I’ve been developing a new payload for the Bash Bunny that relies on external tools, but a lot of them get flagged by Windows Defender, so I turned my attention to disabling Windows Defender and found some interesting information along the way.
I wanted to disable Windows Defender temporarily, just long enough to run the attack, and then re-enable it. At most it would be disabled for a few seconds; my aim was to leave as few traces as possible. As I discovered, disabling Defender is easier said than done, which is a good thing for Windows, IT departments and security, but bad for my attack. I tried changing the registry, changing local group policy and elevating to Administrator, but I couldn’t disable Defender’s real-time protection. I tried adding exclusions via the registry, but I was still blocked. It turned out that changing anything about Windows Defender needs more than Administrator or NT AUTHORITY\SYSTEM: the keys under HKLM:\SOFTWARE\Microsoft\Windows Defender are owned by TrustedInstaller. In my testing, creating a value under that key, or changing an existing one, went through, but removing the value was denied. (One caveat for anyone repeating this on a current build: since Windows 10 1903, Tamper Protection blocks these registry and service changes outright, even from SYSTEM; Get-MpComputerStatus reports it as IsTamperProtected.)
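Before fighting the access-denied errors, it helps to see exactly what the kernel grants the token you are running as. The script below is an added example, not code from the original post or from any of the tools it mentions; it assumes an elevated PowerShell prompt on the target and uses only built-in cmdlets and .NET registry classes. It prints the owner and ACEs of the Defender key, then probes each right by actually opening the key with that access mask, so deny ACEs, group membership and inheritance are resolved the same way the OS resolves them.

```powershell
# Added example; not code from the original post or from RunAsTI.
# Run in an elevated PowerShell prompt on the target.
$subKey  = 'SOFTWARE\Microsoft\Windows Defender'
$keyPath = "HKLM:\$subKey"

# 1. Owner and access control entries as stored on the key.
$acl = Get-Acl -Path $keyPath
"Key   : $keyPath"
"Owner : $($acl.Owner)"
$acl.Access |
    Select-Object AccessControlType, IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize

# 2. Effective rights for the current token, tested by opening the key with a
#    specific access mask. An access-denied open surfaces as SecurityException
#    (or UnauthorizedAccessException on some hosts); a missing key returns $null.
function Test-RegistryRight {
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [System.Security.AccessControl.RegistryRights] $Right
    )
    try {
        $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
                $SubKey,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                $Right)
        if ($null -eq $k) { return $false }   # key does not exist
        $k.Close()
        return $true
    }
    catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return $false                          # this mask is denied to our token
    }
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
"Effective rights for $me on $keyPath"
foreach ($right in 'ReadKey', 'SetValue', 'CreateSubKey', 'Delete',
                   'ChangePermissions', 'TakeOwnership') {
    '{0,-18} {1}' -f $right, (Test-RegistryRight -SubKey $subKey -Right $right)
}
```

Two things to read off the output. First, run it once as Administrator and once from a TrustedInstaller shell; the difference in the ChangePermissions and TakeOwnership rows is why the author needed RunAsTI. Second, note that SetValue (KEY_SET_VALUE) is the mask that covers creating, changing and deleting values alike, while Delete applies to the key itself. If the probe reports SetValue as granted but deleting DisableRealtimeMonitoring still fails, the block is not coming from the key's ACL but from Defender's own protection of its settings, which is what Tamper Protection enforces on newer builds.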
So I could disable Defender by creating the DisableRealtimeMonitoring DWORD, but I couldn’t re-enable it by deleting or renaming the value, because I didn’t have access. I worked around it by stopping the Windows Defender service (WinDefend), which is a bigger change to the system than I wanted to make, but it accomplished my goal. To elevate to TrustedInstaller I used a tool called RunAsTI by Joakim Schicht, available on his GitHub. I used RunAsTI to launch a PowerShell session as TrustedInstaller, stopped the Windows Defender service, and then ran my attack.
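Stopping the service rather than flipping a value is exactly the kind of "bigger change" that shows up in logs, so here is the detection side of the same procedure. The function below is an added example, not code from the original post; it scans event records for the Defender operational-log events that fire when real-time protection or configuration changes (5001, 5004, 5007, 5010, 5013) and for Service Control Manager events (7036, 7040) mentioning the Defender service. The sample records are constructed here to mirror the fields Get-WinEvent returns, the event labels are my summaries rather than the exact Message text Windows writes, and the Message strings in the samples are illustrative.

```powershell
# Added example; not code from the original post. Finds the footprint that
# disabling real-time protection or stopping WinDefend leaves in the event logs.

# Defender operational-log event IDs worth alerting on. Labels are summaries,
# not the literal Message text Windows writes.
$DefenderEvents = @{
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Defender configuration changed (policy/registry)'
    5010 = 'Malware scanning disabled'
    5013 = 'Tamper protection blocked a change'
}
$DefenderProvider = 'Microsoft-Windows-Windows Defender'
# Display names the service has carried, plus its short name.
$ServicePattern   = 'Windows Defender Antivirus Service|Microsoft Defender Antivirus Service|WinDefend'

function Find-DefenderTamperEvents {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        $finding = $null

        if ($e.ProviderName -eq $DefenderProvider -and $DefenderEvents.ContainsKey([int]$e.Id)) {
            $finding = $DefenderEvents[[int]$e.Id]
        }
        # SCM: 7036 = service state change, 7040 = start type change.
        if ($e.ProviderName -eq 'Service Control Manager' -and
            ([int]$e.Id -in 7036, 7040) -and
            $e.Message -match $ServicePattern) {
            $finding = "Defender service state/start-type change (SCM $($e.Id))"
        }

        if ($finding) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Log     = $e.LogName
                Finding = $finding
            }
        }
    }
}

# Constructed sample records (illustrative Message text), shaped like the
# objects Get-WinEvent returns, showing the sequence from the attack above.
$t = Get-Date '2024-01-15 10:00:00'
$defLog = 'Microsoft-Windows-Windows Defender/Operational'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t;               Id = 5007; ProviderName = $DefenderProvider;         LogName = $defLog;  Message = 'Configuration has changed: DisableRealtimeMonitoring' }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(1); Id = 5001; ProviderName = $DefenderProvider;         LogName = $defLog;  Message = 'Real-time protection is disabled.' }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(2); Id = 1001; ProviderName = $DefenderProvider;         LogName = $defLog;  Message = 'Scan finished.' }             # benign, must not match
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(5); Id = 7036; ProviderName = 'Service Control Manager'; LogName = 'System'; Message = 'The Windows Defender Antivirus Service service entered the stopped state.' }
    [pscustomobject]@{ TimeCreated = $t.AddSeconds(6); Id = 7036; ProviderName = 'Service Control Manager'; LogName = 'System'; Message = 'The Print Spooler service entered the running state.' }  # benign
)

Find-DefenderTamperEvents -Events $sample | Format-Table -AutoSize
# Expected on the sample: three rows (5007, 5001, 7036 for the Defender service);
# the scan-finished and Print Spooler records are ignored.

# Live use on the host, last 24 hours:
# $live = Get-WinEvent -FilterHashtable @{
#     LogName   = $defLog, 'System'
#     StartTime = (Get-Date).AddDays(-1)
# }
# Find-DefenderTamperEvents -Events $live | Format-Table -AutoSize
```

The point for the attacker is the converse of the point for the defender: even a few seconds with the service stopped produces a 5001 and a 7036 in logs the attacker cannot edit without further privilege, so "leave as few traces as possible" is not really achievable this way. For the defender, forward the Defender operational log and System log centrally and alert on this set; on hosts with Tamper Protection, a 5013 is the signal that someone tried.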