Sunday, January 17, 2016

Enumerating Excluded AntiVirus Locations

Recently I submitted a PR to Metasploit for a Windows post module that was improved and landed with the help of @jhart-r7. The goal of this post module was to add the ability to quickly enumerate the "excluded" locations that are saved by AntiVirus software. These locations are sometimes created due to defaults within the product itself or are manually added by an admin of the machine. Excluded locations can be vary useful places to upload/store files that you know are likely to get caught by AV as they will not be scanned/removed from the system. The module supports file, directory, process, and extension-based exclusions for the following products (so far):

Microsoft Defender
Microsoft Security Essentials/Antimalware
Symantec Endpoint Protection

Example usage:

 Once you have a shell, run the post module.

The module indicates that Microsoft Security Essentials is installed and there are a few excluded locations configured. Lets try to upload a known malicious binary to this machine in a non-excluded location.

We can see that we successfully uploaded WCE, but when trying to execute it, AV flags and deletes it.

Now when we try to upload and execute the same binary from one of the excluded locations....

AV leaves us alone.

I suppose this could also be useful to admins who want to audit these configurations as well ;)