[Mal Series #16] RunAs TrustedInstaller from Snake Keylogger
Disabling a Windows security component (the Windows Defender service, for example, or certain protected registry keys and files) normally requires a higher, or at least a different, level of privilege than the caller already holds. The malware from the SolarWinds compromise, for instance, raised its own privileges by enabling token privileges such as SeDebugPrivilege before disabling the Windows Defender service. This story shows how Snake Keylogger performs a similar escalated action: it runs its removal script through AdvancedRun.exe under the TrustedInstaller service account in order to disable Windows security services.

This is not a privilege escalation in the strict sense: launching AdvancedRun.exe this way still requires an administrator account.

Even from an administrator account, some files, services and registry keys remain protected by Windows, because they are owned by TrustedInstaller (NT SERVICE\TrustedInstaller) and their ACLs give Administrators read access only; changing them requires either taking ownership or running in the TrustedInstaller context.
As usual, Snake arrives as a multistage dropper in which each stage decrypts the next until the final payload is reached.

In the final stage, before the Snake stealer itself runs, the malware downloads a tool named AdvancedRun (the NirSoft utility for launching a program with a chosen user, priority and window state) from a Pastebin raw page that contains the executable as a base64-encoded string. It then uses AdvancedRun to execute a test.bat with "Priority Class" set to Normal and "Run As" set to TrustedInstaller.
For background on what TrustedInstaller is and how a process can be started in that context, see the two Tyranid's Lair posts linked at the end of this story.
test.bat is a script that disables Windows security services and deletes the WinDef/WinATP (Windows Defender and Windows Defender ATP) folders to prevent any further detection of the stealer.
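The chain described above (AdvancedRun.exe asked to run a script as TrustedInstaller, followed by service-tampering commands under that context) is what a defender would hunt for in process-creation telemetry. The script below is an added example written for this story; it is not code from the original post, from Snake Keylogger, or from NirSoft. The process records are constructed to look like a subset of Sysmon Event ID 1 fields, the AdvancedRun switch names and the numeric /RunAs values (8 = TrustedInstaller, 4 = SYSTEM) are given from memory of the tool's documentation and should be re-checked against the current AdvancedRun manual, and the parent/child links in the sample are an assumption about how AdvancedRun's child shows up, to be confirmed in a lab.

```python
"""Hunt for AdvancedRun-driven TrustedInstaller impersonation and Defender
service tampering in process-creation records (added example, constructed data)."""
import re

# AdvancedRun /RunAs values as recalled from the NirSoft manual (assumption:
# 8 = TrustedInstaller, 4 = SYSTEM); verify before relying on them.
RUNAS_LEVELS = {"4": "SYSTEM", "8": "TrustedInstaller"}
RUNAS_SWITCH = re.compile(r"/RunAs\s+(\d+)", re.IGNORECASE)

# "sc stop WinDefend", "sc config Sense start= disabled", "sc delete WdNisSvc" ...
SC_TAMPER = re.compile(r'\bsc(?:\.exe)?"?\s+(stop|config|delete)\s+(\S+)', re.IGNORECASE)
DEFENSE_SERVICES = {"windefend", "sense", "wdnissvc", "wdnisdrv", "mpssvc",
                    "securityhealthservice"}

# Constructed records (Sysmon Event ID 1 field subset). The AdvancedRun command
# line and the pid/ppid chain are assumptions modelled on the post's description.
SAMPLE_EVENTS = [
    {"pid": 3808, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 3808,
     "image": r"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe" '
                r'/EXEFilename "C:\Users\alice\AppData\Local\Temp\test.bat" '
                r'/PriorityClass 32 /RunAs 8 /Run'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\test.bat"'},
    {"pid": 4402, "ppid": 4388, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop WinDefend"},
    {"pid": 4410, "ppid": 4388, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config Sense start= disabled"},
    # Same command typed by an administrator from an elevated prompt whose
    # parent is not in the captured records: flagged, but not via AdvancedRun.
    {"pid": 5000, "ppid": 7000, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop WinDefend"},
    {"pid": 6000, "ppid": 3808, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def runas_target(cmdline):
    """Return the account AdvancedRun was asked to impersonate, or None."""
    m = RUNAS_SWITCH.search(cmdline)
    return RUNAS_LEVELS.get(m.group(1)) if m else None


def ancestor_images(pid, by_pid, limit=16):
    """Walk ppid links upward; nearest parent first. Stops at unknown pids
    or loops so recycled pids cannot hang the walk."""
    chain, seen, cur = [], set(), by_pid.get(pid)
    while (cur is not None and cur["ppid"] in by_pid
           and cur["ppid"] not in seen and len(chain) < limit):
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(image_name(cur["image"]))
    return chain


def analyze(events):
    """Return one finding per suspicious record.

    Rules:
      advancedrun_runas       AdvancedRun launched with an elevated /RunAs level
      defender_service_tamper sc stop/config/delete against a defence service,
                              annotated with whether AdvancedRun is an ancestor
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = image_name(e["image"]), e["cmdline"]
        if name == "advancedrun.exe":
            target = runas_target(cmd)
            if target:
                findings.append({"pid": e["pid"], "rule": "advancedrun_runas",
                                 "detail": target})
        m = SC_TAMPER.search(cmd)
        if m and m.group(2).lower() in DEFENSE_SERVICES:
            chain = ancestor_images(e["pid"], by_pid)
            findings.append({"pid": e["pid"], "rule": "defender_service_tamper",
                             "detail": f"sc {m.group(1).lower()} {m.group(2)}",
                             "via_advancedrun": "advancedrun.exe" in chain})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Two caveats for production use. Matching on the image name is weak, since the dropped binary can be renamed; match on the PE's OriginalFileName (which Sysmon records) or on the hash and signer of the NirSoft tool instead, and pair the rule with the download stage (the loader fetching a paste-site raw URL). The folder deletion inside test.bat is done by cmd-internal commands such as rmdir, which create no process, so that part needs file-delete telemetry (Sysmon Event ID 23/26) rather than process creation.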
Malware stage which downloads AdvancedRun.exe
Unpacked Snake Stealer
The Art of Becoming TrustedInstaller (Tyranid's Lair): "If you've spent any time administering a Windows system post Vista you'll have encountered the TrustedInstaller (TI)…"
The Art of Becoming TrustedInstaller - Task Scheduler Edition (Tyranid's Lair): "2 years ago I wrote a post running a process in the TrustedInstaller group. It was pretty well received, and as others…"