KDStab: post-exploitation tool to defeat Windows Defender
KDStab
This is a Beacon Object File combined implementation of Yaxser’s Backstab and pwn1sher’s KillDefender for use with Cobalt Strike.
KDStab is a post-exploitation tool to defeat Windows Defender (in theory it could work against other solutions as well, but this has not been tested) so that other post-ex tools may be used with less fear of detection. It leverages Backstab and KillDefender to accomplish this; both are called when appropriate by the kdstab Cobalt Strike command.
KDStab has been tested successfully on x64 Windows 10, Windows 11, and Server 2019.
KDStab requires Administrator or System-level access.
Primary functions:
- Enumerate the integrity of a process
- Strip a process of its privileges and set its integrity to Untrusted
- Kill a PPL-protected process
- List the handles for a PPL-protected process
- Close a specific handle for a PPL-protected process
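Added example, not part of KDStab, Backstab or KillDefender: a PowerShell function that reads a process's token integrity level (the value the integrity check above is concerned with) and, in addition, its PS_PROTECTION byte, so that a strip result can be verified from a separate elevated shell rather than taken on trust from the tool's own output. The function name Get-ProcessIntegrity and the Win32 wrapper class are assumptions of this example; the P/Invoke signatures are the documented Win32 ones, except NtQueryInformationProcess with information class 61 (ProcessProtectionInformation), which is an undocumented but long-stable ntdll class. Run it from an Administrator or SYSTEM context, as the page requires for KDStab itself.

```powershell
# Added example (not KDStab code): report integrity level and PPL status of a process.
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public static class Win32 {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr pSid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr pSid, uint nSubAuthority);
    // Undocumented information class 61 (ProcessProtectionInformation) returns one PS_PROTECTION byte.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass,
        IntPtr ProcessInformation, int ProcessInformationLength, out int ReturnLength);
}
"@
Add-Type -TypeDefinition $Win32

function Get-ProcessIntegrity {
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # granted even against PPL processes
    $TOKEN_QUERY                       = 0x0008
    $TokenIntegrityLevel               = 25       # TOKEN_INFORMATION_CLASS
    $ProcessProtectionInformation      = 61       # PROCESSINFOCLASS (assumed: undocumented but stable)
    $M = [Runtime.InteropServices.Marshal]

    $hProc = [Win32]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: $($M::GetLastWin32Error())" }
    try {
        # Integrity level = last sub-authority (RID) of the token's mandatory label SID (S-1-16-<RID>).
        $hTok = [IntPtr]::Zero
        if (-not [Win32]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
            throw "OpenProcessToken failed: $($M::GetLastWin32Error())"
        }
        try {
            $len = 0
            [void][Win32]::GetTokenInformation($hTok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
            $buf = $M::AllocHGlobal($len)
            try {
                if (-not [Win32]::GetTokenInformation($hTok, $TokenIntegrityLevel, $buf, $len, [ref]$len)) {
                    throw "GetTokenInformation failed: $($M::GetLastWin32Error())"
                }
                # TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES; its first member is the PSID.
                $pSid  = $M::ReadIntPtr($buf)
                $count = $M::ReadByte([Win32]::GetSidSubAuthorityCount($pSid))
                $rid   = $M::ReadInt32([Win32]::GetSidSubAuthority($pSid, $count - 1))
            } finally { $M::FreeHGlobal($buf) }
        } finally { [void][Win32]::CloseHandle($hTok) }

        $integrity = switch ($rid) {
            0x0000 { 'Untrusted' } 0x1000 { 'Low' }  0x2000 { 'Medium' }  0x2100 { 'MediumPlus' }
            0x3000 { 'High' }      0x4000 { 'System' } 0x5000 { 'ProtectedProcess' }
            default { 'Unknown(0x{0:X})' -f $rid }
        }

        # PS_PROTECTION byte: Type in bits 0-2, Audit in bit 3, Signer in bits 4-7.
        $pbuf = $M::AllocHGlobal(1)
        try {
            $ret = 0
            $status = [Win32]::NtQueryInformationProcess($hProc, $ProcessProtectionInformation, $pbuf, 1, [ref]$ret)
            if ($status -ne 0) { throw ('NtQueryInformationProcess failed: 0x{0:X8}' -f $status) }
            $prot = $M::ReadByte($pbuf)
        } finally { $M::FreeHGlobal($pbuf) }

        $type   = @('None', 'ProtectedLight', 'Protected')[$prot -band 0x7]
        $signer = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa',
                    'Windows', 'WinTcb', 'WinSystem', 'App')[($prot -shr 4) -band 0xF]
    } finally { [void][Win32]::CloseHandle($hProc) }

    [pscustomobject]@{
        ProcessId    = $ProcessId
        Name         = (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue).ProcessName
        Integrity    = $integrity
        IntegrityRid = '0x{0:X4}' -f $rid
        Protection   = "$type/$signer"
    }
}

# Usage: run before and after a strip. An untouched Defender service process is expected to show
# Integrity=System and Protection=ProtectedLight/Antimalware; after a successful strip the
# integrity field should read Untrusted while the protection field is unchanged.
Get-Process MsMpEng -ErrorAction SilentlyContinue | ForEach-Object { Get-ProcessIntegrity -ProcessId $_.Id }
```

The process handle is opened with PROCESS_QUERY_LIMITED_INFORMATION only, which a PPL process still grants to a non-protected caller; the token is then opened with TOKEN_QUERY, so the function reads state without depending on any driver-based handle acquisition. The PPL check is what distinguishes a process that was merely stripped from one whose protection was removed or whose process was killed and restarted.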
Examples
Check the integrity level of a process
Strip a process of its privileges and set its token to Untrusted
Result of /STRIP command
Kill a PPL-protected process
Install & Use
Copyright (c) 2022 Octoberfest7