Bypassing antimalware tactics (notes from NIC conference)

In reference to my talk at Nordic Infrastructure Conference 2017, “Look under the hood: bypassing antimalware tactics and infrastructure response methods”, I am sharing the slides, the tools and an extra step-by-step description of how to elevate from a regular user to the localsystem.

Slide deck from my session at NIC Conference 2017: “Look under the hood: bypassing antimalware tactics and infrastructure response methods”.



Tools from the NIC conference session

Here you can find the most important tools I used during the session!

>> Get the tools from this session <<

Malware…

Antivirus is dead, long live the antivirus! In the proverbial cat-and-mouse game of cybersecurity neither the attacker nor the defender can maintain their advantage for very long. But the bad guys don’t exactly take this challenge – they respond with their own bypass ideas. During this session, we strove to understand whether antivirus is really dead and whether it has reached the point where it should not be the only protection used. I demonstrated techniques for bypassing antivirus mechanisms and showed the tactics malware uses today that allow it to run, along with the prevention methods that help you avoid being attacked by the newest innovations.

Elevation from regular user to the localsystem

One of the interesting and somewhat magical steps during our session was an elevation from regular user to the localsystem. Of course, in a properly configured and patched system this should not be possible, but we used a bug, MS16-032, fixed by Microsoft in March 2016.

The bug relies on how handles are handled (we love such geeky word plays) in multiprocessor systems, including Windows 10 and Windows Server 2012 R2. So if you did not patch your system during the last 6 months, you are probably vulnerable too. We chose this bug for our demonstration not only because it usually works but also because it may be exploited with pure PowerShell. We relied heavily on the FuzzySecurity code published on GitHub.

The code for the elevation is wrapped into one function we called “Elevate-Cmd”. If you declare this function (you can simply copy and paste the code below into your PowerShell or ISE window), you can later use it, for example by typing “Elevate-Cmd net localgroup administrators fkrueger /add”. Please do remember that the parameters are sent to cmd.exe, so if you plan to use internal commands like dir, type, echo etc. you should prefix them with /c: “Elevate-Cmd /c dir c:\users”.

Looks scary? For us as well. So if you are thinking about fixing it, refer to KB3143141 (LINK)
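For defenders, one way to spot this kind of elevation in process-creation logs, as an added example that is not part of the original post or the session tools: flag a cmd.exe running as SYSTEM whose parent process ran as a regular user. The records are constructed, the field names follow Sysmon Event ID 1, the `LAB` domain is made up, and it is an assumption that the elevated cmd.exe is logged as a child of the user's own process.

```python
"""Flag cmd.exe started as SYSTEM by a parent running as a regular user."""

# Constructed sample records; field names follow Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\services.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\cmd.exe"},          # service-spawned: expected
    {"ProcessGuid": "g3", "ParentProcessGuid": "g9", "User": r"LAB\fkrueger",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "User": r"LAB\fkrueger",
     "Image": r"C:\Windows\System32\cmd.exe"},          # same user: expected
    {"ProcessGuid": "g5", "ParentProcessGuid": "g3", "User": r"nt authority\system",
     "Image": r"C:\Windows\System32\cmd.exe"},          # user -> SYSTEM: suspicious
    {"ProcessGuid": "g6", "ParentProcessGuid": "g8", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\cmd.exe"},          # parent never logged: unknown
]

WATCHED_IMAGES = {"cmd.exe"}  # the page's function hands its arguments to cmd.exe


def is_system(user):
    return user.strip().upper() == r"NT AUTHORITY\SYSTEM"


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_user_to_system_spawns(events):
    """Return (findings, unknown): SYSTEM children of non-SYSTEM parents, and
    SYSTEM children whose parent was never seen and so cannot be judged."""
    user_by_guid = {}
    findings, unknown = [], []
    for ev in events:  # assumed to be in chronological order
        user_by_guid[ev["ProcessGuid"]] = ev["User"]
        if image_name(ev["Image"]) not in WATCHED_IMAGES or not is_system(ev["User"]):
            continue
        parent_user = user_by_guid.get(ev["ParentProcessGuid"])
        if parent_user is None:
            unknown.append(ev["ProcessGuid"])
        elif not is_system(parent_user):
            findings.append((ev["ProcessGuid"], parent_user))
    return findings, unknown


if __name__ == "__main__":
    hits, unknown = find_user_to_system_spawns(SAMPLE_EVENTS)
    for guid, parent_user in hits:
        print(f"ALERT {guid}: cmd.exe as SYSTEM, parent ran as {parent_user}")
    print("parent not in log for:", unknown)
```

Events whose parent was started before logging began are returned separately, so they can be reviewed by hand instead of being silently treated as clean.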

And here comes the function

If you have any questions or comments, post them below! It was my pleasure to deliver these sessions at another Nordic Infrastructure Conference. You can find the previous blog posts here.
