Bypassing Defender’s self-protect mechanism

  • The Set-MpPreference PowerShell function
  • The MSFT_MpPreference WMI class
  • Impersonating Trusted Installer
  • Redirecting \Device\BootDevice
  • Kernel driver abuse

Daniel Santos

Security researcher and penetration tester