Disabling Defender With Viss Episode 1 - Hak5 2416

Views: 66,595

Hak5

1 day ago

Comments: 99
@gabyi3646 6 years ago
I love the knowledge Viss shares in these videos but I also REALLY appreciate that there is always another host! I feel like I'm learning WITH them
@chrisvighagen 6 years ago
I'm a simple man, I see Viss, I click.
@wolfgonzalez8446 4 years ago
"I lost a lot of good malware that way" Me too! 😂
@MexieMex 6 years ago
Two people who both know the subject well talking about technical stuff, we need more of this on the internet!
@Oper8or 6 years ago
Simple and easy, but... using PS to traverse other available resources. It offers... more options. Like checking to see if it's alive, what's available, what shares are up, who is accessing them, etc. Excellent vid guys.
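An added example, not code from the Hak5 episode or from the commenter above, of the built-in PowerShell recon the comment describes: an alive check over ICMP and TCP/445, the TTL-based OS guess that comes up later in this thread (TTL 128 = Windows), and share and session enumeration on a host. Everything in it is a stock cmdlet; 'fileserver01' and 10.0.0.0/24 are placeholders, the CIM session needs local admin on the target, and ResponseTimeToLive is the Windows PowerShell 5.1 property (PowerShell 7 exposes the TTL under .Reply.Options.Ttl, which the code also handles).

```powershell
# Added example, not code from the Hak5 episode or the comment above.
# Built-in cmdlets only (no Empire, no extra modules). Placeholders:
# 'fileserver01' and 10.0.0.0/24 stand in for whatever the foothold can reach.

function Test-HostAlive {
    # ICMP first, then TCP/445, since hosts that drop ping still answer SMB.
    param([Parameter(Mandatory)][string]$Target)
    $icmp = Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue
    $smb  = Test-NetConnection -ComputerName $Target -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Target; Icmp = $icmp; Smb445 = $smb }
}

function Get-TtlOsGuess {
    # Same heuristic as the TTL=128 observation in this thread: Windows starts
    # at 128, most Linux/Unix at 64, network gear and some BSDs at 255. Each
    # router hop subtracts one, so pick the default just above the observed TTL.
    param([Parameter(Mandatory)][int]$Ttl)
    if     ($Ttl -le 64)  { 'Linux/Unix (base 64)' }
    elseif ($Ttl -le 128) { 'Windows (base 128)' }
    else                  { 'Network device / BSD-like (base 255)' }
}

function Get-ReplyTtl {
    # Windows PowerShell 5.1: Test-Connection returns Win32_PingStatus, which
    # carries ResponseTimeToLive. PowerShell 7 puts it under .Reply.Options.Ttl.
    param([Parameter(Mandatory)][string]$Target)
    $r = Test-Connection -ComputerName $Target -Count 1 -ErrorAction Stop
    if ($null -ne $r.ResponseTimeToLive) { $r.ResponseTimeToLive } else { $r.Reply.Options.Ttl }
}

function Get-RemoteShareInfo {
    # What is shared and who currently has it open. Needs local admin on the
    # target for the CIM session; a standard user can still list shares with
    # 'net view \\<host>' but will not see sessions.
    param([Parameter(Mandatory)][string]$Computer)
    $cim = New-CimSession -ComputerName $Computer -ErrorAction Stop
    try {
        $shares   = Get-SmbShare   -CimSession $cim | Select-Object Name, Path, Description
        $sessions = Get-SmbSession -CimSession $cim | Select-Object ClientComputerName, ClientUserName, NumOpens
        [pscustomobject]@{ Computer = $Computer; Shares = $shares; Sessions = $sessions }
    } finally {
        Remove-CimSession $cim
    }
}

# Usage (placeholders):
# 1..254 | ForEach-Object { Test-HostAlive "10.0.0.$_" } | Where-Object { $_.Icmp -or $_.Smb445 }
# Get-TtlOsGuess (Get-ReplyTtl 'fileserver01')
# Get-RemoteShareInfo 'fileserver01' | Format-List
```

The TTL guess is only a hint: a host sitting many hops away, or one with a tuned TTL, will land in the wrong bucket, so treat it the way the thread does, as a quick read rather than proof.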
@cliftoniamonophylla9171 6 years ago
Great vid. Always love seeing the stuff you do with @viss. Maybe he could have his own segment on the show?
@nitemareglitch 6 years ago
Alex Clifton Viss could have a few seasons of amazing. He da man.
@Cygnus0lor 6 years ago
He kinda does now...
@devanshkanda9618 2 years ago
Man that was 🔥🔥🔥. Thank you for sharing this knowledge 🙏❤️❤️ Love from an upcoming cyber security engineer ❤️
@ripmeep 6 years ago
Really cool video. I'm starting to challenge myself by writing my own exploits and this channel is so good
@buerger3 6 years ago
Yes, there is just one problem with this method: a normal user without administration rights cannot deactivate Defender. (At least not with this method shown, ahem ;) ) And most of the bigger companies do not give their bosses domain or local admin privileges and have at least two-factor authentication for their external access to their environment.
@TheAceTroubleshooter 6 years ago
Ones with decent tech employees.
@JonathanGray89 6 years ago
@buerger3 Yeah, and most people read the terms and conditions before clicking "I Agree" lol (jk)... If best practices were followed even half as much as they should be then hacking wouldn't be nearly as much of a thing.
@s1231-b2g 6 years ago
Exactly. We in the corporate world pretty much figure every user will expose themselves at some point as a vector. We protect by not giving anyone any admin rights and not relying on a built-in Microsoft product to protect against viruses. Use something that has its state monitored so a disabled AV client is identified on the spot. Even admins only use admin accounts when needed. Otherwise no rights on the daily-used login. Good tutorial here, but on a properly managed domain the commands would fail for most of these attempts. Source: been doing this since before Windows was a thing and we hacked across VMS to get to the 'internet'. Love Hak5.
@peregrinusoblivione4967 6 years ago
He does this for a living. I'm sure he knows the system privileges of upper management more than you do.
@WylieBayes 6 years ago
Based on the arguments you give Unicorn, it creates a Metasploit .rc file along with the powershell_attack.txt file, for launching via msfconsole -r unicorn.rc. Rather than creating your own multi/handler by hand with potential for mistakes/typos, it's easier just to use the RC file created by Unicorn.
@zachhockey 6 years ago
I love Viss. Kudos for having him on!
@CyberTeckyLLC 6 years ago
AHHHH! 'Master Phobos' has a VPS in NL! Always love good ole' 0p$3c... Quick request for future episodes: share notes when able. Love the effort... Keep up that great work!
@joebrown1897 6 years ago
From looking at the DOS box window, it looks like local admin is required for these attacks. So, if the local user does not have admin rights, then these attacks would fail - correct?
@GabREAL1983 6 years ago
Probably right, it's just another tactic which is also fine.
@rajivgovind305 6 years ago
Yes
@joebrown1897 6 years ago
Thank you. I was just wondering, as I was trying to evaluate the risk from this type of attack.
@feola69 6 years ago
Same thing I thought. Reason 1002 we don't give users local admin privileges. "I can't install any programs!" I wish I could homie.
@over00lordunknown12 6 years ago
Teacher: "Class, did you all study for the test?" Me: 2:30
@iJamezz 6 years ago
Great video! Loving it! I really like Viss, he is super interesting to watch. Keep it up Hak5
@gunslingerfourtysix 6 years ago
Where are the PowerShell scripts in the show notes??? And the Pastebin page for reference?
@gunslingerfourtysix 6 years ago
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableRealtimeMonitoring $true
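An added example, not the commenter's or the episode's code, that wraps the two Set-MpPreference lines above in the checks the rest of this thread keeps raising: the call only works from an elevated session (the local-admin point several commenters make), tamper protection silently wins over it, and a tester should record the previous state and put it back afterwards, including re-pulling definitions if they were removed with MpCmdRun.exe. It assumes the Defender PowerShell module (Get-MpComputerStatus, Set-MpPreference, Update-MpSignature), i.e. Windows 10/11 or Server 2016+; the IsTamperProtected property only exists on builds that ship tamper protection.

```powershell
# Added example; not from the episode or the comment above.
# Wraps Set-MpPreference in the checks a tester wants before and after
# touching Defender. Assumes the Defender module (Get-MpComputerStatus,
# Set-MpPreference, Update-MpSignature) is present, i.e. Windows 10/11 or
# Server 2016+.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DefenderState {
    # Readable from a standard user; this is what the "is it really off"
    # question in the thread boils down to.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        IoavProtection     = $s.IoavProtectionEnabled
        AntivirusEnabled   = $s.AntivirusEnabled
        # Property only exists on builds that ship tamper protection
        # (Windows 10 1903+); $null on older ones.
        TamperProtected    = $s.IsTamperProtected
        SignatureAgeDays   = $s.AntivirusSignatureAge
    }
}

function Disable-DefenderRealtime {
    # Returns the previous state so it can be restored later.
    if (-not (Test-IsElevated)) {
        throw 'Set-MpPreference needs an elevated (local admin) session; it fails for a standard user.'
    }
    $before = Get-DefenderState
    if ($before.TamperProtected) {
        Write-Warning 'Tamper protection is on: the change is ignored and Defender logs event ID 5013.'
    }
    Set-MpPreference -DisableRealtimeMonitoring $true
    Set-MpPreference -DisableIOAVProtection $true
    # Verify rather than trust the cmdlet's silence.
    $after = Get-DefenderState
    if ($after.RealTimeProtection) {
        Write-Warning 'Real-time protection is still on (tamper protection or policy won).'
    }
    $before
}

function Restore-DefenderRealtime {
    param([Parameter(Mandatory)] $Saved)
    if (-not (Test-IsElevated)) { throw 'Restoring also needs an elevated session.' }
    Set-MpPreference -DisableRealtimeMonitoring (-not $Saved.RealTimeProtection)
    Set-MpPreference -DisableIOAVProtection   (-not $Saved.IoavProtection)
    # If definitions were wiped with "MpCmdRun.exe -RemoveDefinitions -All"
    # (note the spelling), this pulls a fresh set; it is the cmdlet form of
    # "MpCmdRun.exe -SignatureUpdate".
    Update-MpSignature
    Get-DefenderState
}

# Usage:
#   $saved = Disable-DefenderRealtime
#   ... engagement work ...
#   Restore-DefenderRealtime -Saved $saved
```

The post-change read of Get-MpComputerStatus is the important part: Set-MpPreference does not complain when tamper protection or a managed policy discards the change, so checking RealTimeProtectionEnabled afterwards is the only way to know whether anything actually happened.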
@izatt82 6 years ago
This is exactly why previous good sys/net admins can be scary good on the red team. All this post-ex is already in their wheelhouse.
@bana2s 6 years ago
The way the asymmetric situation gets reversed once the red team "gets in" is exactly why I've been saying for some time that blue teams need to spend at least as much time, if not more, on detection as on vulnerability remediation. There's always a new exploit, but what attackers do once they're in is often very similar from one breach to the next.
@pberson 6 years ago
Thanks for introducing me to Empire
@TheAnalystradioprogram 6 years ago
This is geek nirvana. I could watch these two talk all day.
@tzisorey 6 years ago
"Imagine you're Mario, and you're under a million Bowsers, and you immediately lose as soon as you hit Start" ...Someone's been playing 100-life Super Expert on Super Mario Maker...
@anonymoushacker2860 3 years ago
At 6:49 you can see, down at the bottom right, that Windows Defender has been turned off on the target's computer. That means they are fooling people.
@Arachnoid_of_the_underverse 6 years ago
So rather than do these commands by hand, can you not automate them, or are you having to inspect the response each time to vary the attack vector?
@StephenCombs17 6 years ago
Viss, great video. One question regarding the lateral movement and dropping Defender and AMSI. Would you really want to do this in a pen test engagement? I realize we need to in order to pwn the network, but this also leaves the client extremely vulnerable during the engagement. Just trying to strike the balance of how far down the rabbit hole we should go. I guess we could take a bunch of quick screenshots and then turn it all back on? Any suggestions would be greatly appreciated.
@dhaiwatmehta2323 6 years ago
At 11:44 we can easily say that they are Windows PCs by looking at the TTL: it's 128 in both pings, which indicates a Windows PC.
@bana2s 6 years ago
Can't tell you how many times I've heard variations of "We are mighty developers, we don't need lowly sysadmins!".
@TheElijahMinistries 6 years ago
Very Groovy!!! The Root of All Shade from The Tree of Life!
@Dbently2g 6 years ago
This is interesting, I cannot figure out why my Defender is always turned off on startup when I haven't disabled it
@SecretLetters 5 years ago
Disabled tamper protection!? How dare you sir... how dare you...
@dadquestionmark 6 years ago
The sound is just slightly off track with the video, and it's really frustrating lol. But great video!
@darkchi1d1 6 years ago
I need more of this and more Viss
@stanly720 6 years ago
Can someone tell me why I don't get agents with Empire over WAN? I really wanna use Empire but it's basically impossible when I can't even get agents unless they're on my network :(
@grosgogogogt 3 years ago
OK, but how can I add the command to turn off Defender inside the exploit? Because the victim of the attack won't deactivate his antivirus like that.
@Canadian789119 6 years ago
How would you do that to a machine without Windows PowerShell? Assuming Defender is already off.
@themightyquinn1343 6 years ago
Sorry for my ignorance, I am really new to all of this, but I'm curious what exactly is "secret" about an RDP connection. Is it a special kind of server you're accessing? Are we assuming this is happening when nobody is around to see someone has logged in? I think this is cool, yes, but it seems pretty impractical in many scenarios, and a lot of assumptions seem to be necessary
@mototodd 5 years ago
Except Windows events were being sent to a SIEM and the Blue Team saw every time you turned Windows Defender off.
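An added example, not from the episode or the commenter above, of what that SIEM rule keys on. It reads the local Defender operational log for the events Defender writes when someone runs the Set-MpPreference lines posted in this thread and promotes the ones that matter to alerts. The event IDs are Microsoft's documented Defender Antivirus IDs; the 24-hour window and the regex used to filter 5007 are this example's own choices, and forwarding (Windows Event Forwarding or an agent) is what actually gets these to a SIEM and is not shown here.

```powershell
# Added example; not from the episode or the comment above.
# Pulls, from the local Defender operational log, the events a SIEM rule would
# key on when someone runs the Set-MpPreference lines from this thread. Event
# IDs are Microsoft's documented Defender Antivirus IDs; the 24-hour window
# and the regex on the 5007 message are this example's choices.

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

$WatchedIds = @{
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Antimalware platform configuration changed'
    5010 = 'Scanning for malware disabled'
    5012 = 'Scanning for viruses disabled'
    5013 = 'Tamper protection blocked a configuration change'
}

function Get-DefenderConfigEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = $DefenderLog
        Id        = [int[]]$WatchedIds.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws "No events were found"
    # on a clean host, which is a result, not an error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Meaning  = $WatchedIds[[int]$_.Id]
                Computer = $_.MachineName
                Message  = $_.Message
            }
        }
}

function Get-DefenderTamperAlerts {
    # 5007 fires for routine changes too (updates, policy refresh), so only
    # promote it when the message names the real-time protection switches.
    param([int]$Hours = 24)
    Get-DefenderConfigEvents -Hours $Hours | Where-Object {
        ($_.Id -in @(5001, 5010, 5012, 5013)) -or
        ($_.Id -eq 5007 -and $_.Message -match 'DisableRealtimeMonitoring|DisableIOAVProtection')
    }
}

# Usage: run elevated, or as a member of Event Log Readers.
Get-DefenderTamperAlerts -Hours 24 |
    Select-Object Time, Computer, Id, Meaning |
    Format-Table -AutoSize
```

Two things to keep in mind when turning this into a SIEM rule: 5001 is the clean signal for "real-time protection went off", whereas 5007 is noisy on its own and only worth alerting on when its Old value/New value text names the switch; and an attacker who stops the service or clears the log removes the local copy, which is the argument for forwarding these events off the host as they are written.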
@dhaiwatmehta2323 6 years ago
Can you please share that text file... the one with the cmd commands
@marlmyster 6 years ago
I just thought of an attack... with USB-C that doubles as a charge port, Windows ACPI or macOS may/can be exploited... I'm a script kiddie... so I don't know as much, so add your two cents?
@logiciananimal 4 years ago
Defender-off-via-command-line if the account exploited is an administrator, no?
@dix6081 5 years ago
Now the one thing I'd like to know is how to restore the antivirus definitions and such
@mototodd 5 years ago
Can you do this demonstration with some form of enterprise antivirus running, like McAfee or Norton?
@Mr.WhiteBeard 6 years ago
Please make a tutorial on how to make back-connect proxies. Thanks
@medioclick 6 years ago
Good vid, I like Viss tutorials...
@eaglefn4918 6 years ago
To turn Defender off, you need administrator privileges. Why use Empire and all this stuff if you have the local password of an administrative user and access to the rest of the network? I cannot see a point in this video.
@s1231-b2g 6 years ago
eaglefn - you are correct. For a properly secured system you wouldn't get very far with these attempts. I think the point is that most systems are not secured properly and these are ways to navigate a network without drawing attention to your presence. That said, it's a good lesson in learning how not to leave your systems vulnerable to attacks.
@bufordmaddogtannen 5 years ago
Because the active RDP session can be seen by authorised users; the legitimate user may try to connect to it; there could be a limit on the number of available sessions, and so on... By deploying a shell, RDP can be avoided, and the attack has more chances to go undetected.
@djosearth3618 5 years ago
Just used for the secs ;]
@xyamin9666 6 years ago
Can someone give me the command line to stop Defender?
@dhaiwatmehta2323 6 years ago
What if the attacker uses the decoy... will the blue team be able to detect that???
@nitemareglitch 6 years ago
Also, I am watching you on your Mac and not using Sublime. Sadness was had.
@transient_trader 6 years ago
He who hasn't used Sublime isn't sublime. Probably why Viss couldn't type.
@TestinggroundOrg 6 years ago
The problem with telling people not to have strong opinions about things they don't understand is that they think they do understand. Nobody ever thinks what they know is wrong.
@JonathanGray89 6 years ago
The only truly indisputable fact is that we can deduce what we think are facts based on our own perceptions. The people who are most likely to find the real answers are the ones spending time looking for them, not just arguing about them.
@TestinggroundOrg 6 years ago
I've been fooled by my own perceptions more than once. ;-) I believe I think, therefore I am. That is only my opinion, but can you prove me wrong?
@-a6833 6 years ago
I don't think the problem was the quotes, but that you don't spell powershell "powerhshell" xD
@nitemareglitch 6 years ago
Ahhh I love you both!!
@iblandmenintealltid 3 years ago
Your videos are awesome
@ac130kz 6 years ago
I literally deleted the Defender folder using my Ubuntu, so it won't take 100% of my laptop resources. Lmao
@FarGamingOfficial 6 years ago
Awesome!
@NasheAbraham 6 years ago
Who else remembers the time they were on 'The Tube'
@mohammadabdussamad2258 6 years ago
Beautiful...🙂
@chriswasser33 6 years ago
Try this with Intune enforcement. Good luck.
@firstnamelastname2208 6 years ago
Shannon looks kinda weird this episode
@Alaskizs 4 years ago
You need to start to sell your people 🤣🤣🤣 it would be automatic 🤣🤣🤣
@sowhatsupeirik 6 years ago
This video made me realize the huge difference between a hacker/tool developer and a professional pen-tester/red teamer. Viss knows what's up. Darren is very pr0 l33t h4x0rs, and believe me, I know he is good, but Viss is just clearly on another level experience-wise. Also, let him speak. Hugs.
@jabawack81 6 years ago
"People make silly decisions every day" and other people are exploiting them
@slackerengi2401 6 years ago
I know I rant on this a lot, but why does every computer guy use a goddam MacBook
@RyleZor 6 years ago
Because they're nicely polished Unix machines. Also they feel nice to use, really portable and whatnot.
@slackerengi2401 6 years ago
RyleZor Idk, the thought of Kali or Ubuntu on a gaming laptop just appeals to me more: faster processor, upgradable RAM, a GPU for John the Ripper, cheaper price. But to each their own I guess
@wreckingangel 6 years ago
To be blunt, most IT staff really dislike Mac hardware and think Mac users are kind of... cough... not very tech savvy. This bias is very handy when you do recon out in the field. With a MacBook and the right clothes you can look like just another hipster or designer etc. The last person someone would suspect. But for anything else, MacBooks, hell no :)
@izatt82 6 years ago
This guy doesn't.
@RyleZor 6 years ago
I wouldn't say that at all. A lot of developers use Mac. I'm in IT and like Apple products because of their stance on privacy. Most of my IT teachers also used Apple products, especially the security guys. Apple is far better than Microsoft but still not a good company, just the lesser of two evils.
@firstlast493 5 years ago
14:07
@DAVIDGREGORYKERR 6 years ago
If you are going to connect to the internet, please keep your firewall active and never, never turn off your antivirus. If you want to stop your protection from going down, create a script: if(Windowsdefender==NULL) exec Windowsdefender.exe
@shyamkumar-kx4ld 5 years ago
Hi sir, it's showing this:
C:\Users\Pikachu>"c:\program files\windows defender\MpCmdRun.exe" -RemoveDefenitions -All Set-MpPreference -DisableIOAVProtection $true
CmdTool: Failed with hr = 0x80070667. Check C:\Users\Pikachu\AppData\Local\Temp\MpCmdRun.log for more information
CmdTool: Invalid command line argument
@MajikCatSecurity 5 years ago
I am old school, rather than nano or vi I prefer pico
@volim_pare_hocu_ih_jos 4 years ago
How to become a hacker, where to start guys???
@neonrage93 6 years ago
Mmm. Powerhshell.
@c0ffeeman 6 years ago
Blur your eyes. BLAM! Robert Downey Junior
@y2ksw1 6 years ago
At this point it is due to say that most large and very large companies have a proportionally inverse secure environment, due to the fact of so many people having special rights, because boss. In my history, I have seen horrific security policies, such as having very few repeated letters on private certificates of government Certification Authorities. A break into such systems could cause a national, if not international, loss of all funds of a specific country, including banks. The reaction was: "ah, nobody will ever come in here!". I replied: "I am!" ... silence 😄
@b2crypt481 6 years ago
But seriously guys! When will Shannon and Darren host the show together again?
@GovindaGopala333 5 years ago
Is he using a Mac? The keyboard is awful, typing is slow
Next episode: Disabling Defender With Viss Episode 2 - Hak5 2417 (27:07)