Suck it, Windows Defender.

When Invoke-Obfuscation came out in late 2016, I, and I'm sure many other pentesters, rejoiced at the fact that our commands bypassed AV like it wasn't even there. Empire payload? Easy. Privilege escalation PowerShell scripts? Not a problem.

In 2016, Windows Defender was but an annoying feature in Windows that would just catch Cain & Abel. Fast forward two years and now it's one of the best, if not the best, AV on the market. When I created ADAPE, AV didn't do anything about it. Kaspersky, McAfee, AMP, Windows Defender, etc. were all bypassed because everything was encoded using Invoke-Obfuscation. Within two months of publishing that script, Defender hated it. I tried encoding the commands and scripts in different ways, but it still caught them. I didn't have a clue how to bypass this damn basic AV solution that was built into every modern PC.

Recently, on an engagement, I had Empire set up and used CrackMapExec to execute the PowerShell payload on a target. Of course, it was blocked by Defender. No worries, CME supports Invoke-Obfuscation now and even has it built in with the --obfs switch. Surely it would work now, right?

Wrong. Defender even caught that. Game on. By default, Empire spits out a base64 encoded payload that looks like this when decoded.


So I would historically encode it via Invoke-Obfuscation.


And it would work. Until recently.


Ok, fair enough. I only encoded it once and reversed it, let’s try encoding it a bit better.

Ok, let’s try special characters.

So, it’s clear Defender has caught on and now there needs to be a new method to the madness. Luckily, I found something out: Why bypass AV when you can just turn it off? Yeah, they might have alerts set to ring when Defender is turned off, but at this point the engagement is dead if I can’t get by, so I’m willing to take that chance.

Turning off Defender is pretty easy. It’s actually one line of PS.

Set-MpPreference -DisableRealtimeMonitoring $true

However, the catch is you need to have administrative privileges.


Last year, byt3bl33d3r published a new, awesome tool called SILENTTRINITY. I wrote an article on how to use it here, but the TL;DR version is that it's a C2 tool that utilizes IronPython and C# to execute its modules and beacon. By default, installing the .NET Framework also installs a tool called msbuild.exe. This executable builds C# code from an XML project file, so if that XML file is really just a hook for the C2 server, msbuild is going to build it and you have a session on the target.

So, I started using this more than Empire because you don't have to run anything 'malicious' on the target, since msbuild can build the XML file straight from an SMB path.


Once I have a session open, I then use the ipy/shell module to run the command to disable Defender.



And now I can run ADAPE without being blocked. This really is a testament to how good Windows Defender is now and how far it has come. As adversary simulators, we hate this, but really we know this is awesome.
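The one-liner above and the msbuild stager both leave host telemetry a blue team can key on. The following is an added example, not code from this post or from SILENTTRINITY: a small Python scan over constructed event records (Defender operational log, PowerShell script-block logging, Sysmon process creation) that flags real-time protection being switched off, the Set-MpPreference / Set-NetFirewallProfile commands from the post and its comments, and msbuild.exe building a project from a UNC path or running under a parent other than a normal build tool. Event IDs 5001/5010/5012 (Defender) and 4104 (PowerShell) are real Windows IDs; the hosts, paths, sample records and the parent-process allowlist are constructed assumptions.

```python
import re
from typing import Iterable

# Defender operational-log events that mean protection was weakened
# (channel Microsoft-Windows-Windows Defender/Operational).
DEFENDER_DISABLED_IDS = {
    5001: "real-time protection disabled",
    5010: "malware/PUA scanning disabled",
    5012: "virus scanning disabled",
}

# PowerShell script-block logging (event 4104) patterns: the Set-MpPreference
# one-liner from the post and the firewall change mentioned in the comments.
DISABLE_PATTERNS = [
    ("Set-MpPreference disable switch",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.IGNORECASE)),
    ("firewall profile disabled",
     re.compile(r"Set-NetFirewallProfile\b.*-Enabled\s+(False|0)\b", re.IGNORECASE)),
]

# Assumed allowlist: parents from which msbuild.exe is normally launched on a dev box.
MSBUILD_EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\")  # \\server\share...

# Constructed sample records, shaped like a flattened event-log export (not real telemetry).
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Windows Defender", "event_id": 5001, "host": "WS01",
     "message": "Real-time protection is disabled."},
    {"provider": "Microsoft-Windows-PowerShell", "event_id": 4104, "host": "WS01",
     "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1, "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe \\10.0.0.5\share\build.xml",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"provider": "Microsoft-Windows-Sysmon", "event_id": 1, "host": "BUILD01",
     "image": r"C:\Program Files\Microsoft Visual Studio\2017\MSBuild\15.0\Bin\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2017\Common7\IDE\devenv.exe"},
    {"provider": "Microsoft-Windows-PowerShell", "event_id": 4104, "host": "WS02",
     "script_block": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[tuple[str, str, str]]:
    """Return (host, rule, detail) findings for one event record."""
    host = ev.get("host", "?")
    prov, eid = ev.get("provider", ""), ev.get("event_id")
    findings: list[tuple[str, str, str]] = []

    # 1. Defender itself reports that a protection component went off.
    if prov == "Microsoft-Windows-Windows Defender" and eid in DEFENDER_DISABLED_IDS:
        findings.append((host, "defender_weakened", DEFENDER_DISABLED_IDS[eid]))

    # 2. The command that turned it off, as captured by script-block logging.
    if prov == "Microsoft-Windows-PowerShell" and eid == 4104:
        for name, pat in DISABLE_PATTERNS:
            if pat.search(ev.get("script_block", "")):
                findings.append((host, "powershell_disable_protection", name))

    # 3. msbuild.exe used as a stager: project pulled over SMB, or odd parent.
    if prov == "Microsoft-Windows-Sysmon" and eid == 1 and basename(ev.get("image", "")) == "msbuild.exe":
        cmd = ev.get("command_line", "")
        parent = basename(ev.get("parent_image", ""))
        if UNC_PATH.search(cmd):
            findings.append((host, "msbuild_remote_project", cmd))
        elif parent not in MSBUILD_EXPECTED_PARENTS:
            findings.append((host, "msbuild_unusual_parent", parent))
    return findings


def scan(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Run every record through check_event and collect the findings."""
    out: list[tuple[str, str, str]] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

Run against the constructed records, the scan raises three findings on WS01 (Defender event 5001, the Set-MpPreference script block, and msbuild pulling its project from a share) and nothing for the developer build on BUILD01 or the read-only Get-MpPreference query on WS02. Correlating the three WS01 hits within a short window is what turns a noisy per-event alert into a confident one.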

4 thoughts on “Suck it, Windows Defender.”

  1. Instead of disabling Defender, we can roll back definitions with MpCmdRun.exe and even remove all the definitions.

  2. Hi 2killdms, as you are suggesting, we need first to elevate privileges. In my case, as the victim I am working with a Win10 Build 1809 with Defender up to date (18th March 2019).

    To run commands with elevated privileges with SILENTTRINITY, I am using the module ipy/shell. Once there I set the Command as follows:

    set Command "powershell function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield('_context','nonpublic,instance').getvalue( $executioncontext)).gettype().getfield('_authorizationManager','nonpublic,instance').setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager 'Microsoft.PowerShell'))} Disable-ExecutionPolicy; Import-Module C:\Users\User1\Desktop\Invoke-WSResetBypass.ps1; Invoke-WSResetBypass -Command 'cmd.exe /c start powershell Set-MpPreference -DisableRealtimeMonitoring $true'"

    Remember to replace the .ps1 script’s path appropriately for your tests.

    For your reference, the Invoke-WSResetBypass.ps1 script can be found in ActiveCyberus. As it cannot be executed in PS as a non-privileged user with Execution Policy Restricted, you also have to bypass that restriction with the previous PowerShell function Disable-ExecutionPolicy.

    The execution takes a lot of time. Around 10 minutes in some cases.
    If you are going to use ADAPE too, you will have to fix it first (last single quote and curly bracket are missing), and you will also need to disable the firewall (Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False).

    N.B.: Defender AV detects my first attempt, but the second is not detected nor stopped (using msbuild as stager).
    N.B.: I am not using the ipy/powershell module because it does not work properly (exception) for unknown reasons.
    N.B.: It would be recommendable to Set-ExecutionPolicy Unrestricted -Force from the beginning.

    It is my first contact with the tool, so maybe you find easier mechanisms. Let us know if that is the case.

  3. Sorry, but my question here is: if you are a low-level user, how can you disable this? It seems that you provided a username and password to CME; how would we get the same result with a low-privilege user? Would we need to escalate first and then proceed to disable Windows Defender? Sorry if it's a dumb question, just curious.
