Skip to content

Stop Defender Service using C# via Token Impersonation

Notifications You must be signed in to change notification settings

dosxuz/DefenderStop

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

StopDefenderService

This is a C# project to stop the defender service using via token impersonation

Methodology

The WinDefend process can neither be stopped an admin with high privileges nor as the SYSTEM. But it can only be stopped with the privileges of the TrustedInstaller group.

In this technique, we first steal the token from the WinLogon service, and escalate to SYSTEM integrity. Then we steal the token from the TrustedInstaller service and impersonate it. This will finally allow us to stop the WinDefend service.

Attack Flow

The following is the diagram of the attack flow. (Source: Original Blogpost).

Apart from the original functionality, we have also added the Enable Debug Privilege feature, which sets the debug privilege too.

References

About

Stop Defender Service using C# via Token Impersonation

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages