Remotely Enumerate Anti-Virus Configurations

There are a variety of reasons why a pen tester would want to obtain the anti-virus configurations of the system they are targeting. The ability to capture this information remotely can allow a pen tester to customize their actions for the computer they are targeting. In my last post, I talked about how to copy a file purely using WMI. For this blog post, I’m will cover how to utilize CIM sessions to gather information about the configuration of a remote system’s anti-virus.

Let’s start by working backwards, the cmdlet that will gather the antivirus configuration is Get-MpPreference. The Get-MpPreference cmdlet will return a large amount of information, you can view what’s returned by running the cmdlet on your local system.

Get-MpPreference Output

The specific configuration settings that we’re targeting in this post is the ExclusionExtension, ExclusionPath, and ExclusionProcess properties. These are fairly self-explanatory:

  • Exclusion Extension – This setting is used to whitelist a specific filetype. Administrators can whitelist this by specifying a file extension.
  • Exclusion Path – The extension path property is used when an administrator whitelists either a specific folder or individual file.
  • Exclusion Process – The exclusion process property allows an administrator to whitelist by process name

The Get-MpPreference cmdlet also allows you to target a remote system by providing a CIM session. You would provide the CIM session into the Get-MpPreference cmdlet via the -CimSession parameter.

This leads to the next two cmdlets that will create our CIM session, New-CIMSessionOption and New-CIMSession. The New-CIMSessionOption cmdlet will let us specify DCOM as the protocol when connecting to the remote machine, and we’ll want to store the output in a variable similar to the following command:

$sessopt = New-CimSessionOption -Protocol DCOM

Next, we need to create a PSCredential object that will allow you to authenticate to your targeted system. If you are able to interact with your local system, the easiest way to do this is to use the Get-Credential cmdlet similar to the following:

$creds = Get-Credential

If you have to script this step, your code should look similar to the following:

$secpasswd = ConvertTo-SecureString “PlainTextPassword” -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential (“username”, $secpasswd)

Now that you have the PSCredential object, you can pass in all the required parameters to the New-CIMSession cmdlet and establish your CIM session to the remote system. Your command will look similar to the following:

$sess = New-CIMSession -ComputerName -Credential $creds -SessionOption $sessopt

Now, it’s time to use the Get-MpPreference cmdlet. It’s as simple as calling the cmdlet and passing in the $sess variable. You should then have the results shown on your console.

Modified AV Configuration

For this system, we can see that the pdf extension is whitelisted, anything written to the C:\Users\user1\Downloads directory is not analyzed, and if the process name is dolphin.exe, then the anti-virus is configured to ignore it. There are additional configurations that are worthwhile to review as well, and I recommend that you dive more into reviewing additional configs.

I hope that this helped to explain how to remotely query a system’s AV configuration. If you have any questions, please don’t hesitate to contact us at FortyNorth Security.