https://fourcore.io/blogs/no-more-access-denied-i-am-trustedinstaller
According to Microsoft, Tamper protection essentially locks Microsoft Defender Antivirus to its secure default values and prevents your security settings from being changed through apps and methods such as:
Configuring settings in Registry Editor on your Windows device
Changing settings through PowerShell cmdlets on your device
Therefore, disabling the service or modifying the configuration won’t work.
(...)
We wrote a small POC which starts TrustedInstaller, opens a handle to it, and creates a new child process. The code spawns a cmd.exe shell with the privileges of TrustedInstaller and the user as NT Authority/System.
| functions.go | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| README.md | ||
TrustedInstaller
A simple Proof of Concept in Go to spawn a new shell as TrustedInstaller. Read more about how this PoC works on this blog about TrustedInstaller. It is important to note that this should be executed as a user which has SeDebugPrivileges. Upon execution, it will automatically ask for UAC in case it is not executed as as an Administrator.
POC
- Clone the repository
$ git clone https://github.com/FourCoreLabs/TrustedInstallerPOC.git
- Ensure you have Go installed. This POC has been tested on Go 1.19.
- Either build the binary and execute it
$ go build ti
$ ./ti.exe
- Or run it directly
$ go run ti
This will spawn a new cmd shell with TrustedInstaller privileges which can be confirmed by running the command whoami /all
API
- RunAsTrustedInstaller
- Use the
RunAsTrustedInstallerfunction to pass any executable to be run with TrustedInstaller privileges.
- Use the