bacche" Challenges
John Hammond

This video teaches how to brute force Windows Defender exclusions and how to detect such attempts using Sigma rules and the Aurora agent. It covers the use of mpcmdrun.exe, Powershell, and other tools for custom scans and detection.

Key Takeaways
  1. Open Windows Event Viewer and drill down into the application and services logs
  2. Use mpcmdrun.exe to run a custom scan and check exclusion paths
  3. Specify a file path with a vertical pipe and an asterisk for wildcard scanning
  4. Add exclusions to the Windows Defender settings using the mpcmdrun.exe command
  5. Use Powershell to start a custom antivirus scan and specify a custom scan type and path
  6. Use Sharp Exclusion Finder to find folder exclusions and MP CMD run to check exclusion paths
  7. Call a scan from Defender using Win32 API calls and build a binary to run Defender with mpcmdrun.exe arguments and path
  8. Write a detection rule for the brute force method using Sigma and Aurora
  9. Generate a unique ID using Sublime Text and create a detection rule with the unique ID
💡 Windows Defender exclusions can be brute-forced using mpcmdrun.exe, and such attempts can be detected using Sigma rules and the Aurora agent.

Related Reads

📰
Active Directory Enumeration & Password Spraying: A Hands-On Guide
Learn hands-on techniques for Active Directory enumeration and password spraying to enhance your internal penetration testing skills in Microsoft Windows environments
Medium · Cybersecurity
📰
The Quantum Internet Explained: How the Next Generation of Communication Could Be Unhackable
Learn how the quantum internet can revolutionize cybersecurity with unhackable communication, and why it matters for the future of data transfer
Medium · Cybersecurity
📰
One login for you and your AI agents. Zero long-lived keys.
Simplify cloud access for humans and AI agents with a tool that eliminates long-lived keys
Medium · Cybersecurity
📰
Zero Trust Starts Before Login: Lessons From Cloud Security
Learn how Zero Trust security starts before login and its importance in cloud security
Medium · DevOps
Up next
What is DevSecOps Explained with Examples
VLR Software Training
Watch →