mattifestation/AntimalwareBlight

Execute PowerShell code at the antimalware-light protection level.

Use this PowerShell module to execute PowerShell code at the antimalware-light protection level. This code was presented in the "Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem" talk at REcon and at Black Hat USA 2022. The module must be run elevated. Its purpose is to highlight that the antimalware-light protection anti-tampering feature is only as strong as the weakest vendor's ELAM driver.

Thank you to the Microsoft Defender research team for working with me on this issue! When in doubt, if MSRC won't fix something because it's not a security boundary, the Defender team still likely cares very much!

Load the module:

```powershell
Import-Module .\AntimalwareBlight.psm1
```

View its exported functions:

```powershell
Get-Command -Module AntimalwareBlight
```

View help for the module's functions:

```powershell
Get-Help Invoke-AntimalwareLightCommand -Full
```

Note: Invoke-AntimalwareLightCommand is deliberately not fully weaponized. It is up to the user to locate an overly permissive ELAM driver that permits Microsoft-signed code (TBS hash: E17764C39F2AFD7114F8528D2F9783D9A591F6679715EECE730A262CF5CFD3B3).
