GreatXML is a BitLocker bypass against Windows 11 24H2 that needs nothing beyond physical access and two XML files. Drop an attacker-controlled unattend.xml and ReAgent.xml into the root of the recovery partition; on the next Defender Offline reboot, WinPE honours them at the Setup pass and spawns an Administrator conhost.exe on top of the splash screen. The C: volume is already TPM-unsealed at that point, so the shell can cd C: and read everything. There is no crypto attack and no kernel exploit involved. We reproduce the README, both XML files and both proof screenshots, explain why it works, and give a hardening checklist (TPM+PIN, reagentc /disable, recovery-partition integrity).
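The three checklist items above can be checked from an elevated PowerShell prompt. The script below is an added example written for this page; it is not part of the GreatXML README or its XML files. It assumes Windows 10/11 with the built-in BitLocker and Storage modules, a GPT disk whose recovery partition reports `Type` = `Recovery`, and English-language `reagentc /info` output; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the GreatXML write-up. Checks the three mitigations the
# post's hardening checklist names: TPM+PIN on C:, WinRE disabled, and no
# unattend.xml / ReAgent.xml sitting in the recovery partition root.

function Test-BitLockerPinProtector {
    # A TPM-only protector unseals C: before WinPE/WinRE asks the user anything;
    # a TPM+PIN (or TPM+PIN+startup key) protector forces the PIN prompt first.
    $vol   = Get-BitLockerVolume -MountPoint 'C:'
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    [pscustomobject]@{
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        HasTpmPin        = ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
    }
}

function Get-WinReStatus {
    # reagentc /info prints "Windows RE status: Enabled|Disabled" (English builds).
    $out = & reagentc.exe /info 2>&1
    $m   = $out | Select-String -Pattern 'Windows RE status:\s+(\w+)' | Select-Object -First 1
    $status = if ($m) { $m.Matches[0].Groups[1].Value } else { 'Unknown' }
    [pscustomobject]@{ Status = $status; Enabled = ($status -eq 'Enabled') }
}

function Find-RecoveryPartitionXml {
    # Temporarily assigns a drive letter to each recovery partition, reports whether
    # the two files GreatXML drops exist in its root, then removes the letter again.
    $parts = Get-Partition | Where-Object { $_.Type -eq 'Recovery' }
    foreach ($p in $parts) {
        $added = $false
        if ([int]$p.DriveLetter -eq 0) {
            Add-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AssignDriveLetter
            $p = Get-Partition -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber
            $added = $true
        }
        $root = "$($p.DriveLetter):\"
        try {
            foreach ($name in 'unattend.xml', 'ReAgent.xml') {
                $path = Join-Path $root $name
                [pscustomobject]@{
                    Disk      = $p.DiskNumber
                    Partition = $p.PartitionNumber
                    File      = $path
                    Present   = (Test-Path -LiteralPath $path)
                }
            }
        } finally {
            if ($added) {
                Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $root
            }
        }
    }
}

function Invoke-GreatXmlHardeningCheck {
    $pin   = Test-BitLockerPinProtector
    $winre = Get-WinReStatus
    $xml   = @(Find-RecoveryPartitionXml)

    Write-Host "BitLocker protectors on C: : $($pin.Protectors) (TPM+PIN: $($pin.HasTpmPin))"
    Write-Host "Windows RE status         : $($winre.Status)"
    $xml | Format-Table Disk, Partition, File, Present -AutoSize

    # Remediation (commands exist in-box; the PIN protector may need the
    # 'Require additional authentication at startup' policy to permit a PIN):
    #   manage-bde -protectors -add C: -TPMAndPIN
    #   reagentc /disable
    # Any Present = True row above means the recovery partition root carries an
    # XML file that should not be there and deserves a look before the next reboot.
}

Invoke-GreatXmlHardeningCheck
```

Assigning a letter to the recovery partition is the only intrusive step; the script removes it again in the `finally` block so `reagentc` and Windows Update keep working as before. On non-English builds the `Windows RE status` match will report `Unknown`, so read the raw `reagentc /info` output directly in that case.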
Microsoft Defender Now Monitors Remote RPC Activity: What It Catches and How to Hunt
Microsoft Defender now audits inbound remote RPC calls at OpNum-level granularity through a Windows Filtering Platform integration, surfacing telemetry in Advanced Hunting and feeding detections like Impacket-style hands-on-keyboard, suspicious remote service creation, LSA secrets theft, RPC user / session discovery, and authentication coercion — with sample KQL queries for Remote Registry abuse, remote service creation, and NetrSessionEnum-based session discovery.
Vulnerability: When Microsoft Defender Becomes the Primitive – RedSun PoC
The RedSun PoC shows how Windows Defender's file handling can be abused through filesystem races, Cloud Files APIs and reparse points to redirect privileged writes, escalating from a low-privileged user to SYSTEM.
BlueHammer: Exploiting Microsoft Defender Update Workflow to Leak SAM and Escalate to SYSTEM
BlueHammer shows how Microsoft Defender’s update workflow can be abused to redirect privileged file access to a Volume Shadow Copy. By exploiting filesystem races and NT namespace tricks, the technique leaks the SAM hive, extracts NTLM hashes, and enables privilege escalation to SYSTEM.
Reverse engineering undocumented Windows Kernel features to work with the EDR
This article demonstrates how to reverse engineer the Windows 11 kernel to understand undocumented internals behind memory operations and ETW Threat Intelligence events, helping security engineers improve EDR telemetry and detect remote process memory writes.
Windows Defender ACL Blocking: A Silent Technique With Serious Impact
The article analyzes a technique that disables Microsoft Defender by modifying file ACLs to block security services from accessing critical system DLLs. This silent method prevents Defender from starting without triggering obvious alerts.
EDR-Redir V2: Blind EDR With Fake Program Files
A technique leveraging Windows bind link features to redirect and loop parent folders (like Program Files/ProgramData) so an EDR sees attacker-controlled files as its own, enabling stealthy evasion and potential DLL hijacks.