fullmetalcache / PowerLine

301 stars 65 forks

PowerLine and defender in Win 10 #12

Open slavadba opened 4 years ago

slavadba commented 4 years ago

Hi,

I tested several scripts, the results are as follows:

1) mimikatz - access denied. If I turn off WD, it doesn't work either, but with different errors, so that's another story, but Defender somehow catches it anyway.

2) Empire HTTP listener and https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1

Here is a very strange situation: it's not blocked directly (no notifications from WD and so on), but it doesn't work. That is, if I turn off WD, it's fine, everything goes well. But when WD is running, no way: Empire and WCMDump just "die" without any messages:

C:\DISTR\POWERLINE\PowerLine-master\PowerLine-master\PowerLine>PowerLine.exe Invoke-WCMDump "Invoke-WCMDump"

Command Invoked: Invoke-WCMDump

C:\DISTR\POWERLINE\PowerLine-master\PowerLine-master\PowerLine>

So, something has changed in WD and its rules. Maybe you have some clues on how to solve it? I'm especially interested in the option with Empire.