Windows Defender Exclusion Abuser
Version: v1.0
Difficulty: Intermediate
Updated: 2025-01-15
Category: Evasion & Stealth

$39.99

Enumerates and exploits Defender exclusions:

  • Exclusion enumeration — Reads path, extension, and process exclusions from the registry and WMI.
  • Path abuse — If excluded paths exist, copies the payload there and executes without detection.
  • Extension abuse — If excluded extensions exist (.log, .tmp), renames the payload with that extension.
  • Process abuse — If excluded processes exist, injects into those specific processes.
  • Common exclusions — Database of common exclusions in enterprise environments (SQL Server paths, IIS, Exchange).