https://fourcore.io/blogs/no-more-access-denied-i-am-trustedinstaller According to Microsoft, Tamper protection essentially locks Microsoft Defender Antivirus to its secure default values and prevents your security settings from being changed through apps and methods such as: Configuring settings in Registry Editor on your Windows device Changing settings through PowerShell cmdlets on your device Therefore, disabling the service or modifying the configuration won’t work. (...) We wrote a small POC which starts TrustedInstaller, opens a handle to it, and creates a new child process. The code spawns a cmd.exe shell with the privileges of TrustedInstaller and the user as NT Authority/System.
Find a file
2023-09-11 21:09:22 +05:30
functions.go Add TrustedInstaller POC 2023-02-16 16:09:18 +05:30
go.mod Add TrustedInstaller POC 2023-02-16 16:09:18 +05:30
go.sum Add TrustedInstaller POC 2023-02-16 16:09:18 +05:30
LICENSE feat: add MIT License 2023-09-11 21:09:22 +05:30
main.go Add TrustedInstaller POC 2023-02-16 16:09:18 +05:30
README.md fix: update title 2023-02-16 16:38:45 +05:30

TrustedInstaller

A simple Proof of Concept in Go to spawn a new shell as TrustedInstaller. Read more about how this PoC works on this blog about TrustedInstaller. It is important to note that this should be executed as a user which has SeDebugPrivileges. Upon execution, it will automatically ask for UAC in case it is not executed as as an Administrator.

POC

  1. Clone the repository
$ git clone https://github.com/FourCoreLabs/TrustedInstallerPOC.git
  1. Ensure you have Go installed. This POC has been tested on Go 1.19.
  2. Either build the binary and execute it
$ go build ti
$ ./ti.exe
  1. Or run it directly
$ go run ti

This will spawn a new cmd shell with TrustedInstaller privileges which can be confirmed by running the command whoami /all

demo

API

  • RunAsTrustedInstaller
    • Use the RunAsTrustedInstaller function to pass any executable to be run with TrustedInstaller privileges.