Disable-TamperProtection

A POC to disable Tamper Protection and other Defender / MDE components

It is possible to abuse SYSTEM / TrustedInstaller privileges to tamper with or delete the WdFilter settings (the Altitude registry value under the driver's instance key) and unload the WdFilter kernel minifilter, which disables Tamper Protection and other Defender components. Because WdFilter is the file-system minifilter that feeds Defender, this also affects Microsoft Defender for Endpoint (MDE), blinding MDE to telemetry and activity on the target. Note that this is a post-exploitation / defense-evasion technique, not a privilege escalation: an attacker must already hold SYSTEM or TrustedInstaller privileges on the host.

The POC is used in the following order:
   1 — Unload WdFilter
   2 — Disable Tamper Protection
   3 — Disable Defender / MDE components
   4 — Reinstate / restore the WdFilter


Blog: Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components

POC Demo: https://youtu.be/MI6aVDHRix8

During testing, this vulnerability was found to affect the following Windows versions. The BuildLabEx string identifies the release branch and does not change with cumulative updates, so compare the UBR (revision) value in the same registry key against the update named in parentheses:
   • Windows Server 2022 until BuildLabEx Version: 20348.1.amd64fre.fe_release.210507-1500 (April 2024 update)
   • Windows Server 2019
   • Windows 10 until BuildLabEx Version: 19041.1.amd64fre.vb_release.191206-1406 (April 2024 update)
   • Windows 11 until BuildLabEx Version: 22621.1.amd64fre.ni_release.220506-1250 (Sep 2023 update)
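The check a defender wants after reading the above is whether the indicators the POC tampers with are intact on a given host: is WdFilter loaded as a minifilter, is its Altitude value present and unchanged, does Defender still report Tamper Protection on, and what patch level is the host at. The PowerShell below is an added verification script written for this page; it is not code from the Disable-TamperProtection project or its blog post. It assumes Microsoft's allocated altitude for WdFilter.sys (328010), the standard WdFilter instance key layout under HKLM\SYSTEM\CurrentControlSet\Services\WdFilter\Instances, and that it runs elevated (fltmc and the Defender cmdlets require that).

```powershell
# Added verification script (not the Disable-TamperProtection project's code).
# Checks the indicators the POC tampers with: WdFilter loaded, its Altitude
# registry value intact, and Tamper Protection / real-time protection on.
# Assumption: 328010 is Microsoft's allocated altitude for WdFilter.sys;
# confirm against a known-good host in your own environment.
#Requires -RunAsAdministrator

$ExpectedAltitude = '328010'
$findings = @()

# 1. Is the WdFilter kernel driver service running? (Get-Service does not list drivers)
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='WdFilter'"
if (-not $drv -or $drv.State -ne 'Running') {
    $findings += "WdFilter driver not running (state: '$($drv.State)')"
}

# 2. Is WdFilter actually attached as a minifilter? Step 1 of the POC removes it here.
$fltmc = & fltmc.exe filters 2>$null
if (-not ($fltmc | Select-String -Pattern '^\s*WdFilter\s')) {
    $findings += 'WdFilter not present in "fltmc filters" output'
}

# 3. Altitude value under the default instance key (the registry value the POC tampers with)
$instRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances'
$defaultInst = (Get-ItemProperty -Path $instRoot -ErrorAction SilentlyContinue).DefaultInstance
if (-not $defaultInst) {
    $findings += 'WdFilter DefaultInstance value missing'
} else {
    $inst = Get-ItemProperty -Path (Join-Path $instRoot $defaultInst) -ErrorAction SilentlyContinue
    if (-not $inst -or -not $inst.PSObject.Properties['Altitude']) {
        $findings += "WdFilter Altitude value missing under '$defaultInst'"
    } elseif ($inst.Altitude -ne $ExpectedAltitude) {
        $findings += "WdFilter Altitude is '$($inst.Altitude)', expected $ExpectedAltitude"
    }
}

# 4. Protection state as reported by the Defender service itself
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings += 'Get-MpComputerStatus failed (Defender service stopped or disabled?)'
} else {
    if (-not $mp.IsTamperProtected)        { $findings += 'Tamper Protection is OFF' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
}

# 5. Patch level: BuildLabEx identifies the branch only, so record UBR (revision) alongside it
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"Build: $($ver.BuildLabEx)  UBR=$($ver.UBR)"

if ($findings.Count -eq 0) {
    'OK: WdFilter loaded, Altitude intact, Tamper Protection and real-time protection on'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated PowerShell prompt on a baseline host first; a missing Altitude value or an absent WdFilter entry in `fltmc filters` while the driver service still reports Running is the state the POC's steps 1 and 2 leave behind, and is worth alerting on independently of whatever the Defender cmdlets report, since a blinded Defender will not report its own blinding.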



tg-me.com/HackerOne/3665

BY HackerOne

