From e3e2a02a9115a61da14dbdc78195b75dd192efeb Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Wed, 24 Mar 2021 20:36:58 -0700
Subject: [PATCH] Try more ways to kill defender on Win10
---
 Vagrant/scripts/join-domain.ps1 | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
index 552eac2a1..36858e9c9 100755
--- a/Vagrant/scripts/join-domain.ps1
+++ b/Vagrant/scripts/join-domain.ps1
@@ -52,3 +52,29 @@ If ($hostname -ne "win10" -And (Get-Service -Name WinDefend -ErrorAction Silentl
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) We'll try again during install-red-team.ps1"
 }
 }
+
+# Disable a bunch of Defender related registry keys for Win10
+# Source: https://gist.github.com/vestjoe/f1d829e81883b880b970ff171fd8ceec
+if ((Get-CimInstance -ClassName CIM_OperatingSystem).Caption -like "Microsoft Windows 10*") {
+ # Turn Off Windows Defender
+ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
+ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
+ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
+ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
+
+ # Cloud-protection level
+ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpCloudBlockLevel /t REG_DWORD /d 0 /f
+
+ # Disabling 'Join Microsoft MAPS'
+ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
+ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
+
+ # Disable Bypassing Windows Defender SmartScreen Prompts for Sites in Microsoft Edge
+ REG ADD "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v PreventOverride /t REG_DWORD /d 0 /f
+
+ # Disable “Publisher Could Not Be Verified” Messages to .exe , .dll , .bat files
+ REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v LowRiskFileTypes /t REG_SZ /d ".exe;.dll;.bat" /f
+
+ # Tamper Features
+ REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
+}
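Review bot: None of the `REG ADD` calls inside the new Windows 10 branch checks its result, so a refused or failed write passes silently and provisioning continues as if Defender had been disabled; the last one, `TamperProtection` under `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`, is the likeliest to be refused while Tamper Protection is active, and if it is, the earlier policy values are probably ineffective too. The rest of this script logs each step with a timestamped `Write-Host`, as the hunk's context line shows, so add the same after each call, e.g. `if ($LASTEXITCODE -ne 0) { Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) REG ADD failed ($LASTEXITCODE) for TamperProtection" }`, or route the writes through one small helper that does the check once. Two smaller points: the `LowRiskFileTypes` value is written to `HKCU`, i.e. the hive of whichever account runs the provisioner rather than the domain users created later, which deserves a comment; and the comment above `PreventOverride` says bypassing is disabled while the value written is `0`, which looks like the opposite, so the intended value should be confirmed. The `If` block whose closing braces form the hunk's context begins outside the hunk.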