Otra forma de saltar la detección de McAfee

Nos encontrábamos en medio de un penetration test en la cual habiamos obtenido la administración completa de un servidor Windows.

Estamos buscando formas de sacar mas información de este servidor y queríamos aprovechar la técnica pass-the-hash desarrollada por Hernan Ochoa para obtener NT/LM hashes de la memoria.

Mas info: Windows Credentials Editor v1.2

El problema es que este servidor estaba corriendo McAfee VirusScan Enterprise ver. 8.7i el cual detectaba la tool wce.exe como maliciosa.

Para poder deshabilitar los servicios del antivirus es necesario conocer un password administrativo.

En versiones anteriores era posible blanquear ese password modificando los valores del registro UIP en (1) HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection or (2) HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion

Actualmente no se pueden modificar esos registros debido a permisos que fueron agregados despues que salga la vulnerabilidad

Pero encontramos los registros “HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\Configuration\Default\ExcludedItem_X”

Algunos excluded path por default "c:\inetpub\mailroot\", "c:\program file\exchsrvr\schema", "%systemroot%\IIS Temporary Compressed"

Simplemente tirando nuestros binaries en cualquiera de los directorios nombrados en ExcludedItem_X haciendo uso de la funcionalidad que McAfee nos ofrece logramos ejecutar cualquier binario y finalmente obtener nuestras ansiosas hash.

Espero que les sirva por si se topan alguna vez con este antivirus, seguramente la técnica debe ser aplicable a otros antivirus.

Saludos

Another way to bypass McAfee detection

During a penetration test we obtained the complete administration of a Windows server.

We were looking for a way to get more information on this server and wanted to use the technique pass-the-hash developed by Hernan Ochoa to get NT / LM hashes from memory..

More information: Windows Credentials Editor v1.2

The problem is that this server is running McAfee VirusScan Enterprise version 8.7i tool which detects wce.exe as malicious.

To disable the antivirus service is necessary to know an administrative password.

In previous versions it was possible to disable the password by modifying the registry value UIP in (1) HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection or (2) HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion

Today you can not change the registry because of permissions added after the following vulnerability

But we found the following registries “HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\Configuration\Default\ExcludedItem_X”

Some of them are excluded path by default "c:\inetpub\mailroot\", "c:\program file\exchsrvr\schema", "%systemroot%\IIS Temporary Compressed"

Simply we put our binaries in any of the directories named in ExcludedItem_X using the functionality that McAfee offers to run any binary, and we finally got our needed hash.

I hope you need it if you ever come across with this antivirus, surely the technique should be applicable to other antivirus.

Have fun!