Windows Defender

Defender can be a pain, but generally bypasses are abundant. This page is focused on enumeration not bypasses.
https://learn.microsoft.com/en-us/powershell/module/defender/

Defender Enumeration with Powershell

Get-MpComputerStatus    #See the status of Defender 
Get-MpPreference        #See current Defender preferences
Add-MpPreference        #Change Defender Settings
Get-MpThreat            #See threat history for computer
Get-MpThreatCatalog     #Show any known threats
Get-MpThreatDetection   #Show all history for any detected threats
Remove-MpThreat         #Remove an active threat
Remove-MpPreference     #Create exclusion and default behavior 
Start-MpScan            #Start Defender Scan
Update-MpSignature      #Signature updates
Set-MpPreference        #Configures scans and updates

Processes

tasklist /v

look for:

MsMpEng.exe
MpCmdRun.exe

File System artifacts

download below files

dir "C:\ProgramData\Microsoft\Windows Defender\Support\MPLOG-<Datetime>.log"
dir "C:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-<Datetime>.log"

Registry

reg query "HKLM\Software\Microsoft\Windows Defender"
reg query "HKLM\Software\Microsoft\Windows Defender\Real-Time Protection"
reg query "HKLM\Software\Microsoft\Windows Defender\Features"
reg query "HKLM\Software\Microsoft\Windows Defender\SpyNet"
reg query "HKLM\Software\Microsoft\Windows Defender\Windows Defender Exploit Guard"
reg query "HKLM\Software\Microsoft\Windows Defender\exclusions\paths"

Enable Disable RealtimeProtection Powershell

Turn On Real-time Protection

Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableRealtimeMonitoring $false

Turn Off Real-time Protection

Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

See most recent threat

Get-MpThreatDetection
Get-MpThreatDetection | sort $_.InitialDecectionTime | select -First 1
Get-MpThreatDetection -ThreatID 2147894794

Status Details

Get-MpComputerStatus

Threat History

Get-MpThreat

PreviousWindows Kernel Vulnerabilities NextAMSI Bypasses

Last updated 3 months ago

hashtagDefender Enumeration with Powershell

hashtagProcesses

hashtagFile System artifacts

hashtagRegistry

hashtagEnable Disable RealtimeProtection Powershell

hashtagSee most recent threat

hashtagStatus Details

hashtagThreat History

Defender Enumeration with Powershell

Processes

File System artifacts

Registry

Enable Disable RealtimeProtection Powershell

See most recent threat

Status Details

Threat History