Bypassing Windows Defender for Red Teaming Activity

To disable Windows Defender real-time protection

Fire up a PowerShell window as administrator and run the following command:

Set-MpPreference -DisableRealtimeMonitoring $true

From CMD, to reset Windows Defender to its factory-default definitions (this removes all the updated definitions it has downloaded):

*Admin rights are required

The command that needs to be executed:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

To also disable IOAV protection (scanning of downloaded files and attachments), run the following in PowerShell:

Set-MpPreference -DisableIOAVProtection $true

To add exclusions for a directory and a process

Add-MpPreference -ExclusionPath "C:\"
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"

Now, if Defender comes back to life, it will ignore C:\ even though its signatures will be updated.

Terminate Anti-Virus Processes

Taskkill /F /IM avprocess.exe

Stop and Disable Anti-Virus Services

net stop "service name"

To disable a Windows service

sc config "service name" start= disabled

Run a PowerShell .ps1 script, bypassing the execution policy, from a shortcut without opening a PowerShell terminal

Right-click on an empty area on your desktop and select Shortcut.
Paste the following in the ‘Browse’ box but replace the ‘Path to script’ with the actual path to the script you created.

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Utilities\+Misc\tog.ps1"

Once you’ve created the shortcut, right-click it and select the ‘Run as administrator’ option. When you run the shortcut as administrator, the .ps1 script will be executed.
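As an added, defender-side example that is not part of the original page, the following PowerShell function audits a host for the traces each of the steps above leaves behind: the Set-MpPreference/Add-MpPreference changes and exclusions, the service stop and start-type change, and a powershell.exe launch with -ExecutionPolicy Bypass. The Get-MpPreference/Get-MpComputerStatus properties and the event IDs are the documented ones for the named logs; the function name, the -Hours lookback window, the output shape and the message-matching patterns are this example's own choices.

```powershell
# Added example, not part of the original page: a defender-side audit that looks for the
# traces each step on the page leaves on the host. Run from an elevated PowerShell prompt.
# Event IDs are the documented ones for the named logs; the -Hours window, the output
# shape and the message-matching patterns are this example's own choices.

function Get-DefenderTamperReport {
    [CmdletBinding()]
    param(
        # Lookback window for the event-log queries (assumption: one day is a sensible default).
        [int]$Hours = 24
    )

    $pref     = Get-MpPreference
    $status   = Get-MpComputerStatus
    $since    = (Get-Date).AddHours(-$Hours)
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Configuration state: what Set-MpPreference / Add-MpPreference change.
    if ($pref.DisableRealtimeMonitoring)        { $findings.Add('DisableRealtimeMonitoring is set') }
    if ($pref.DisableIOAVProtection)            { $findings.Add('DisableIOAVProtection is set') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is not running') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine reports disabled') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off: preference changes take effect') }

    # Exclusions: a drive root such as C:\ excludes the whole system, so flag it separately.
    foreach ($p in $pref.ExclusionPath) {
        if ($p -match '^[A-Za-z]:\\?$') { $findings.Add("Drive-root exclusion: $p") }
        else                            { $findings.Add("Path exclusion: $p") }
    }
    foreach ($proc in $pref.ExclusionProcess) { $findings.Add("Process exclusion: $proc") }

    # 2. Defender's own operational log records every state change:
    #    5001 real-time protection disabled, 5004 real-time protection configuration changed,
    #    5007 platform configuration changed (new exclusions land here),
    #    5010 scanning for malware disabled, 5013 Tamper Protection blocked a change.
    $defenderEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5013
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # 3. Service Control Manager (System log): 7036 service stopped/started,
    #    7040 start type changed, i.e. the net stop / sc config start= disabled steps.
    $scmEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Defender|Antimalware|WinDefend' }

    # 4. PowerShell engine start events (Windows PowerShell log, Id 400) carry the host
    #    command line, so a shortcut launched with -ExecutionPolicy Bypass shows up here.
    $psEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '-ExecutionPolicy\s+Bypass' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SignatureLastUpdate = $status.AntivirusSignatureLastUpdated
        Findings            = $findings
        DefenderEvents      = @($defenderEvents | Select-Object TimeCreated, Id, Message)
        ServiceEvents       = @($scmEvents      | Select-Object TimeCreated, Id, Message)
        BypassLaunches      = @($psEvents       | Select-Object TimeCreated, Message)
    }
}

Get-DefenderTamperReport | Format-List
```

The configuration checks are authoritative; the three event-log sections are filtered by message text, which varies with Windows version and display language, so treat those patterns as a starting point rather than a signature. The preventive control for the first two sections of the page is Tamper Protection: when it is on, Set-MpPreference -DisableRealtimeMonitoring and the exclusion changes do not take effect, and Defender records the blocked attempt as event 5013, which is why the report calls out IsTamperProtected explicitly.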