Introduction:
Windows Defender’s real-time monitoring is a key line of defense against malware, but red teamers have long exploited WMI (Windows Management Instrumentation) to toggle it off remotely with a single command. While the classic `wmic` one-liner works seamlessly on older Windows versions, Impacket’s implementation fails due to singleton class handling and parameter overload—issues that a patched `IWbemClassObject.callMethod()` now resolves, enabling fileless, low-noise lateral movement.
Learning Objectives:
- Understand how to disable Windows Defender Real-Time Monitoring via WMI and why the command fails on newer OS versions.
- Identify the root causes of Impacket’s inability to manipulate the `MSFT_MpPreference` singleton class.
- Learn to apply a patched method for reliable remote Defender manipulation and explore alternative exclusion tactics.
1. The Classic WMIC One-Liner and Its Limitations
The original attack vector is deceptively simple. Using wmic.exe, an attacker with administrative privileges on a remote machine can issue:
wmic /node:{victim_ip} /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference call Set DisableRealtimeMonitoring=TRUE
Step‑by‑step breakdown:
1. `/node:{victim_ip}` – Targets the remote host.
2. `/namespace:\\root\Microsoft\Windows\Defender` – Points to Defender’s WMI namespace.
3. `path MSFT_MpPreference` – Selects the Defender preference class.
4. `call Set DisableRealtimeMonitoring=TRUE` – Invokes the method to turn off real‑time scanning.
What it does:
The command directly modifies the in‑memory Defender configuration without writing to disk, making it fileless and evading many traditional file scanners. However, as noted, on Windows 11 this specific call no longer works, while adding exclusions still succeeds:
wmic /node:{victim_ip} /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference call Add ExclusionPath="C:\temp"
When to use it:
Ideal for lateral movement on Server 2019 and older builds where Defender lacks additional behavioral protections.
2. Why Impacket Fails: The Singleton and Parameter Packing Problem
When red teamers switch to Impacket’s `wmiexec.py` or direct DCOM/WMI bindings, the same `Set` call silently returns None. The root causes are technical but critical:
- Singleton class quirk: `MSFT_MpPreference` is a singleton – only one instance exists. Impacket’s dispatcher expects a key property to locate the instance, but a singleton has none, so the dispatch fails.
- Parameter overload: Invoking the method at class level forces Impacket to pack all 133 input parameters (including unused ones) into the RPC call. This wipes the user’s entire Defender configuration, often leading to a crash or no effect.
Demonstration of the Impacket failure:
from impacket.dcerpc.v5 import transport, scmr, wkst
# Typical wmiexec.py logic fails here: .Set() returns None and no change occurs
Verification on Windows:
Use `Get-MpPreference` before and after the Impacket call to confirm no real‑time monitoring toggle occurred.
3. The Patched Method: Fixing `IWbemClassObject.callMethod()`
William Wong’s contribution involves patching the `callMethod()` function within `IWbemClassObject` to handle the singleton correctly. The fixed implementation adjusts the `NdTable` encoding so that one RPC call flips only the intended settings: RealTimeMonitoring, Behavior, IOAV, Script, BlockAtFirstSeen, IPS, MAPS, PUA – leaving other Defender configurations untouched.
Step‑by‑step guide to apply the patch (for tool developers):
1. Locate the `IWbemClassObject` implementation in Impacket’s `dcerpc/v5/dcom/wmi.py`.
2. Modify `callMethod()` to detect singleton classes (`MSFT_MpPreference`).
   - Instead of packing all InParams, strip unused parameters and send only the target method’s arguments.
   - Encode the `NdTable` with the proper singleton reference (see the author’s upcoming wmiexec-Pro).
Expected result after patching:
# Patched call
callMethod(instance, "Set", {"DisableRealtimeMonitoring": True})
# Defender real-time monitoring disabled without side effects
Testing environment:
Only verified on Server 2019 – do not rely on Windows 11 for this specific disable technique.
4. Alternative: Adding Exclusions on Windows 11
Since disabling real‑time monitoring directly fails on Windows 11, red teamers can add exclusions to bypass scanning on specific folders or processes. This is still effective and often overlooked by EDR.
Command to add an exclusion (Windows 11 / Server 2022):
Remote via WMI
wmic /node:{victim_ip} /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference call Add ExclusionPath="C:\ProgramData\malicious"
Using PowerShell locally:
Add-MpPreference -ExclusionPath "C:\temp\payloads"
Add-MpPreference -ExclusionProcess "malware.exe"
Step‑by‑step for lateral movement:
1. Gain admin privileges on the remote Win11 host.
2. Use `wmic` (or `Invoke-WmiMethod` in PowerShell) to add an exclusion path.
3. Drop your tool or implant into the excluded folder.
4. Execute without triggering Defender real‑time scans.
Verify exclusions:
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
5. Linux-Based Lateral Movement Using Impacket (Before Patch)
Even with Impacket’s limitations, you can still interact with Defender via WMI for reconnaissance or exclusion management. Use `wmiexec.py` to execute PowerShell commands that modify Defender, though this approach is noisier.
From Kali Linux:
# Install Impacket if needed
pip3 install impacket
# Use wmiexec.py to run PowerShell
wmiexec.py domain/user:password@victim_ip 'powershell -Command "Add-MpPreference -ExclusionPath C:\temp"'
Alternatively, use `psexec.py` for service-based execution:
psexec.py domain/user:password@victim_ip 'cmd /c "wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference call Add ExclusionPath=C:\temp"'
Note: These methods create processes (wmiprvse.exe, psexesvc.exe) that may trigger EDR behavioral rules. The patched `wmiexec-Pro` aims to be quieter by using a single RPC call.
6. Bypassing EDR: Why This Still Works on Cortex and Others
According to the post’s comment, disabling Defender via this WMI method did not trigger alerts on Cortex EDR. Why? Many EDRs focus on API-level hooks (e.g., `NsSvc.dll` or AMSI), but legitimate administrative WMI calls to `MSFT_MpPreference` are often whitelisted. The fileless nature and use of native Windows interfaces allow the attack to blend in with normal configuration management.
For blue teams: Monitor WMI activity for `MSFT_MpPreference` method invocations, especially `Set DisableRealtimeMonitoring` or `Add ExclusionPath`. Use Sysmon event ID 19 (WmiEventFilter) and 21 (WmiEventConsumerToFilter) to track WMI consumers.
Red team tip: Before disabling, check current Defender status with:
wmic /node:{victim} /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference get DisableRealtimeMonitoring
7. Defensive Measures and Mitigations
To protect against these WMI-based attacks, implement the following:
- Restrict WMI access: Use Group Policy to limit WMI namespaces and users. Set DCOM permissions and `WMIMgmt.msc` to allow only authorized admins.
- Windows Defender Application Guard and Controlled Folder Access can block exclusion additions from non-trusted processes.
- Enable WMI auditing: Configure PowerShell script block logging to capture `Get-MpPreference` and `Set-MpPreference` calls.
- Deploy endpoint detection rules for the following commands:
wmic process call create "cmd /c wmic /namespace..."
powershell Invoke-WmiMethod -Class MSFT_MpPreference -Name Set
- Upgrade to Windows 11 or Server 2022 where the direct `DisableRealtimeMonitoring` via WMI is no longer effective (though exclusions still work).
Linux-based detection: Monitor network traffic for MS-RPC endpoints (port 135, 445) with WMI-specific UUIDs (8d9f4e40-a03d-11ce-8f69-08003e30051b).
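As an added example (not code from the post, its author, or Impacket), the Python detector below serves both the blue-team note in section 6 and the command patterns listed in section 7: it classifies process-creation command lines (Sysmon event ID 1) and the records Defender itself writes when real-time protection is turned off (Microsoft-Windows-Windows Defender/Operational 5001) or a setting such as an exclusion changes (5007), which catches the change regardless of whether it arrived via wmic, PowerShell, or a direct DCOM call. The event records, field names, and message text are constructed here and modelled on those logs, so treat them as assumptions to adapt to your own telemetry.

```python
import re

# Constructed sample telemetry (not from a real host): Sysmon EID 1 command lines plus
# Microsoft-Windows-Windows Defender/Operational 5001/5007 message text.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": r"wmic /node:10.0.0.5 /namespace:\\root\Microsoft\Windows\Defender "
                             r"path MSFT_MpPreference call Set DisableRealtimeMonitoring=TRUE"},
    {"id": 1, "CommandLine": r"powershell Invoke-WmiMethod -Class MSFT_MpPreference -Name Set"},
    {"id": 1, "CommandLine": r"wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference "
                             r'call Add ExclusionPath="C:\ProgramData\malicious"'},
    {"id": 5007, "Message": r"Microsoft Defender Antivirus Configuration has changed. New value: "
                            r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\temp = 0x0"},
    {"id": 5001, "Message": "Microsoft Defender Antivirus Real-time Protection scanning for malware "
                            "and other potentially unwanted software was disabled."},
    {"id": 1, "CommandLine": r"wmic /namespace:\\root\cimv2 path Win32_OperatingSystem get Caption"},
]

# Any method invocation on the Defender preference class: wmic "call X" or Invoke-WmiMethod "-Name X".
MPPREF_CALL = re.compile(r"MSFT_MpPreference.*?(?:\bcall\b|-Name)\s+(\w+)", re.I)
RT_DISABLE_CMD = re.compile(r"DisableRealtimeMonitoring\s*[=\s]\s*(?:TRUE|1|\$true)\b", re.I)
EXCLUSION_CMD = re.compile(r"Exclusion(?:Path|Process)", re.I)
# 5007 names the registry value it changed: exclusions under Exclusions\Paths or \Processes.
EXCLUSION_REG = re.compile(r"\\Exclusions\\(?:Paths|Processes)\\", re.I)
RT_DISABLE_REG = re.compile(r"DisableRealtimeMonitoring\s*=\s*0x1", re.I)


def classify(event):  # one alert label per event, or None when it is not Defender tampering
    eid = event["id"]
    if eid == 1:  # process creation: the command line carries the WMI call
        cmd = event.get("CommandLine", "")
        m = MPPREF_CALL.search(cmd)
        if not m:
            return None
        if RT_DISABLE_CMD.search(cmd):
            return "rt_disable_via_wmi"
        if EXCLUSION_CMD.search(cmd):
            return "exclusion_change_via_wmi"
        return "mppreference_%s_call" % m.group(1).lower()
    if eid == 5001:  # Defender itself reports real-time protection turned off
        return "rt_disable_reported_by_defender"
    if eid == 5007:  # configuration change: classify by the registry path it names
        msg = event.get("Message", "")
        if RT_DISABLE_REG.search(msg):
            return "rt_disable_reported_by_defender"
        if EXCLUSION_REG.search(msg):
            return "exclusion_change_reported_by_defender"
    return None


def scan(events):  # (index, label) pairs for every event that should raise an alert
    return [(i, v) for i, e in enumerate(events) if (v := classify(e))]
```

The 5001/5007 path matters most on Windows 11, where the disable call fails but exclusion adds still succeed and still produce a 5007 record.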
What Undercode Say
Key Takeaway 1: Classic WMI commands to disable Defender real‑time monitoring remain a potent fileless lateral movement technique, but they are broken on Windows 11 for disabling – exclusions are the new fallback.
Key Takeaway 2: Impacket’s failure stems from a singleton handling bug and aggressive parameter packing; a patched `IWbemClassObject.callMethod()` restores functionality and is forthcoming in wmiexec-Pro.
Analysis:
This technique underscores a persistent blind spot in EDRs: native WMI calls to trusted security providers are often excluded from scrutiny. While Microsoft has patched direct disabling on newer clients, the ability to add exclusions remains wide open, giving attackers a silent persistence mechanism. Red teams should prioritize exclusions over full disabling on Win11, while blue teams must aggressively log and alert on `MSFT_MpPreference` interactions. The forthcoming Impacket patch will likely be weaponized within weeks, making it essential for defenders to update their detection rules proactively.
Prediction
Future Windows builds will likely deprecate the `DisableRealtimeMonitoring` method entirely over WMI, forcing attackers to rely on kernel callbacks or exploitation of signed drivers. However, as long as exclusion management remains via WMI for enterprise manageability, red teams will continue to abuse Add ExclusionPath. Expect Microsoft to introduce additional warnings or require Defender Tamper Protection to be explicitly overridden via Group Policy, shifting the attack surface to credential theft and policy modification. Meanwhile, EDR vendors will start modeling normal WMI-based Defender configuration patterns to distinguish benign admin actions from malicious ones – raising the bar but not eliminating the threat.
Reported By: William Wong – Hackers Feeds