I’ve been developing a new payload for the Bash Bunny using external tools but a lot of them get flagged by Windows Defender - so I turned my attention to disabling Windows Defender and found some interesting information.
I wanted to disable Windows Defender temporarily, just enough time to run the attack and then re-enable it. At most it would be disabled for a few seconds - my aim was to leave as few traces as possible. But as I discovered disabling Defender is easier said than done, which is a good thing for Windows, IT departments and security, but bad for my attack. I tried changing the registry, local group policy, elevating permissions to admin, but I couldn’t disable Defenders real-time protection. I tried adding exclusions via the registry, but I was still blocked. I found that making changes to anything regarding Windows Defender requires higher privileges than Administrator or NT Authority\SYSTEM, it requires TrustedInstaller. For example, making a change to an existing registry value or creating one under HKLM:\SOFTWARE\Microsoft\Windows Defender requires TrustedInstaller, but removing the value is denied.
So, I could disable Defender by creating the DisableRealtimeMonitoring DWORD but I couldn’t re-enable it by deleting or renaming the value, because I didn’t have access. I worked around it by stopping the Windows Defender service, which makes a bigger change to the system than I wanted to, but it accomplished my goal. To elevate my privileges to TrustedInstaller I found a tool called RunAsTI by Joakim Schicht, the tool is available on his GitHub here. I used RunAsTI to launch a PowerShell session as TrustedInstaller and stopped the Windows Defender service, and then ran my attack.
I hope this article is useful to you. If you want to get in touch with me please feel free to use the comments, Twitter or my contact form. Please consider supporting my work: monthly on patreon, or by buying me a coffee with paypal, or ko-fi.