PowerLine icon indicating copy to clipboard operation
PowerLine copied to clipboard

Published 20 hours ago verified publisher icon fullmetalcache

PowerLine and defender in Win 10

Open slavadba opened this issue 4 years ago • 0 comments

Hi,

I tested several scripts, the results are as follows:

1 ) mimikatz - access denied. If I turn off WD - its not worked but with diffrent errors, so - its another story, but defender some catches it anyway.

2 ) empire http listener and https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1

here very strange situation: its not blocked directly (no notifications from WD and so on) but its not worked. Those - if I turn off WD - its fine, all goes well. But then its running - no way: empire and WCMDump just "dies" without any messages:

C:\DISTR\POWERLINE\PowerLine-master\PowerLine-master\PowerLine>PowerLine.exe Invoke-WCMDump "Invoke-WCMDump"

Command Invoked: Invoke-WCMDump

C:\DISTR\POWERLINE\PowerLine-master\PowerLine-master\PowerLine>

So, something has changed in WD and its rules - maybe you have some clues how solve it? Especially interested in the option with Empire

slavadba avatar Jun 07 '20 19:06 slavadba