Today we're going to explore a new bypass technique that was recently discovered, which lets you disable tamper protection in Windows so that you can then turn off antivirus and carry out whatever malicious actions you want from there.

First, let's address a very common criticism that people will probably type in the comment section: "Oh, this isn't stealthy, this will set off alarms, this will get you detected," and so on. Yeah, it will. But here's the thing the best attackers know: it's not always about stealth. There are times when stealth is very important, and in those cases you wouldn't want to use a technique like this. But there are situations where you either don't care about stealth or you're willing to take the risk based on some recon you've done.

Imagine this scenario: you're a malicious attacker, an APT, and you want to deploy ransomware against a target. Maybe you're spraying it out across the internet just to see which company's employee might click on it and where you can get your ransom; you don't care where it fails, you just need to succeed once. Or even if you're targeting a specific organization, the reality is that ransomware by definition doesn't care about stealth, because they want you to know: "Hey, we've hacked you, now pay us or you're not getting your files back." By the way, if you're not familiar with ransomware, it's a type of malware that encrypts all the files on your system, locking the victim out of their own data, and pops up a message saying pay us if you want your files back; they hold the files for ransom. Obviously, with something like that you're not trying to be stealthy, you're trying to be the opposite of stealthy: "Hey, we hacked you, what are you going to do about it?" So let's jump into the lab, enough talking. So this
is based on something I posted recently on my Twitter, and if you're not following me on Twitter, definitely give me a follow. I haven't been too active there, so I don't have many followers yet, but I'm building that up; I'm going to be posting a lot more high-value stuff and looking to incorporate it into technical videos, so let me know if you like this format. Sector 7 posted this one; it was a repost of a blog post on alteredsecurity.com, a very good training provider by the way. This one was by Munaf Sharif, so credit goes to him; I did not come up with this technique, and I'll link it for you. I recommend reading the full article. They also have a POC tool, but I'm going to show you how to do this bypass technique manually.

First of all, I have a lab environment I created for this, and to showcase tamper protection we're going to use some tools here. If I look at Virus & threat protection and go to Manage settings, we can see that real-time protection is on, so essentially antivirus is turned on, and this one here, tamper protection, is on. By default, the only way to disable tamper protection without doing any crazy hacking is to click it in the GUI. So if you're deploying ransomware programmatically, through a script or something, then unless you use a technique like this, or go deep down to the kernel level, there's no way to disable tamper protection without access to the graphical user interface. That's a problem for ransomware. A lot of the time ransomware will use antivirus bypass techniques and things like that, but to showcase this: here's a simple command, and imagine we've hacked this server and have admin rights on the system; that will be a prerequisite for this technique. This is a simple
PowerShell command that I can run to disable real-time protection, that is, disable antivirus. Notice I ran it but nothing happened. Why? Because tamper protection is enabled, so I cannot programmatically, simply with a PowerShell command or something like that, disable antivirus. If I turn tamper protection off, it may not reflect in the GUI right away, but I am actually able to disable it. Here we go, you can see that it's now turned off; it made a beeping noise at me as well, and you see real-time protection is turned off. So tamper protection is what prevents an attacker from just doing it programmatically in a simple way like this. That's just to showcase what it does; let's turn it back on for our lab environment.

I'm not going to go through every step of the post; he describes how he discovered this through his research, and once again I'd recommend giving it a read. But basically, the way tamper protection works is that there's a kernel driver called WdFilter.sys that is loaded at system startup, and that's what prevents you from disabling antivirus whenever tamper protection is enabled. He goes as far as reverse engineering the kernel driver, going into kernel mode with WinDbg and looking at the actual disassembly. You can see here that he identifies this thing called the altitude, basically a parameter that is read when the driver is loaded. The driver works through loading and unloading: when you load the driver it does something, and when you unload it it does something; I'm keeping this in as simple, layman's terms as possible. You can see in the diagram that it may be possible to crash the driver; he thought, what if we crashed it? So we can crash or stop WdFilter by deleting this altitude key, and then the next time you start up the system, because, remember, this runs on startup,
it's not going to be able to load properly, or rather it's not even going to try to load, because it will say the altitude key is missing, so it won't try to load WdFilter.sys. If that driver is not running, then tamper protection is no longer enforced. That's the basic idea: we want to crash WdFilter and then restart the system so that on startup WdFilter.sys does not run, because that key is missing.

So we can look at the permissions on WdFilter. You can do this programmatically or through the GUI; I'll just show you in the GUI. wdfilter.sys is a file located in C:\Windows\System32\drivers. There are a lot of files in this folder, so you can search for it; I'll type WdFilter and we see WdFilter.sys. If I right-click it (make sure it's selected first), go to Properties and then Security, we can see the different permissions, and if I click Advanced it's a little easier to see. In our case only TrustedInstaller has full control; in the write-up it was a little different, where I believe SYSTEM had full control. So we will need to impersonate the TrustedInstaller principal to gain full access and make whatever modifications we want to this driver. In other words, to edit the registry and delete the altitude registry key, we will need to impersonate TrustedInstaller. That's possible if we have admin access on the server, which is why I said that's a prerequisite, and we can use a number of tools to do it: PsExec, NSudo, and I'm sure several others I may not be aware of. I'm going to use NSudo in this case.

So the first step: let me spawn a command prompt as the administrator user. Depending on your version of Windows, SYSTEM might have full access; so if you look at his
case, SYSTEM had full control, so in that case you can impersonate the SYSTEM account. I already have NSudo on this system, so I'm going to go into the launcher x64 folder, copy the path, cd into it, and run this command, though I need to modify it. First let me remove this quotation mark, and change the user flag: -U:S would be SYSTEM, and we want -U:T for TrustedInstaller. Now we've spawned a command prompt as the TrustedInstaller user. It will just show as SYSTEM; if I run whoami it shows SYSTEM, but we're actually running as TrustedInstaller. From here we can simply delete the registry key using the command from the blog post. Do that, and this is what we're looking for: "The operation completed successfully." If I had tried this as SYSTEM it would have given an access denied, so we can reasonably assume that was successful.

Now, like I said, we need to reboot the server so that it skips loading that driver, because right now the driver is still loaded. The easiest way is just to restart the system. We'll have to give it some time to restart. We should see that the WdFilter kernel minifilter driver fails to load on the next boot, and that's because the Altitude registry subkey has been deleted, which breaks driver initialization. If that's the case, as we'd assume, then we can disable tamper protection by adding this next registry value.

All right, I've now logged back into the server, and from here I can copy this command. We can also see here that it, well, not disabled, but rather the driver did not actually start up, as you can see. Now we just copy this reg add command; we're going to add the registry value that disables tamper protection. If you get an access denied, that's because you need to do it in the elevated shell as the SYSTEM or Trusted
Installer user. So to do that, let's fire up NSudo again (oops, wrong folder: launcher), get the elevated prompt, and from the elevated prompt add the registry value that disables tamper protection. That's what we're looking for: "The operation completed successfully."

Now here's the thing: it will not reflect in the GUI right away. If I look at Virus & threat protection it appears everything is enabled at this time, including tamper protection, but really that's not the case. If I restart the server again it should update; until then it's not going to reflect in the GUI. We can also run this one, which disables scanning of downloaded files and attachments. And we can confirm, even though it doesn't show in the GUI until we reboot, by running a command to see the status: Get-MpComputerStatus (I always forget this command; let me bring it up). This will show you the state of the antivirus. We're looking for the field RealTimeProtectionEnabled: it's False, meaning it's off. This is what I was saying was kind of interesting: the GUI shows real-time protection on when it's actually not, and it shows tamper protection on when obviously it's not, because we were able to disable it programmatically. It's weird that even the command line doesn't update until you reboot the server, I suppose.

But just to prove that this is off, we can test it: let's download a program that's definitely flagged by antivirus. Let's try to download Mimikatz; if you can download Mimikatz, you know the antivirus is not running properly. Let's see here, we'll
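Added example (PowerShell, my code, not the video's and not the Altered Security post's tooling): a small audit you can run before the change, after the reg delete, and after the reboot to see exactly which artifacts this procedure touches and which of them show the truth while the GUI and Get-MpComputerStatus still lag. Assumptions that the video does not state: WdFilter registers its minifilter instance at altitude 328010 under `...\Services\WdFilter\Instances\WdFilter Instance`; the `TamperProtection` DWORD under `Windows Defender\Features` is 5 when on and 4 when off; a failed driver start lands in the System log as Service Control Manager event 7000 or 7026; and the "scanning of downloads/attachments" switch is `DisableIOAVProtection=1` under the Real-Time Protection policy key. Run it in an elevated PowerShell on a Defender host.

```powershell
# Added example, not from the video or the Altered Security post.
# Audits the footprint of the WdFilter altitude-deletion technique.
# Assumptions (see lead-in): altitude 328010, TamperProtection 5=on/4=off,
# SCM events 7000/7026 for a failed driver start, DisableIOAVProtection policy.

$WdFilterInstanceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance'
$DefenderFeaturesKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
$RtpPolicyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$WdFilterSys         = Join-Path $env:SystemRoot 'System32\drivers\WdFilter.sys'

function Get-WdFilterState {
    # 1. Is the Altitude value still there? Deleting it is the whole trick.
    $altitude = (Get-ItemProperty -Path $WdFilterInstanceKey -Name Altitude -ErrorAction SilentlyContinue).Altitude

    # 2. Is the minifilter attached right now? fltmc needs an elevated shell.
    $attached = $false
    try {
        $fltOut = & fltmc.exe filters 2>$null
        if ($LASTEXITCODE -eq 0) { $attached = [bool]($fltOut | Select-String -Pattern '^\s*WdFilter\b') }
    } catch { }

    # 3. Did the Service Control Manager record a WdFilter start failure since the last boot?
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7000, 7026; StartTime = $lastBoot } -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match 'WdFilter' })

    # 4. Who holds FullControl on the driver file and on the instance key?
    #    The video sees only TrustedInstaller on the file; the write-up saw SYSTEM.
    $fileFull = @(); $keyFull = @()
    $fileAcl = Get-Acl -Path $WdFilterSys -ErrorAction SilentlyContinue
    if ($fileAcl) { $fileFull = @($fileAcl.Access | Where-Object { $_.FileSystemRights -eq 'FullControl' } | ForEach-Object { $_.IdentityReference.Value }) }
    $keyAcl = Get-Acl -Path $WdFilterInstanceKey -ErrorAction SilentlyContinue
    if ($keyAcl) { $keyFull = @($keyAcl.Access | Where-Object { $_.RegistryRights -eq 'FullControl' } | ForEach-Object { $_.IdentityReference.Value }) }

    [pscustomobject]@{
        AltitudePresent = ($null -ne $altitude)
        Altitude        = $altitude
        FilterAttached  = $attached
        StartFailures   = $failed.Count
        FileFullControl = ($fileFull -join ', ')
        KeyFullControl  = ($keyFull -join ', ')
    }
}

function Get-TamperProtectionState {
    $regVal = (Get-ItemProperty -Path $DefenderFeaturesKey -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
    $ioav   = (Get-ItemProperty -Path $RtpPolicyKey -Name DisableIOAVProtection -ErrorAction SilentlyContinue).DisableIOAVProtection
    $mp     = Get-MpComputerStatus -ErrorAction SilentlyContinue   # the cmdlet used in the video

    [pscustomobject]@{
        TamperProtectionRegValue  = $regVal
        IsTamperProtected         = $mp.IsTamperProtected
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        IoavProtectionEnabled     = $mp.IoavProtectionEnabled
        IoavDisabledByPolicy      = ($ioav -eq 1)
    }
}

function Test-DefenderTamperIntegrity {
    $f = Get-WdFilterState
    $t = Get-TamperProtectionState
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $f.AltitudePresent)      { $findings.Add("WdFilter Altitude value missing under '$WdFilterInstanceKey'") }
    elseif ($f.Altitude -ne '328010') { $findings.Add("WdFilter Altitude is '$($f.Altitude)', expected 328010") }
    if (-not $f.FilterAttached)       { $findings.Add('WdFilter minifilter is not attached (fltmc filters)') }
    if ($f.StartFailures -gt 0)       { $findings.Add("SCM logged $($f.StartFailures) WdFilter start failure(s) since boot") }
    if ($t.TamperProtectionRegValue -eq 4)       { $findings.Add('TamperProtection registry value is 4 (off)') }
    if ($t.IsTamperProtected -eq $false)         { $findings.Add('Get-MpComputerStatus: IsTamperProtected = False') }
    if ($t.RealTimeProtectionEnabled -eq $false) { $findings.Add('Get-MpComputerStatus: RealTimeProtectionEnabled = False') }
    if ($t.IoavDisabledByPolicy)      { $findings.Add('DisableIOAVProtection=1 set by policy (download/attachment scanning off)') }
    # The video notes that the GUI and even Get-MpComputerStatus lag until a reboot,
    # so right after the change the registry and fltmc checks are the ones to trust.

    [pscustomobject]@{
        Driver   = $f
        Defender = $t
        Findings = $findings.ToArray()
        Tampered = ($findings.Count -gt 0)
    }
}

Test-DefenderTamperIntegrity | Format-List
```

Run it three times: on the clean lab box everything should be green (Altitude present, filter attached, no findings); after the reg delete but before the reboot you should see only the missing Altitude value, because the filter is still attached; after the reboot the filter is gone, the SCM failure is logged, and the TamperProtection value flips once the reg add goes in. Those three registry paths and the `fltmc` output are also what a detection rule should key on, since the GUI state the video shows is stale.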
go into the x64 folder and download mimikatz.exe. It will probably get blocked by Defender SmartScreen, which is a separate thing by the way; SmartScreen is a separate protection, so we'd expect that. Let's just bypass it; there are ways to bypass that as well, maybe for another video. We can see that we're able to run it. If antivirus were on it would be screaming about Mimikatz being on the system. I'll move it to another folder, for example; you can see Mimikatz here, let me rename it really fast, and just to show you: I run the program, so it should be scanned dynamically and definitely be detected, but nothing happens, and that's because we've disabled antivirus.

So, if you're interested in learning more techniques like this as you level up, and that's definitely what you need to do to get into this field today: it's not enough to just have the OSCP and some basic stuff that thousands of other people have on their resume. You want to keep elevating your skill set. If you want a path, along with some guidance and advice on how to get into the field (and I'm also giving out freelance contracts, by the way, to people who go through my program), send me a DM on my Instagram at Elevate Cyber and we can get you some guidance and get you on the path. Thanks for watching, and I'll see you in the next video.