I am constantly testing Defender and other Anti-Virus products on what they detect, and came across this nice tool called SharpKiller. Here is the link to the GitHub repository where you can read all about it:
Windows Defender did not like the tool, and this was running on Windows Server 2022 – fully patched. Defender actually deletes the .exe file.
Even trying to obfuscate it using these options did not work:
- InviShell
- Amsibypass
Other than that, running it is pretty simple, and it patches each instance: ones that are running and any new ones. Here is a screenshot of Sharp-Killer.exe running and, below that, the two (2) PowerShell windows:
Instances 8976 and 1752 below:
I also put together a quick video, no audio, just showing how each process gets patched when launched; it does not matter whether it is elevated or not:
A nice tool to add to your kit. All credit goes to S1lkys.