Still confirming this is working the way I intend it, updates and detailed POC to follow...
I
found RCE in a web application, and place a web shell file in a
publicly facing directory on the server. However, AV keeps deleting it,
so as part of my command injection, I spin up a process to put a file
handle on the shell. Even though defender is detecting it, it's not deleting it. (I know it's detecting it because I've also gained remote desktop access and can see the alerts.)
In the past I have focused mainly on detection evasion but deletion evasion is looking a lot easier right now.
UPDATE: Well, turns out my webshell was a low-priv account, but the process I was doing command injection through was running as NT AUTHORITY\SYSTEM, so woot! No wonder I can successfully lock the webshell file using a process that starts on startup. This doesn't work for Meterpreter payloads that spin off their own processes that then become detected. So maybe it works, but it's limited.
Sidenote:
A bit about how difficult it was to figure out I was root when my RCE was Java arbitrary code execution...
The
webshell was written to C:\inetpub\wwwroot by my Java process. It
executed commands as a low privilege AppPool type IIS user. Running
whoami through the shell will tell you this
Asking the Java Virtual Machine was a little useless. Calling System.getProperty("user.name") just returns the USERNAME environment variable from (I believe) when the JVM was initiated. This gave me PC-NAME$ where PC was the domain name of another user I got access another way, i.e. PC-NAME\otheruser.
FINALLY I got the idea to run "cmd.exe /c whoami" directly through
the Java injection, write the results to a publicly served directory
and check out the results. NT AUTHORITY\SYSTEM! Whew! At this point I
guess I don't need evasion, I could just turn off the AV!
