Disable Windows Defender: UAC Bypass + Upgrade to SYSTEM

Disable Windows Defender

Privileges are permissions the system grants to a process through its access token. For example, if a process holds the “SeShutdownPrivilege” privilege, it has the right to shut down the computer; a program that does not hold this privilege cannot perform that action.

Windows Defender relies on its privileges to scan files; “SeRestorePrivilege” is one example. From this it follows that if the antivirus process is stripped of the privileges it needs to scan files, it becomes useless and can no longer perform that scan. Any explanation becomes clearer once dry text is turned into something you can see, so I suggest you download Process Hacker and look with your own eyes at the privileges held by a particular process.

Windows Defender runs as the process MsMpEng.exe; find it in the process list and open the Token tab. Here we notice that the process holds many different privileges that are of key importance to it.

As you have guessed, disabling these privileges is what we will be doing. That concludes the theoretical part; now we move on to implementing the POC.

Right at the start, two problems get in our way.

  • MsMpEng.exe runs as SYSTEM, so to edit its token we must ourselves be running as “NT AUTHORITY\SYSTEM”.
  • To reach SYSTEM we need to elevate, which in turn is possible only from the administrator level.

Demo

Install & Use