Another way to bypass McAfee detection

During a penetration test we obtained the complete administration of a Windows server.

We were looking for a way to get more information on this server and wanted to use the pass-the-hash technique developed by Hernan Ochoa to get NT / LM hashes from memory.

The problem is that this server runs McAfee VirusScan Enterprise version 8.7i, which detects wce.exe as malicious.

To disable the antivirus service it is necessary to know an administrative password.
In previous versions it was possible to disable the password by modifying the registry value UIP in (1) HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection or (2) HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion
Today that registry value can no longer be changed, because of permissions added after the following vulnerability

But we found the following registry values: "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\Configuration\Default\ExcludedItem_X"

Some of them are paths excluded from scanning by default: "c:\inetpub\mailroot\", "c:\program file\exchsrvr\schema", "%systemroot%\IIS Temporary Compressed"

We simply put our binaries in one of the directories named in ExcludedItem_X, ran them through the functionality McAfee offers to run any binary, and finally got the hashes we needed.
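From the defender's side, the point of the post is that a default exclusion is only as safe as the permissions on the excluded directory. The following PowerShell audit script is an added example, not code from the original post: it reads the ExcludedItem_X values under the key named above, and reports any excluded directory that a low-privileged principal is allowed to write to. It assumes each value is pipe-delimited with the path as its last field, and must be run elevated.

```powershell
# Added audit script (not from the original post). Lists the McAfee VSE 8.7i
# on-access exclusions and flags excluded directories writable by non-admins.
$key = 'HKLM:\SOFTWARE\McAfee\VSCore\On Access Scanner\Configuration\Default'

# Principals whose write access to an excluded directory is worth flagging.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

$props = Get-ItemProperty -LiteralPath $key -ErrorAction Stop
$items = $props.PSObject.Properties | Where-Object { $_.Name -like 'ExcludedItem_*' }

foreach ($item in $items) {
    # Assumption: each value is pipe-delimited and the path is its last field.
    $raw  = [string]$item.Value
    $path = [Environment]::ExpandEnvironmentVariables((($raw -split '\|')[-1]).Trim())

    if (-not (Test-Path -LiteralPath $path)) {
        '{0,-16} {1}  (not present on disk)' -f $item.Name, $path
        continue
    }

    # Look for Allow ACEs granting write/create-file rights to low-privileged groups.
    $acl = Get-Acl -LiteralPath $path
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeBits)
    }

    if ($risky) {
        $who = ($risky | ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique) -join ', '
        '{0,-16} {1}  WRITABLE by {2}' -f $item.Name, $path, $who
    } else {
        '{0,-16} {1}  ok' -f $item.Name, $path
    }
}
```

Any line reported as WRITABLE is an exclusion to tighten (remove it, or restrict the directory ACL), and a file-creation event in such a directory is a cheap thing to alert on.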

I hope this helps if you ever come across this antivirus; the technique should also be applicable to other antivirus products.

Have fun!

