clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

Defender is enabled in win10 machine (Proxmox) #769

Open leitosama opened 2 years ago

leitosama commented 2 years ago

Building from master (commit 8fffa0e9840fc6f2a1bea7844a0ec5a6cd3754b8)

Description of the issue:

While configuring the win10 host with Ansible, the Red Team toolkit is not installed:

{"changed": true, "cmd": ".\install-redteam.ps1", "delta": "0:00:11.576824", "end": "2022-01-18 18:56:50.010227", "failed_when_result": false, "msg": "non-zero return code", "rc": 1, "start": "2022-01-18 18:56:38.433403", "stderr": "The scheduled task 'Invoke-CommandAs Task' failed with result code 1.\r\nAt C:\vagrant\scripts\Invoke-CommandAs.ps1:28 char:9\r\n+ throw \"The scheduled task '$TaskName' failed with result code ...\r\n+ ~~~~~~~~~~~~~\r\n + CategoryInfo : OperationStopped: (The scheduled t... result code 1.:String) [], RuntimeException\r\n + FullyQualifiedErrorId : The scheduled task 'Invoke-CommandAs Task' failed with result code 1.", "stderr_lines": ["The scheduled task 'Invoke-CommandAs Task' failed with result code 1.", "At C:\vagrant\scripts\Invoke-CommandAs.ps1:28 char:9", "+ throw \"The scheduled task '$TaskName' failed with result code ...", "+ ~~~~~~~~~~~~~", " + CategoryInfo : OperationStopped: (The scheduled t... result code 1.:String) [], RuntimeException", " + FullyQualifiedErrorId : The scheduled task 'Invoke-CommandAs Task' failed with result code 1."], "stdout": "[18:56] Installing Red Team Tooling...\n", "stdout_lines": ["[18:56] Installing Red Team Tooling..."]}

When I tried to run the Red Team toolkit I found out that it is detected and deleted by Defender AV. So I think that the Packer configuration does not disable Defender properly.

JustasZab commented 2 years ago

Having the same issue here:

[screenshot]

Seems related to this

How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy? Group policy doesn’t apply to tamper protection. Changes made to Microsoft Defender Antivirus settings are ignored when tamper protection is on.

What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? You won't be able to change the features that are protected by tamper protection; such change requests are ignored.

EDIT: from looking into this, I couldn't find a method to disable it with PowerShell, so not entirely sure what could be the solution other than disabling it via GUI and then rerunning provisioners. Otherwise, Packer could use an older image without tamper protection.

clong commented 2 years ago

So, this is handled on the non-Proxmox DL deployment via this code: https://github.com/clong/DetectionLab/blob/master/Vagrant/scripts/install-redteam.ps1#L17-L20

See this PR for more info: https://github.com/clong/DetectionLab/commit/2c227241019467f3a52458cde2915c2de3b714a0

I'm guessing this workaround only works on very specific versions of Win10 -- it looks like vanilla DL is using 19h2 and Proxmox is pointing to 19h1: https://github.com/clong/DetectionLab/blob/master/Proxmox/Packer/windows_10_proxmox.json#L38

Try changing the proxmox ISO and checksum values to the values shown here and see if that works? https://github.com/clong/DetectionLab/blob/master/Packer/windows_10.json#L193
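Both the tamper-protection discussion above and the suggestion to switch the ISO come down to the same question: is Defender actually off on the built guest before install-redteam.ps1 runs? The following pre-flight check is an added example and is not DetectionLab's own code. It reads the Defender state with the built-in Defender module cmdlets (Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection, all present on a stock Windows 10 image) and reports the OS build, so the bare "scheduled task failed with result code 1" error can be replaced by a plain statement of what is still enabled and which files Defender already removed. The function name Test-DefenderLabState is this example's own.

```powershell
# Added example, not part of DetectionLab: report why red-team tooling would be
# quarantined on this guest before the installer is run.
function Test-DefenderLabState {
    [CmdletBinding()]
    param()

    # Effective engine state and configured preferences; both come from the
    # Defender module that ships with Windows 10.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $pref   = Get-MpPreference     -ErrorAction Stop

    $findings = @()
    if ($status.IsTamperProtected) {
        # Tamper Protection silently discards GPO/WMI/PowerShell changes to
        # Defender, which is why a scripted disable can appear to succeed.
        $findings += 'Tamper Protection is ON; scripted Defender changes are ignored until it is turned off in the Windows Security app.'
    }
    if ($status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is ON; downloaded tooling will be quarantined.'
    }
    if (-not $pref.DisableRealtimeMonitoring) {
        $findings += 'DisableRealtimeMonitoring is not set in Get-MpPreference.'
    }

    # Recent detections confirm (or rule out) that Defender is what removed
    # the files, rather than a download or unpack failure.
    $recent = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First 10 |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.InitialDetectionTime
                ThreatID  = $_.ThreatID
                Resources = ($_.Resources -join '; ')
            }
        }

    [pscustomobject]@{
        # Build number lets you compare the Proxmox image against the
        # release the vanilla workaround was written for.
        OsBuild            = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        AntivirusEnabled   = $status.AntivirusEnabled
        TamperProtected    = $status.IsTamperProtected
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Ready              = ($findings.Count -eq 0)
        Findings           = $findings
        RecentDetections   = $recent
    }
}

$check = Test-DefenderLabState
$check | Format-List
if (-not $check.Ready) {
    Write-Error 'Defender is still active on this guest; see Findings above. Not running the red-team tooling installer.'
    exit 1
}
```

Run it on the guest (or from the same Ansible task, before install-redteam.ps1) with an elevated PowerShell; a non-zero exit with the Findings list is far easier to act on than the generic Invoke-CommandAs task failure, and the RecentDetections entries show exactly which tool paths Defender quarantined.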