EDR Evasion 2024 – The Dark Arts Saga – Part01 – A Defenseless System.

So where do you start? Of course there are no "right" answers to this, but this is my recommendation: start from a "defenseless system" to get familiar with your infrastructure. If you are going to build a radio network, test it without electronic warfare around it. If you are going to target a vehicle, target it first while it is not a moving target.

So the first order of business is to understand all the components of Windows Defender and disable them completely. This knowledge will be valuable later, should you want to impair Defender functionality completely or partially.

Kill the Defender.

You want a base system with no defenses, to test whether your infrastructure works. There are multiple methods to disable all Defender functionality. Below is a non-exhaustive list of projects that attempt to do this.

I will be investigating whether these projects work on the latest versions of Windows 10 and 11 and update the techniques accordingly. The more interesting problem is how to write a test automation harness to validate whether a method continues to work on newer versions of Windows 11, but given the frequency at which they are released this process could be semi-manual, with a notification when a new major version is released.

An interesting approach mentioned at https://github.com/ionuttbara/windows-defender-remover is to create an ISO without Defender, to set up lab machines that don't have Defender faster.
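The test harness mentioned above needs a reliable way to tell whether a box is actually defenseless, and a blue team wants the mirror image of that check: which Defender components are still on, whether tamper protection is set, and whether Defender has logged its own "protection turned off" events. The PowerShell below is an added example of mine, not code from this post or from the windows-defender-remover project. It assumes a Windows 10/11 host where the Defender PowerShell module is present, treats a machine whose Defender platform has been removed entirely (the ISO approach) as its own outcome rather than an error, and the function names are my own.

```powershell
# Added example (not from the original post): snapshot the state of Windows
# Defender's components so a lab harness can tell "defenseless" from
# "still protected", and list the events a blue team would alert on.

function Get-DefenderState {
    $state = [ordered]@{
        Removed       = $false
        Services      = @{}
        Components    = @{}
        TamperProtect = $null
        Defenseless   = $false
    }

    # Service-level view: WinDefend (AV engine), WdNisSvc (network inspection),
    # Sense (Defender for Endpoint sensor, only present when onboarded).
    foreach ($svc in 'WinDefend', 'WdNisSvc', 'Sense') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $state.Services[$svc] = if ($s) { $s.Status.ToString() } else { 'NotInstalled' }
    }

    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        # Each of these is a distinct Defender component; "disabled" for the
        # lab means every one of them reads $false, not just real-time protection.
        foreach ($prop in 'AMServiceEnabled', 'AntivirusEnabled', 'AntispywareEnabled',
                          'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
                          'OnAccessProtectionEnabled', 'IoavProtectionEnabled', 'NISEnabled') {
            $state.Components[$prop] = [bool]$mp.$prop
        }
        $state.TamperProtect = [bool]$mp.IsTamperProtected
    } catch {
        # Get-MpComputerStatus fails when the platform is gone, not merely disabled.
        $state.Removed = $true
    }

    $state.Defenseless = $state.Removed -or ($state.Components.Values -notcontains $true)
    return [pscustomobject]$state
}

function Get-DefenderTamperEvents {
    param([int]$Hours = 24)
    # Events Defender writes about itself when protection is turned off:
    # 5001 real-time protection disabled, 5010 antispyware disabled,
    # 5012 antivirus disabled, 5007 configuration changed.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# Usage: run elevated on the lab VM (or on a host you are auditing).
$st = Get-DefenderState
$st | Format-List
if ($st.Defenseless) {
    Write-Host 'Defender is off or removed: baseline infrastructure tests can run.'
} else {
    Write-Host 'Defender still active; see Components for what is enabled.'
}
Get-DefenderTamperEvents | Format-Table -AutoSize
```

The same script doubles as a regression check for the harness: run it after each Windows feature update and a `Defenseless` value of `$false` tells you the disabling method has stopped working on that build. On a production host the tamper events it lists are exactly the ones worth forwarding to a SIEM, since a hardened box should never produce them outside a change window.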
