This page looks best with JavaScript enabled

Elevating Permissions To Disable Windows Defender

 ·  ☕ 2 min read

I’ve been developing a new payload for the Bash Bunny using external tools but a lot of them get flagged by Windows Defender - so I turned my attention to disabling Windows Defender and found some interesting information.

I wanted to disable Windows Defender temporarily, just enough time to run the attack and then re-enable it. At most it would be disabled for a few seconds - my aim was to leave as few traces as possible. But as I discovered disabling Defender is easier said than done, which is a good thing for Windows, IT departments and security, but bad for my attack. I tried changing the registry, local group policy, elevating permissions to admin, but I couldn’t disable Defenders real-time protection. I tried adding exclusions via the registry, but I was still blocked. I found that making changes to anything regarding Windows Defender requires higher privileges than Administrator or NT Authority\SYSTEM, it requires TrustedInstaller. For example, making a change to an existing registry value or creating one under HKLM:\SOFTWARE\Microsoft\Windows Defender requires TrustedInstaller, but removing the value is denied.

So, I could disable Defender by creating the DisableRealtimeMonitoring DWORD but I couldn’t re-enable it by deleting or renaming the value, because I didn’t have access. I worked around it by stopping the Windows Defender service, which makes a bigger change to the system than I wanted to, but it accomplished my goal. To elevate my privileges to TrustedInstaller I found a tool called RunAsTI by Joakim Schicht, the tool is available on his GitHub here. I used RunAsTI to launch a PowerShell session as TrustedInstaller and stopped the Windows Defender service, and then ran my attack.

If you have any questions or comments please leave them below.


Share on
Support the author with