Lucene search
K

Windows Antivirus Exclusions Enumeration

🗓️ 06 Nov 2015 01:43:30Reported by Andrew Smith, Jon Hart <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 47 Views

Windows Antivirus Exclusions Enumeration module enumerates file, directory, process, and extension-based exclusions from supported AV products such as Microsoft Defender, Microsoft Security Essentials/Antimalware, and Symantec Endpoint Protection. The module checks for the presence of each AV product and then prints the exclusions for each product.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Antivirus Exclusions Enumeration',
        'Description' => %q{
          This module will enumerate the file, directory, process and
          extension-based exclusions from supported AV products, which
          currently includes Microsoft Defender, Microsoft Security
          Essentials/Antimalware, and Symantec Endpoint Protection.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Andrew Smith', # original metasploit module
          'Jon Hart <jon_hart[at]rapid7.com>' # improved metasploit module
        ],
        'Platform' => [ 'win' ],
        # XXX: this will work with 'shell' when the sysinfo parts are removed
        # and https://github.com/rapid7/metasploit-framework/issues/6328 and
        # perhaps https://github.com/rapid7/metasploit-framework/issues/6316
        # are fixed
        'SessionTypes' => [ 'meterpreter' ]
      )
    )

    register_options(
      [
        OptBool.new('DEFENDER', [true, 'Enumerate exclusions for Microsoft Defender', true]),
        OptBool.new('ESSENTIALS', [true, 'Enumerate exclusions for Microsoft Security Essentials/Antimalware', true]),
        OptBool.new('SEP', [true, 'Enumerate exclusions for Symantec Endpoint Protection (SEP)', true])
      ]
    )
  end

  DEFENDER = 'Windows Defender'
  DEFENDER_BASE_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender'
  ESSENTIALS = 'Microsoft Security Essentials / Antimalware'
  ESSENTIALS_BASE_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware'
  SEP = 'Symantec Endpoint Protection (SEP)'
  SEP_BASE_KEY = 'HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection'

  def av_installed?(base_key, product)
    if registry_key_exist?(base_key)
      print_good("Found #{product}")
      true
    else
      false
    end
  end

  def excluded_sep
    base_exclusion_key = "#{SEP_BASE_KEY}\\Exclusions\\ScanningEngines\\Directory"
    admin_exclusion_key = "#{base_exclusion_key}\\Admin"
    client_exclusion_key = "#{base_exclusion_key}\\Client"

    admin_paths = []
    if (admin_exclusion_keys = registry_enumkeys(admin_exclusion_key, @registry_view))
      admin_exclusion_keys.map do |key|
        admin_paths << registry_getvaldata("#{admin_exclusion_key}\\#{key}", 'DirectoryName', @registry_view)
      end
      print_exclusions_table(SEP, 'admin path', admin_paths)
    end
    client_paths = []
    if (client_exclusion_keys = registry_enumkeys(client_exclusion_key, @registry_view))
      client_exclusion_keys.map do |key|
        client_paths << registry_getvaldata("#{client_exclusion_key}\\#{key}", 'DirectoryName', @registry_view)
      end
    end
    print_exclusions_table(SEP, 'client path', client_paths)
  end

  def excluded_defender
    print_exclusions_table(DEFENDER, 'extension', registry_enumvals("#{DEFENDER_BASE_KEY}\\Exclusions\\Extensions", @registry_view))
    print_exclusions_table(DEFENDER, 'path', registry_enumvals("#{DEFENDER_BASE_KEY}\\Exclusions\\Paths", @registry_view))
    print_exclusions_table(DEFENDER, 'process', registry_enumvals("#{DEFENDER_BASE_KEY}\\Exclusions\\Processes", @registry_view))
  end

  def excluded_mssec
    print_exclusions_table(ESSENTIALS, 'extension', registry_enumvals("#{ESSENTIALS_BASE_KEY}\\Exclusions\\Extensions", @registry_view))
    print_exclusions_table(ESSENTIALS, 'path', registry_enumvals("#{ESSENTIALS_BASE_KEY}\\Exclusions\\Paths", @registry_view))
    print_exclusions_table(ESSENTIALS, 'process', registry_enumvals("#{ESSENTIALS_BASE_KEY}\\Exclusions\\Processes", @registry_view))
  end

  def print_exclusions_table(product, exclusion_type, exclusions)
    exclusions ||= []
    exclusions = exclusions.compact.reject(&:blank?)
    if exclusions.empty?
      print_status("No #{exclusion_type} exclusions for #{product}")
      return
    end
    table = Rex::Text::Table.new(
      'Header' => "#{product} excluded #{exclusion_type.pluralize}",
      'Indent' => 1,
      'Columns' => [ exclusion_type.capitalize ]
    )
    exclusions.map { |exclusion| table << [exclusion] }
    print_line(table.to_s)
  end

  def setup
    unless datastore['DEFENDER'] || datastore['ESSENTIALS'] || datastore['SEP']
      fail_with(Failure::BadConfig, 'Must set one or more of DEFENDER, ESSENTIALS or SEP to true')
    end

    # all of these target applications seemingly store their registry
    # keys/values at the same architecture of the host, so if we happen to be
    # in a 32-bit process on a 64-bit machine, ensure that we read from the
    # 64-bit keys/values, and otherwise use the native keys/values
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      @registry_view = REGISTRY_VIEW_64_BIT
    else
      @registry_view = REGISTRY_VIEW_NATIVE
    end
  end

  def run
    print_status("Enumerating Excluded Paths for AV on #{sysinfo['Computer']}")

    found = false
    if datastore['DEFENDER'] && av_installed?(DEFENDER_BASE_KEY, DEFENDER)
      found = true
      excluded_defender
    end
    if datastore['ESSENTIALS'] && av_installed?(ESSENTIALS_BASE_KEY, ESSENTIALS)
      found = true
      excluded_mssec
    end
    if datastore['SEP'] && av_installed?(SEP_BASE_KEY, SEP)
      found = true
      excluded_sep
    end

    print_error 'No supported AV identified' unless found
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation