daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 15:59:24 +00:00
Code Issues Projects Releases Wiki Activity

updates and moves

Browse Source 
n/a
This commit is contained in:
vxunderground
2022-04-11 20:00:13 -05:00
parent 1275ea2e03
commit 900263ea6f
809 changed files with 149115 additions and 1594 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Win32/Proof of Concepts/StopDefender/README.md
+19
View File
@@ -0,0 +1,19 @@
# StopDefender
Stop Windows Defender programmatically using Steal token from TrustedInstaller and winlogon processes.
![](Img/TI.png)
One button stop action, no need for supply commandline options nor pid. Usefull for integration with Post Explotation frameworks.
![](Img/TIexec.png)
# Blogpost
https://www.securityartwork.es/2021/09/27/trustedinstaller-parando-windows-defender/
# Credits
* https://github.com/slyd0g/PrimaryTokenTheft
* https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b
* https://www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html
* https://docs.microsoft.com/en-us/windows/win32/com/impersonation-levels
* https://halove23.blogspot.com/2021/08/executing-code-in-context-of-trusted.html
* https://docs.microsoft.com/es-es/windows/win32/api/winsvc/ns-winsvc-service_sid_info?redirectedfrom=MSDN