KIS / KES

Kaspersky Endpoint Security (KES) / Kaspersky Security Center (KSC) / Kaspersy Internet Security (KIS)

https://api-router.kaspersky-labs.com/downloads/search/v3/b2b

KES / KIS

https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea

Scan Exclusions

Potential scan exclusions:

C:\Windows\System32\LogFiles\
C:\Windows\System32\inetsrv\
C:\Windows\ClusterStorage\
C:\ProgramData\Microsoft\Windows\Hyper-V\

Stop Service

https://www.exploit-db.com/docs/english/40433-deactivating-endpoint-protection-software-in-an-unauthorized-manner-(revisited).pdf

Check if KES Self-Defense is enabled:

PS > (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\settings" -Name "EnableSelfProtection").EnableSelfProtection

Check if KES external management of system services is allowed:

PS > (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\settings" -Name "AllowServiceStop").AllowServiceStop

If EnableSelfProtection is 0 and AllowServiceStop is 1, then it's possible to manipulates KES application from the command line via klpsm.exe:

Cmd > cd "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows"
Cmd > klpsm.exe stop_avp_service
Cmd > klpsm.exe start_avp_service

Remove Product

KSC

Key Value

Key	Value
Default MMC Port	13291
Remote Installation Path	`%WINDIR%\Temp\KAV Remote Installations`

Default MMC Port

13291

Remote Installation Path

%WINDIR%\Temp\KAV Remote Installations

Enumeration

Cmd > netstat -ano | findstr 13000
Cmd > "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagchk.exe"
Cmd > reg query HKLM\SOFTWARE\WOW6432Node\KasperskyLab\Components /s /v Protection_AdmServer
Cmd > C:\PROGRA~2\KASPER~1\KASPER~1\klsql2.exe -i query.sql -u administrator -p "Passw0rd!" -o query.xml

KlScSvc in LSA

https://telegra.ph/Crackmapexec-beryot-sluzhebnyj-parol-konsoli-Kaspersky-Security-Center-12-08

Last updated 1 month ago