AV Enumeration with NetExec
I was finishing a small lab to test Ligolo with NetExec when I found this really useful module: enum_av. The timing was perfect, since right now I am focused on OSEP and looking for ways to get more value even without local admin rights. Let me show you why this module is worth knowing and how it can guide your next steps during an engagement.
The enum_av module in NetExec gives you a quick way to check which Antivirus or EDR solutions are present, even when you are not a local admin.
This helps you decide what kind of payloads to try, which machines to go after first, and how to build a simple map of AV and EDR across the network.
A workstation with only Windows Defender may be easier to move through than a domain controller or server protected by something stronger. This is probably not the case in one of the OffSec exams, but it is certainly a possibility in a real-life engagement.
What it Does
The module works by performing an authenticated check through WMI and the registry. In seconds, you can see whether a system is running Windows Defender, CrowdStrike, SentinelOne, or another solution. This information shapes how you operate: a host with only Defender may allow more flexibility than a server that is tightly monitored by a third-party EDR.
Let’s See this in Action
Let’s test it with “maria”, who is a valid domain user in my lab environment but not a local administrator:
Now let’s sweep the network using nxc and Maria’s credential:

nxc smb 192.168.192.0/24 -u maria -p 'Password123' -M enum_av

The results tell you which hosts are running Defender, CrowdStrike, SentinelOne, or something else.
The two hosts in my lab are only running Windows Defender, as we can see from the image above.
With this you can spot less protected endpoints, avoid heavily monitored ones for now, and plan lateral movement in a smarter way.
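To turn a sweep like the one above into the per-host AV/EDR map mentioned earlier, here is a small parser added for this post (not part of the original post and not NetExec’s own code). It assumes nxc’s column layout (module name, IP, port, hostname, message) and keys on product names inside the ENUM_AV message, because the exact wording of that message is an assumption; the sample output lines are constructed. Hosts that authenticated but reported no product are listed separately, which is the same “no agent here” finding a defender would want to chase down.

```python
import re

# Constructed sample of nxc output for the sweep discussed above.
# Column layout (module, IP, port, hostname, message) follows nxc's logger;
# the ENUM_AV message wording is an assumption, hence the name-based matching.
SAMPLE_OUTPUT = """\
SMB         192.168.192.10  445    DC01    [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:lab.local)
SMB         192.168.192.10  445    DC01    [+] lab.local\\maria:Password123
ENUM_AV     192.168.192.10  445    DC01    [+] Found Windows Defender INSTALLED
SMB         192.168.192.20  445    WS01    [+] lab.local\\maria:Password123
ENUM_AV     192.168.192.20  445    WS01    [+] Found Windows Defender INSTALLED
ENUM_AV     192.168.192.20  445    WS01    [+] Found CrowdStrike INSTALLED
SMB         192.168.192.30  445    SRV02   [+] lab.local\\maria:Password123
SMB         192.168.192.40  445    SRV03   [-] lab.local\\maria:Password123 STATUS_LOGON_FAILURE
"""

# Product names the post mentions; extend as needed for your environment.
KNOWN_PRODUCTS = ("Windows Defender", "CrowdStrike", "SentinelOne")

LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)"
    r"\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)


def build_av_map(output):
    """Return {hostname: set(products)} for every host the sweep authenticated to."""
    av_map = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banners, blank lines, anything not in column form
        proto, host, msg = m["proto"], m["host"], m["msg"].strip()
        if proto == "SMB" and msg.startswith("[+]"):
            av_map.setdefault(host, set())  # reachable, auth worked, no product yet
        elif proto == "ENUM_AV":
            found = {p for p in KNOWN_PRODUCTS if p.lower() in msg.lower()}
            if not found:  # unrecognised product: keep the raw message for review
                found = {msg.lstrip("[+] ").strip()}
            av_map.setdefault(host, set()).update(found)
    return av_map


def coverage_gaps(av_map):
    """Hosts that authenticated but reported no AV/EDR product at all."""
    return sorted(host for host, products in av_map.items() if not products)


if __name__ == "__main__":
    av_map = build_av_map(SAMPLE_OUTPUT)
    for host, products in sorted(av_map.items()):
        print(f"{host:8} {', '.join(sorted(products)) or '<none reported>'}")
    print("no agent reported:", coverage_gaps(av_map))
```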
When testing Active Directory environments it is easy to focus only on credentials and paths to Domain Admin. But in practice, knowing what is defending the network can be just as important. This nxc module gives you a fast way to see which antivirus or EDR agents are running on remote hosts, even if you do not have local admin rights.
Do you use any other techniques to find AV or EDR agents on hosts? What do you think about this one? Let me know in the comments.
