This is a tool that brute-forces every executable file in a specified folder to identify the ones that are whitelisted by the antivirus and therefore have permission to write into the AV's executable folder.
```
DefenderWrite.exe <TargetExePath> <FullDLLPath> <FileToWrite>
```
DefenderWrite executes the file at TargetExePath and injects the DLL at FullDLLPath into the newly created process. The DLL attempts to create FileToWrite and reports success or failure.
```
DefenderWrite.exe <TargetExePath> <FullDLLPath> <FileToWrite> c
```
With the trailing `c` argument, DefenderWrite executes the file at TargetExePath, injects the DLL at FullDLLPath into the newly created process, and the DLL copies FullDLLPath itself to the destination FileToWrite. This mode is intended for copying the payload into the installation folder of the antivirus.
You can modify line 60 of the script (Run-Check.ps1) to change parameters such as the path to DefenderWrite, FullDLLPath, and FileToWrite to suit the environment you want to test.
Run it from an elevated command prompt (CMD, Run as Administrator):
```
powershell -c "path to Run-Check.ps1" > result.txt
```
Check the output log file (result.txt) for executable files whose result is "successfully".
- Microsoft Windows Defender
- BitDefender Antivirus
- TrendMicro Antivirus Plus
- Avast Antivirus
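As an added defender-side example (not part of the DefenderWrite project), the Python rule below correlates Sysmon-style events to flag the behaviour described above: a process whose image lives under an antivirus install directory receives a remote thread (Sysmon Event ID 8, CreateRemoteThread) and afterwards creates a file inside an antivirus install directory (Sysmon Event ID 11, FileCreate). The directory list, process names and event records are constructed for illustration and are not telemetry from a real host.

```python
"""Correlate Sysmon-style JSON-lines events to spot an AV-whitelisted process
that was injected into and then wrote into an antivirus install directory.
All directories, process names and events here are constructed sample data."""
import json

# Assumed list of AV install directories to watch; adjust to your estate.
AV_DIRS = [
    r"C:\Program Files\Windows Defender",
    r"C:\Program Files\Bitdefender",
    r"C:\Program Files\Trend Micro",
    r"C:\Program Files\Avast Software",
]


def under_av_dir(path: str) -> bool:
    """True if path lies inside one of the watched AV directories (case-insensitive)."""
    low = path.lower().replace("/", "\\")
    return any(low.startswith(d.lower() + "\\") for d in AV_DIRS)


def find_suspicious_writes(events):
    """Return one finding per FileCreate into an AV directory made by a process
    that earlier received a remote thread while running an AV-directory image.
    Events must be in chronological order, as Sysmon emits them."""
    injected = {}  # target PID -> image of the process that created the thread
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 8 and under_av_dir(ev.get("TargetImage", "")):
            injected[ev["TargetProcessId"]] = ev["SourceImage"]
        elif eid == 11 and under_av_dir(ev.get("TargetFilename", "")):
            pid = ev.get("ProcessId")
            if pid in injected:
                findings.append({
                    "time": ev.get("UtcTime"),
                    "pid": pid,
                    "av_process": ev.get("Image"),
                    "injector": injected[pid],
                    "written": ev["TargetFilename"],
                })
        elif eid == 5 and ev.get("ProcessId") in injected:
            # ProcessTerminate: forget the PID so a later reuse is not misattributed
            injected.pop(ev["ProcessId"])
    return findings


def parse_events(text: str):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry, oldest first. Only the 4321 sequence should fire:
# a normal updater write, an injection into a non-AV process, a write outside the
# AV folder, and a PID reused after termination are all expected to stay quiet.
SAMPLE_LOG = r"""
{"EventID": 11, "UtcTime": "2024-01-01 09:00:00", "ProcessId": 900, "Image": "C:\\Program Files\\Avast Software\\sample_updater.exe", "TargetFilename": "C:\\Program Files\\Avast Software\\defs\\new.bin"}
{"EventID": 8, "UtcTime": "2024-01-01 09:05:00", "SourceImage": "C:\\Users\\alice\\Downloads\\injector.exe", "SourceProcessId": 4000, "TargetProcessId": 4321, "TargetImage": "C:\\Program Files\\Windows Defender\\sample_av_tool.exe"}
{"EventID": 8, "UtcTime": "2024-01-01 09:05:10", "SourceImage": "C:\\Tools\\debugger.exe", "SourceProcessId": 5000, "TargetProcessId": 5555, "TargetImage": "C:\\Users\\alice\\app.exe"}
{"EventID": 11, "UtcTime": "2024-01-01 09:05:30", "ProcessId": 4321, "Image": "C:\\Program Files\\Windows Defender\\sample_av_tool.exe", "TargetFilename": "C:\\Program Files\\Windows Defender\\dropped.dll"}
{"EventID": 11, "UtcTime": "2024-01-01 09:05:31", "ProcessId": 4321, "Image": "C:\\Program Files\\Windows Defender\\sample_av_tool.exe", "TargetFilename": "C:\\Users\\alice\\out.txt"}
{"EventID": 5, "UtcTime": "2024-01-01 09:06:00", "ProcessId": 4321, "Image": "C:\\Program Files\\Windows Defender\\sample_av_tool.exe"}
{"EventID": 11, "UtcTime": "2024-01-01 09:30:00", "ProcessId": 4321, "Image": "C:\\Program Files\\Windows Defender\\sample_service.exe", "TargetFilename": "C:\\Program Files\\Windows Defender\\cache.dat"}
"""


if __name__ == "__main__":
    for finding in find_suspicious_writes(parse_events(SAMPLE_LOG)):
        print(finding)
```

Two caveats for anyone turning this into a production rule: Event ID 8 only observes CreateRemoteThread-style injection, so pair it with Event ID 10 (ProcessAccess, for suspicious access rights on an AV process) and Event ID 1 (an AV-directory binary whose parent is a user shell rather than the AV service); and writes by the vendor's own updater produce no alert here precisely because no injection precedes them, which keeps the rule quiet during normal definition updates.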
DefenderWrite: Abusing Whitelisted Programs for Arbitrary Writes
YouTube: https://www.youtube.com/watch?v=n8FuFoPEZHs
Some books you should read to sharpen your cybersecurity skills, especially in offensive security:
Books on Programming and Cybersecurity recommended by Zero Salarium Researchers
