When penetration testing, and targeting Windows systems, writing some executable content to the file system is invariably required at some stage. Unfortunately today, the antivirus vendors have become quite adept with signatures that match assembly stub routines that are used to inject malware into a system. The A/V guys will also pick up on common service executable files such as being used with Metasploit’s bypassuac. Let’s face it, we still need to write stuff into temp directories from time to time.
Mark Baggett, and Tim Tomes recently presented some nice techniques on hiding malware within Windows volume shadow copies (http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows). Since it is unlikely for A/V products to be able to scan volume shadow copies, and the capability to create a process from a volume shadow copy using ‘wmic’ exists, then we would likely want to follow this sequence of tasks during a test:
a) Disable the A/V product of choice.
b) Upload our favorite/useful executable content. (perhaps a reverse TCP meterpreter shell or similar)
c) Upload Mark and Tim’s excellent vssown.vbs script
a. Enable service and create volume shadow copy.
b. Disable volume shadow copy service.
d) Delete our favorite/useful executable content and modified timestamps accordingly assuming we want to be somewhat stealthy.
e) Execute our content from the volume shadow copy using ‘wmic’ using the excellent vssown script, or just through ‘wmic process call create’.
The challenge presented is whether we can effectively disable the antivirus product of choice. Listed below are some possible techniques for three popular products which may get us what we need. None of these techniques are stealthy from a user interface perspective. Otherwise said, Windows security center and the A/V tray executable files themselves will try to inform the user that something is broken when we proceed with these recipes.
1. Grisoft’s AVG
Using the 2012 Freeware version, I note the following information about AVG. Services running are the AVG watchdog (avgwd), and the AVG IDS agent (avgidsagent). The running processes are as follows: avgidsagent.exe, avgwdsvc.exe, avgemca.exe, avgrsa.exe, avgcsrva.exe, and avgnsa.exe. The watchdog process is very persistent at restarting things, is not killable, and neither is the service stoppable.
a. Rename the binary files in %systemroot%\program files\avg\avg2012\ as follows.
C:\> cd %systemroot%\program files\avg\avg2012
C:\> move avgcsrva.exe avgcsrva_.exe
C:\> move avgemca.exe avgemca_.exe
C:\> move avgnsa.exe avgnsa_.exe
C:\> move avgrsa.exe avgrsa_.exe
b. Kill the running processes simultaneously with a one line (wildcard powered) wmic command.
C:\> wmic process where “name like ‘avg[cenr]%.exe’” delete
c. The watchdog service will to restart all of the binaries but fail.
ENABLING: Rename all of the binaries back to their original names, and the watchdog process will take care of the rest.
2. Microsoft Forefront
The service name is “msmpsvc”, and the running processes are msmpeng.exe, and msseces.exe, one being the engine and the other being the GUI reporting/configuration tool respectively.
DISABLING: kill the GUI tool and stop the A/V engine service.
C:\> wmic process where name=”msseces.exe” delete
C:\> sc stop msmpsvc
ENABLING: start the A/V service engine, and start the GUI process.
C:\> cd \Program Files\Microsoft Security Client
C:\> sc start msmpsvc
3. Symantec Endpoint Protection
The services running are ccEvtMgr, ccSetMgr, smcservice, and “Symantec AntiVirus”. The processes that matter are smb.exe, and smcgui.exe.
DISABLING: kill the processes, and stop the services. I found that the event manager (ccEvtMgr), and settings manager (ccSetMgr) service can remain running without any impact.
C:\> wmic process where “name like ‘%smc%.exe’” delete
C:\> sc stop smcservice
C:\> sc stop “Symantec AntiVirus”
ENABLING: restarting just the smcservice will start everything else back up again.
C:\> sc start smcservice