Red Team Pentesters Guide | Windows Defender

1.   To disable real-time-protection Windows Defender

Fire up a PowerShell window as administrator and run the following command:

Set-MpPreference -DisableRealtimeMonitoring $true

2.    At CMD to Disable Windows Defender and Reset it to Factory Default it will remove its all updated definitions.

*Admin rights are required

The command that needs to be executed:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true

3.    To add an Exception Directory and Process

powershell

Add-MpPreference -ExclusionPath "C:\"

Add-MpPreference -ExclusionProcess "c:\internal\test.exe"

Now if Defender comes back to life it will ignore C:\ although it’s signatures will be updated.

4.    Terminate Anti-Virus Processes

Taskkill /F /IM avprocess.exe

5.    Stop and Disable Anti-Virus Services net stop “service name”

6.    To disable a Windows service

sc config "service name" start= disabled

7.    Run Powershell ps1 script with Bypassing Execution Policy without opening Powershell Terminal using shortcut

Right-click on an empty area on your desktop and select Shortcut. 
Paste the following in the ‘Browse’ box but replace the ‘Path to script’ with the actual path to the script you created.

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Utilities\+Misc\tog.ps1"

Once you’ve created the shortcut, right-click it and select the ‘Run as administrator’ option. 
When you run the shortcut as administrator, our ps1 script will be executed.