Killing Defender through NT symbolic links redirection while keeping it unbothered

August 24, 2021

Updated: August 25, 2021

TL;DR

With Administrator level privileges and without interacting with the GUI, it’s possible to prevent Defender from doing its job while keeping it alive and without disabling tamper protection by redirecting the \Device\BootDevice NT symbolic link which is part of the NT path from where Defender’s WdFilter driver binary is loaded. This can also be used to make Defender load an arbitrary driver, which no tool succeeds in locating, but does not survive reboots. The code to do that is in APTort…

Killing Defender through NT symbolic links redirection while keeping it unbothered

Mediator – An Extensible, End-To-End Encrypted Reverse Shell With A Novel Approach To Its Architecture

SharpSystemTriggers: Collection of remote authentication triggers in C#

Webdiscover – The Purpose Of This Script Is To Automate The Web Enumeration Process And Search For Exploits

SharpSelfDelete: C# implementation of a method to delete a locked file, or current running executable, on disk

Editor Picks

Threat Hunting With Yara Rules

Certified Pre-Owned Detection Ideas

Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis

Must read

SharpSystemTriggers: Collection of remote authentication triggers in C#

Webdiscover – The Purpose Of This Script Is To Automate The Web Enumeration Process And Search For Exploits

SharpSelfDelete: C# implementation of a method to delete a locked file, or current running executable, on disk

Popular categories