Use this PowerShell module to execute PowerShell code at the antimalware-light protection level. This code was highlighted in the Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem REcon talk as well as Black Hat USA 2022. This module needs to run elevated. The purpose of this module is to highlight how the antimalware-light protection anti-tampering feature is only as strong as the weakest vendor's ELAM driver.
Thank you to the Microsoft Defender research team for working with me on this issue! When in doubt, if MSRC won't fix something because it's not a security boundary, the Defender team still likely cares very much!
Load the module:
Import-Module .\AntimalwareBlight.psm1View its exported functions:
Get-Command -Module AntimalwareBlightView help for the module's functions:
Get-Help Invoke-AntimalwareLightCommand -FullNote: Invoke-AntimalwareLightCommand is deliberately not fully weaponized. It is up to the user to locate an overly permissive ELAM driver that permits Microsoft-signed code (TBS hash: E17764C39F2AFD7114F8528D2F9783D9A591F6679715EECE730A262CF5CFD3B3)