Basic AV evasion and detection

Jose Campo
3 min readFeb 18, 2025

For the OSCP exam, AV evasion is rarely a concern. While the topic is covered in the course, it’s primarily tested in the PEN-300 exam. That said, understanding basic AV evasion is a valuable skill. In the real world, almost every Windows machine runs some form of endpoint protection. Let me show you a simple way to identify and bypass Windows AV.

Identifying

We can confirm whether Windows Defender is running by executing either of these commands:

  • tasklist | findstr MsMpEng.exe
  • ps | findstr "MsMpEng MpCmdRun"

Let's check the tasklist output first:

Interesting. We get an error. This is because the tasklist command requires administrative privileges to list processes owned by other users or system processes like MsMpEng.exe (which is part of Windows Defender and runs with SYSTEM privileges).

Let's try ps now:

Unlike tasklist, which requires administrative rights to list processes running under the SYSTEM account, ps does not have the same restrictions and can still display user-accessible processes. Windows Defender (MsMpEng) usually runs under SYSTEM, but depending…
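Putting the two checks together from an administrator's side: the script below is an added example, not code from the original post, and it assumes the Defender PowerShell module (Get-MpComputerStatus) is present, which holds on stock Windows 10/11 and Windows Server installs where Defender has not been removed. It reports whether the MsMpEng process is visible, whether the WinDefend service is running, and whether real-time protection is enabled, and it records whether the session is elevated so that an empty process listing can be read correctly.

```powershell
# Added example (not from the original post): report Windows Defender health
# the way an administrator verifying endpoint protection would.
# Assumes the Defender module (Get-MpComputerStatus) is available.

function Get-DefenderHealth {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        RunningAsAdmin       = $false
        EngineProcessVisible = $false
        ServiceState         = 'Unknown'
        RealTimeProtection   = $null
        AntispywareEnabled   = $null
        SignatureAgeDays     = $null
    }

    # Record whether the session is elevated, so a missing process entry can
    # be interpreted (visibility problem vs. Defender actually not running).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $result.RunningAsAdmin = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Process view: Get-Process (alias ps) lists other users' processes
    # without elevation; it only lacks detail for processes it cannot open.
    $engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    $result.EngineProcessVisible = [bool]$engine

    # Service view: WinDefend is the Defender antimalware service.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceState = $svc.Status.ToString() }

    # Configuration view from the Defender module, when it is installed.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        try {
            $status = Get-MpComputerStatus -ErrorAction Stop
            $result.RealTimeProtection = $status.RealTimeProtectionEnabled
            $result.AntispywareEnabled = $status.AntispywareEnabled
            $result.SignatureAgeDays   = $status.AntivirusSignatureAge
        } catch {
            Write-Verbose "Get-MpComputerStatus failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]$result
}

# Usage: print the report and flag the conditions worth following up on.
$health = Get-DefenderHealth
$health | Format-List

if (-not $health.EngineProcessVisible -or $health.ServiceState -ne 'Running') {
    Write-Warning 'Defender engine is not running; check for tampering or a third-party AV registered in its place.'
}
if ($health.RealTimeProtection -eq $false) {
    Write-Warning 'Real-time protection is disabled.'
}
```

Run it from any user session; only the Get-MpComputerStatus portion benefits from elevation, and the script degrades gracefully when that cmdlet is unavailable or denied.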
