Wednesday, October 27, 2021

Killing Defender through NT symbolic links redirection while keeping it unbothered

TL;DR

With Administrator-level privileges, and without interacting with the GUI, it is possible to prevent Defender from doing its job while keeping it alive and without disabling tamper protection, by redirecting the \Device\BootDevice NT symbolic link, which is part of the NT path from which Defender's WdFilter driver binary is loaded. The same technique can also be used to make Defender load an arbitrary driver that no tool succeeds in locating, although the redirection does not survive a reboot. The code to do that is in APTort…
