Bypass Technique for Disabling Tamper Protection in Windows

Jul 16, 2024

Introduction

  • New technique to disable tamper protection in Windows.
  • Allows disabling antivirus for executing malicious actions.
  • Not always about stealth; useful in scenarios where stealth is not a priority (e.g., ransomware).

Scenario

  • Attacker deploying ransomware doesn’t need to be stealthy.
  • Ransomware encrypts files, holding them for ransom until payment.
  • The goal is to disable tamper protection, thus allowing the disabling of antivirus.

Lab Environment Setup

  • Created a lab to demonstrate the technique.
  • Tamper protection prevents programmatic disabling of antivirus.

Demonstration

  1. Initial Setup

    • Virus & Threat Protection: Real-time protection and tamper protection ON.
    • Tamper protection prevents simple PowerShell commands from disabling antivirus.
  2. Understanding Tamper Protection

    • Tamper protection is enforced by the kernel minifilter driver WdFilter.sys.
    • This driver is loaded on system startup.
    • Disabling tamper protection requires unloading or crashing this driver.
  3. Bypass Technique Overview

    • Identified by Munaf Sharif (alteredsecurity.com).
    • The technique involves deleting the altitude key in the registry so that the WdFilter driver fails to load.
    • Without the key, the driver won't load on system startup.

Steps to Bypass Tamper Protection

  1. Checking Permissions

    • WdFilter.sys is located in C:\Windows\System32\drivers.
    • TrustedInstaller has full control over it; the SYSTEM account does not.
  2. Impersonating Trusted Installer

    • Tools: ntdutil or PsExec.
    • Spawn a command prompt as TrustedInstaller to modify the registry.
  3. Deleting Altitude Key

    • Use elevated prompt to delete altitude registry key.
    • reg delete command for the altitude key.
    • Successful deletion allows disabling tamper protection on next reboot.
  4. Reboot & Disable Tamper Protection

    • Reboot the system so the WdFilter driver does not load.
    • Add the registry key that disables tamper protection.
    • The change takes effect after another reboot.

Verification

  • Even if the GUI does not reflect the change, the command-line status check confirms real-time protection is OFF.
  • Successfully downloaded and ran Mimikatz (normally flagged by antivirus), confirming that antivirus is indeed disabled.
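A defender-side counterpart to the checks above, added here as an example and not part of the original notes: it reads Defender's own status, confirms the WdFilter minifilter is loaded, and, because the altitude deletion happens before the reboot that breaks the driver, inspects the minifilter registration so the tampering can be caught while Defender still reports healthy. It assumes the Defender PowerShell module is present and that the standard minifilter registry layout (Services\<driver>\Instances\<instance>\Altitude) applies; the function name is my own.

```powershell
# Health check for the Defender tamper-protection chain (example code, not from the page).
# Run from an elevated PowerShell session; fltmc.exe requires administrator rights.

function Test-DefenderTamperState {
    $findings = @()

    # 1. What Defender itself reports (the same state the Verification step queries).
    $status = Get-MpComputerStatus
    if (-not $status.IsTamperProtected)       { $findings += 'Tamper protection is OFF' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
    if ($status.AMRunningMode -ne 'Normal') {
        $findings += "Antimalware running mode is '$($status.AMRunningMode)', expected 'Normal'"
    }

    # 2. Is the WdFilter minifilter actually loaded right now?
    #    fltmc prints one row per loaded filter; a missing row means the driver did not load.
    $loaded = (& fltmc.exe filters 2>$null) -match '^\s*WdFilter\b'
    if (-not $loaded) { $findings += 'WdFilter minifilter is not loaded' }

    # 3. Pre-reboot detection: does every registered WdFilter instance still carry an
    #    Altitude value? Minifilters register under Services\<driver>\Instances\<instance>
    #    (documented Windows layout, assumed here); a deleted Altitude is the condition
    #    the technique above relies on and is visible before the next reboot.
    $inst = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances'
    if (-not (Test-Path $inst)) {
        $findings += 'WdFilter Instances key is missing'
    } else {
        foreach ($k in Get-ChildItem -Path $inst) {
            $alt = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).Altitude
            if ([string]::IsNullOrEmpty($alt)) {
                $findings += "Instance '$($k.PSChildName)' has no Altitude value"
            }
        }
    }

    return $findings
}

$f = @(Test-DefenderTamperState)
if ($f.Count -eq 0) {
    Write-Host 'OK: tamper protection, real-time protection and WdFilter registration look intact'
} else {
    $f | ForEach-Object { Write-Warning $_ }
}
```

Any finding from step 3 while steps 1 and 2 still pass is the window between the registry change and the reboot, which is the point at which an alert is still actionable.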

Conclusion

  • Technique useful for situations where stealth isn't necessary (e.g., ransomware attacks).
  • For additional guidance or contracting opportunities, contact via Instagram (@ElevateCyber).
  • Elevate skill set with advanced techniques to succeed in cybersecurity field.