A Beacon Object File (BOF) for Cobalt Strike that enumerates Windows Defender configuration by reading Event ID 5007 from the Defender Operational event log.
- Defender Exclusions: Discovers path and file exclusions
- ASR Exclusions: Finds Attack Surface Reduction exclusions
- ASR Rule States: Lists all configured ASR rules with their modes (Disabled/Block/Audit/Warn)
- Low Privileges: Works with standard user privileges - no admin rights required
- Stealthy: Uses native Windows Event Log API (no PowerShell, WMI, or registry queries)
- Lightweight: Runs in-process as a BOF
Defender exclusions are reported as registry paths under:
- HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\
ASR exclusions are reported as registry paths under:
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions
- HKLM\SOFTWARE\Microsoft\Windows Defender Exploit Guard\ASR\ASROnlyPerRuleExclusions
All Microsoft-defined ASR rules including:
- Block abuse of exploited vulnerable signed drivers
- Block credential stealing from lsass.exe
- Block Office applications from creating child processes
- Block executable content from email client
- And 15 more...
beacon> lowprivsexclusioncheckasr
The command takes no arguments and will:
- Query the Defender Operational event log
- Parse all Event ID 5007 entries (configuration changes)
- Extract and display:
  - Defender exclusions
  - ASR exclusions
  - ASR rule configurations
[*] LowPrivsExclusionCheckASR - Windows Defender ASR Scanner (BOF)
[*] Querying Event Log: Microsoft-Windows-Windows Defender/Operational
[*] Event ID: 5007 (Configuration changes)
[*] No admin privileges required
[*] Processed 42 events
===== Defender Exclusions =====
[+] HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\temp
[+] HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.tmp
===== ASR Exclusions =====
No ASR exclusions found.
===== ASR Summary =====
=> 8 rules configured
=> 2 Disabled ** 3 Audit ** 3 Block ** 0 Warn
===== ASR Rules =====
Rule ID : 5beb7efe-fd9a-4556-801d-275e5ffc04cc
Name : Block execution of potentially obfuscated scripts
Action : Block
Rule ID : 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Name : Block credential stealing from lsass.exe
Action : Block
[...]
[*] Scan Complete
Event ID 5007 only logs configuration changes. This means:
- Rules that were set but never modified will NOT appear
- Fresh installations with default settings may show no rules
- Historical changes are limited by log retention policy
To see ALL current rules (not just changed ones), use registry/WMI queries instead.
- No admin privileges required - works with standard user rights
- The Defender Operational event log is readable by standard users
- Event log access is governed by standard Windows security descriptors
- Opens a handle to the Microsoft-Windows-Windows Defender/Operational event log
- Queries for Event ID 5007 (configuration change events)
- Parses XML event data using simple pattern matching
- Extracts registry paths for exclusions and ASR rules
- Decodes ASR rule GUIDs to human-readable names
- Outputs organised results to beacon console
- EvtQuery() - Query the event log
- EvtNext() - Iterate over events
- EvtRender() - Extract the event XML
- EvtClose() - Clean up handles
- Uses the Beacon heap API (HeapAlloc/HeapFree)
- Fixed-size buffers (32KB XML buffer)
- Maximum of 256 exclusions and 32 ASR rules
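The same Event ID 5007 records are what a defender reviews to audit who weakened Defender and when. The following is an added example, not part of this BOF or the original research, showing the defender-side version of the parsing described above: it takes rendered 5007 XML (the form EvtRender() returns), pulls the Old Value/New Value fields, classifies the changed registry path as an exclusion, ASR exclusion or ASR rule, and flags weakening changes (new exclusions, rules moved to Disabled or Audit). The XML records are constructed sample data modelled on the 5007 EventData layout; the "Old Value"/"New Value" field names and the "<path> = <hex>" value format are assumptions to verify against events exported from a real host. The two GUID-to-name pairs come from the sample output above; it also illustrates the caveat that only changes are logged, since the removal event shows as an Old Value with an empty New Value.

```python
"""Audit Windows Defender configuration changes from rendered Event ID 5007 records."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# ASR action codes as they appear in the registry value written by the policy.
ASR_MODES = {0: "Disabled", 1: "Block", 2: "Audit", 6: "Warn"}

# GUID -> name pairs taken from the sample output above; a full table would be
# filled in from Microsoft's ASR rule reference.
ASR_RULE_NAMES = {
    "5beb7efe-fd9a-4556-801d-275e5ffc04cc": "Block execution of potentially obfuscated scripts",
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2": "Block credential stealing from lsass.exe",
}

EXCLUSION_RE = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+)$", re.I)
ASR_RULE_RE = re.compile(r"\\ASR\\Rules\\([0-9a-f-]{36})$", re.I)
ASR_EXCL_RE = re.compile(r"\\ASR\\(ASROnlyExclusions|ASROnlyPerRuleExclusions)\\(.+)$", re.I)


def make_event(old_value, new_value, event_id=5007):
    """Build a constructed event record (sample data, not captured from a host)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Windows Defender"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="Product Name">%%827</Data>
    <Data Name="Old Value">{old_value}</Data>
    <Data Name="New Value">{new_value}</Data>
  </EventData>
</Event>"""


def parse_5007(xml_text):
    """Return (old_value, new_value) from one rendered event, or None if it is not a 5007."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5007":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return data.get("Old Value", ""), data.get("New Value", "")


def split_setting(value):
    """'HKLM\\...\\Paths\\C:\\temp = 0x0' -> ('HKLM\\...\\Paths\\C:\\temp', '0x0')."""
    key, sep, val = value.rpartition(" = ")
    return (key.strip(), val.strip()) if sep else (value.strip(), None)


def classify(setting):
    """Map one setting string to a finding, or None if it is not a path this audit tracks."""
    key, val = split_setting(setting)
    m = EXCLUSION_RE.search(key)
    if m:
        return {"kind": "exclusion", "type": m.group(1), "target": m.group(2), "severity": "high"}
    m = ASR_EXCL_RE.search(key)
    if m:
        return {"kind": "asr_exclusion", "type": m.group(1), "target": m.group(2), "severity": "high"}
    m = ASR_RULE_RE.search(key)
    if m:
        guid = m.group(1).lower()
        mode = ASR_MODES.get(int(val, 16) if val else -1, f"unknown({val})")
        # Moving a rule to Disabled or Audit weakens protection; Block/Warn is informational.
        severity = "medium" if mode in ("Disabled", "Audit") else "info"
        return {"kind": "asr_rule", "rule": guid, "name": ASR_RULE_NAMES.get(guid, "unknown rule"),
                "mode": mode, "severity": severity}
    return None


def audit(xml_records):
    """Walk rendered records, keep 5007s, and emit findings in log order."""
    findings = []
    for rec in xml_records:
        parsed = parse_5007(rec)
        if parsed is None:
            continue
        old, new = parsed
        # A removal is logged as the old setting with an empty New Value.
        change, setting = ("set", new) if new.strip() else ("removed", old)
        if not setting.strip():
            continue
        finding = classify(setting)
        if finding:
            finding["change"] = change
            if change == "removed":
                finding["severity"] = "info"
            findings.append(finding)
    return findings


def asr_mode_counts(findings):
    """Per-mode tally of ASR rule findings, like the ASR Summary line in the sample output."""
    counts = {}
    for f in findings:
        if f["kind"] == "asr_rule":
            counts[f["mode"]] = counts.get(f["mode"], 0) + 1
    return counts


EXCL_BASE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
ASR_BASE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR"
# Constructed records: two exclusions added, one rule set to Block, one rule
# downgraded Block -> Audit, one exclusion removed, one non-5007 event.
SAMPLE_EVENTS = [
    make_event("", EXCL_BASE + r"\Paths\C:\temp = 0x0"),
    make_event("", EXCL_BASE + r"\Extensions\.tmp = 0x0"),
    make_event("", ASR_BASE + r"\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x1"),
    make_event(ASR_BASE + r"\Rules\5beb7efe-fd9a-4556-801d-275e5ffc04cc = 0x1",
               ASR_BASE + r"\Rules\5beb7efe-fd9a-4556-801d-275e5ffc04cc = 0x2"),
    make_event(EXCL_BASE + r"\Paths\C:\temp = 0x0", ""),
    make_event("", "ignored", event_id=1150),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['change']:7} {f}")
    print("ASR modes:", asr_mode_counts(audit(SAMPLE_EVENTS)))
```

On a real host the records would come from an export of the Operational log (for example `wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /q:"*[System[EventID=5007]]" /f:xml`), fed to `audit()` one event at a time. Because 5007 only records changes, this audit complements, rather than replaces, a baseline of the current exclusion and ASR state.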
Original research: Primusinterp
Original implementation: https://primusinterp.com/posts/WindowsASR/
Original code: https://github.com/Primusinterp/PrimusASR
Use for authorised security testing only. Unauthorised access to computer systems is illegal.