SandboxPPL

Golang PoC that sandboxes Defender (or other PPL) by setting its token integrity to Untrusted, effectively turning it useless.

This is possible due to the fact that using PROCESS_QUERY_LIMITED_INFORMATION to open a protected process is enough (in contrast to what MSDN documentation states) to get a handle to its access token.

PoC

MsMpEng.exe (Windows Defender) runs as PPL

All sorts of privileges are enabled and token integrity is System

Not anymore

Notes

In the original research all the privileges are manually stripped off from the process, besides changing the token integrity.
It seems that this first step is not necessary, since only by setting the integrity level to Untrusted the same goal is achieved.

The program needs to run with SYSTEM privileges, otherwise the OpenProcessToken call will fail because the Owner of the target token is NT AUTHORITY\SYSTEM.

Reference

https://elastic.github.io/security-research/whitepapers/2022/02/02.sandboxing-antimalware-products-for-fun-and-profit/article/

GitHub

View Github

Golang PoC that sandboxes Defender (or other PPL) by setting its token integrity to Untrusted

SandboxPPL

PoC

Notes

Reference

GitHub

John

A base gui tool for xray/v2ray/hysteria/trojan-go without system proxy

Go Hexagonal architecture implemented with interfaces, tests and mockgen

SandboxPPL

PoC

Notes

Reference

GitHub

A base gui tool for xray/v2ray/hysteria/trojan-go without system proxy

Go Hexagonal architecture implemented with interfaces, tests and mockgen

You might also like...