Another way to bypass McAfee detection

Faraday News, Faraday, Sep 13, 2011

During a penetration test we obtained the complete administration of a Windows server.

We were looking for a way to get more information from this server and wanted to use the pass-the-hash technique developed by Hernan Ochoa to dump the NT/LM hashes from memory.

More information: Windows Credentials Editor v1.2

The problem is that this server is running McAfee VirusScan Enterprise 8.7i, which detects wce.exe as malicious.

Disabling the antivirus service requires knowing an administrative password.

In previous versions it was possible to disable the password by modifying the registry value UIP in (1) HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection or (2) HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion

Today those keys can no longer be changed, because of the permissions added after the following vulnerability:

But we found the following registry values: “HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\Configuration\Default\ExcludedItem_X”

Some of them are paths excluded from scanning by default: “c:\inetpub\mailroot”, “c:\program files\exchsrvr\schema”, “%systemroot%\IIS Temporary Compressed”

So we simply placed our binaries in one of the directories named in ExcludedItem_X, using the functionality McAfee offers to run any binary, and finally obtained the hashes we needed.
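The defensive counterpart of the step above is to audit the same exclusion list the post relies on and look for executables that have landed inside excluded folders. The following PowerShell script is an added example, not code from the original post or from Faraday; it assumes the registry layout the post describes (ExcludedItem_N values under the VSCore On Access Scanner Default key, plus a Wow6432Node mirror on 64-bit hosts, which is an assumption) and that each value is a pipe-separated string in which one field is the excluded path (also an assumption, so the parser just takes the last field that looks like a path).

```powershell
# Added example: audit McAfee VSE on-access exclusions and list executables found
# inside excluded folders. Not part of the original post; registry layout and the
# pipe-separated value format are assumptions, labelled as such.

$ExclusionKeys = @(
    'HKLM:\SOFTWARE\McAfee\VSCore\On Access Scanner\Configuration\Default',
    # Assumption: 32-bit VSE on a 64-bit host keeps its keys under Wow6432Node.
    'HKLM:\SOFTWARE\Wow6432Node\McAfee\VSCore\On Access Scanner\Configuration\Default'
)

function Get-VseExclusionPaths {
    param([string[]]$Keys = $ExclusionKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^ExcludedItem_\d+$') { continue }
            # Assumption: value is "field|field|...|path"; pick the last field that
            # contains a drive letter, backslash or environment variable.
            $field = ([string]$p.Value -split '\|') |
                Where-Object { $_ -match '[\\%:]' } |
                Select-Object -Last 1
            if (-not $field) { continue }
            [pscustomobject]@{
                Key  = $key
                Name = $p.Name
                Raw  = $p.Value
                Path = [Environment]::ExpandEnvironmentVariables($field.Trim())
            }
        }
    }
}

function Find-ExecutablesInExclusions {
    # Flag files written inside excluded folders; "Recent" highlights anything
    # modified within the last $NewerThanDays days, which is what an intrusion
    # that drops a tool into an exclusion would look like.
    param([int]$NewerThanDays = 30)
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)
    $exts   = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js'
    foreach ($ex in Get-VseExclusionPaths) {
        if (-not (Test-Path -LiteralPath $ex.Path -PathType Container)) { continue }
        Get-ChildItem -LiteralPath $ex.Path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $exts -contains $_.Extension.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{
                    Exclusion = $ex.Name
                    Folder    = $ex.Path
                    File      = $_.FullName
                    Modified  = $_.LastWriteTime
                    Recent    = ($_.LastWriteTime -gt $cutoff)
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Usage: print every exclusion, then the executables that live inside them,
# recent ones first so they stand out.
Get-VseExclusionPaths | Format-Table Name, Path -AutoSize
Find-ExecutablesInExclusions -NewerThanDays 30 |
    Sort-Object Recent, Modified -Descending |
    Format-Table Exclusion, File, Modified, Recent -AutoSize
```

Run it from an elevated PowerShell session (the VSCore keys are readable by administrators). Any executable reported as Recent inside a default exclusion deserves a closer look, and the longer-term fix is to remove default exclusions that the host does not actually need (a web server without Exchange has no reason to exclude exchsrvr paths) and to make sure ordinary users and service accounts cannot write into the excluded folders that remain.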

I hope this is useful if you ever come across this antivirus; the technique should be applicable to other antivirus products as well.

Have fun!
