Use this PowerShell module to execute PowerShell code at the antimalware-light protection level. This code was highlighted in the REcon talk "Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem" as well as at Black Hat USA 2022. This module must be run from an elevated PowerShell session. The purpose of this module is to highlight that the antimalware-light anti-tampering protection is only as strong as the weakest vendor's ELAM driver.
Thank you to the Microsoft Defender research team for working with me on this issue! When in doubt, if MSRC won't fix something because it's not a security boundary, the Defender team still likely cares very much!
Load the module:

```powershell
Import-Module .\AntimalwareBlight.psm1
```

View its exported functions:

```powershell
Get-Command -Module AntimalwareBlight
```

View help for the module's functions:

```powershell
Get-Help Invoke-AntimalwareLightCommand -Full
```
Note: `Invoke-AntimalwareLightCommand` is deliberately not fully weaponized. It is up to the user to locate an overly permissive ELAM driver that permits Microsoft-signed code (TBS hash: E17764C39F2AFD7114F8528D2F9783D9A591F6679715EECE730A262CF5CFD3B3).