Use this PowerShell module to execute PowerShell code at the antimalware-light protection level. This code was highlighted in the Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem REcon talk. This module needs to run elevated. The purpsoe of this module is to highlight how the antimalware-light protection anti-tampering feature is only as strong as the weakest vendor ELAM driver.
Thank you to the Microsoft Defender research team for working so diligently on a fix! When in doubt, if MSRC won't fix something because it's not a security boundary, the Defender team still likely cares very much!
Load the module:
Import-Module .\AntimalwareBlight.psm1View its exported functions:
Get-Command -Module AntimalwareBlightView help for the module's functions:
Get-Help Invoke-AntimalwareLightCommand -FullNote: Invoke-AntimalwareLightCommand is deliberately not fully weaponized. It is up to the user to locate an overly permissive ELAM driver that permits Microsoft-signed code (TBS hash: E17764C39F2AFD7114F8528D2F9783D9A591F6679715EECE730A262CF5CFD3B3)