ThoughtfulDev Posted March 29, 2017
Hey, I recently tried to kill the AV processes of, for example, AVG. My payload had SYSTEM privileges, but I couldn't kill the AV processes, which also run under the SYSTEM user. I noticed a process which ran higher than SYSTEM which belonged to AVG. Is it common that an AV has some sort of process which runs in kernel mode or something which protects the other processes? Is there even a way to kill the AV as a SYSTEM user?
IDNeon Posted March 30, 2017
I've noticed AV processes are fickle in when they can and cannot be killed; sometimes they feed on other processes, and tampering with one of those locks the process. Sometimes I've had no trouble killing an AV process that governs the uninstall security of the AV (for instance), and then turn around on a different but very similar environment, exact same AV, same OS version, and can't kill the process or make any of the changes I just made to a similar machine with the same OS version and exact same deployed AV. Sometimes it's various files locking them. The most success I've seen with AVs is to shotgun blast their .sys files and take out the processes the hard way. Editing regkeys as SYSTEM can help facilitate as well. This way I've been able to disable the security features of AVs and uninstall them even when password protected, etc., without having to have the password protecting them. If you do have system-level credentials to that system, you can take it out. PS: not sure what NT_AUTHORITY higher than SYSTEM you're referring to? If you can uninstall them without a password prompt, then you've pretty much disabled the last layer of that onion, which is why I mentioned yes, it's very doable.