
Windows Defender more Secure

Open watchdog2000 opened this issue 5 years ago • 2 comments

The typical payload to disable Windows Defender does not work anymore, due to the ‘tamper protection’. From what I can tell, the only way to turn off tamper protection is to navigate to the Windows Security settings, dive through their settings, flick off the switch for tamper protection, bypass UAC, and then disable Windows Defender real-time protection. Is there perhaps any other way to achieve this that is more efficient?

watchdog2000, Jun 16 '20 10:06

Hello. I have been researching this issue as well. According to the documentation that I have read, Tamper Protection can be disabled either manually using the GUI, by having the rubber ducky act as a mouse (https://blog.jfedor.org/2020/09/usb-rubber-ducky-with-mouse-input.html), or through an organization using Microsoft Intune to set security policy settings.

I am just grasping at straws here, but perhaps we can make a malicious Azure Server which distributes security policies to a targeted Windows host to disable tamper protection. It would have to be part of the rubber ducky payload, either HID keyboard or mouse.

tanc7, Sep 11 '21 05:09

You can still add and remove an exclusion path with PowerShell using the following commands, which I think is better than disabling Defender.

Set-MpPreference -ExclusionPath "PATH"
Remove-MpPreference -ExclusionPath "PATH"

GamehunterKaan, Oct 23 '21 17:10
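
From the defender's side, the settings this thread talks about (tamper protection, real-time protection, exclusion paths) can be audited on a host with the built-in Defender cmdlets and the Defender operational log. The script below is an added example, not part of the thread or the project; the function name `Get-DefenderTamperAudit` and the 7-day look-back window are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: defender-side audit of the settings discussed in this thread.
# Exclusion values are only readable from an elevated session.

function Get-DefenderTamperAudit {          # hypothetical helper name
    param([int]$Days = 7)                   # assumed look-back window

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Current state: tamper protection, real-time protection, exclusion paths.
    [pscustomobject]@{
        Kind   = 'State'
        Time   = Get-Date
        Detail = "TamperProtected=$($status.IsTamperProtected); " +
                 "RealTime=$($status.RealTimeProtectionEnabled); " +
                 "ExclusionPaths=$(@($pref.ExclusionPath) -join ', ')"
    }

    # History: event 5001 = real-time protection disabled,
    #          event 5007 = Defender configuration changed.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 5001 -or $_.Message -match 'Exclusions\\Paths' } |
        ForEach-Object {
            # 5007 messages carry "Old value:" / "New value:" lines naming the key.
            $lines = $_.Message -split "`r?`n" |
                     Where-Object { $_ -match '^\s*(Old|New) value:' }
            $detail = ($_.Message -split "`r?`n")[0]
            if ($lines) { $detail = ($lines -join ' | ').Trim() }
            [pscustomobject]@{
                Kind   = "Event $($_.Id)"
                Time   = $_.TimeCreated
                Detail = $detail
            }
        }
}

Get-DefenderTamperAudit | Sort-Object Time | Format-Table -AutoSize -Wrap
```

An exclusion path that appears in the event history but was not set by policy, or a 5001 event on a host where tamper protection should be enforced, is worth investigating.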