TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Quarkslab

Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV

Lucas Laise · 2026-03-02

ATT&CK techniques detected (4 predictions)

T1055.001 Dynamic-link Library Injection (94%)
“…_3rd_party_host_32.exe" "c:\windows\system32\foobar.txt" Opened link \RPC Control\wa_3rd_party_host_32.exe -> \??\c:\windows\system32\foobar.txt: 00000158. Press enter to exit and delete the symlink. Run the software updater and wait for i…”

T1055.001 Dynamic-link Library Injection (90%)
“…default allows local users to create files. If temp_rto.dat already exists and can't be overwritten, CVE-2026-27748 gives us the delete we need to recreate it. This vulnerability has been quickly identified using CerealKiller, thanks to two06 from TrustedSec. Tooling dns…”

T1055.001 Dynamic-link Library Injection (67%)
“Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV. Introduction. Avira Internet Security ships with a handful of modules that quietly handle privileged operations in the background: software updates, performance monitoring and system cleanup. Each one runs par…”

T1485 Data Destruction (52%)
“…Ctrl+Alt+Del, run osk.exe, SYSTEM shell. Read the ZDI and Mandiant posts for the full details. Folder delete vs. file delete. This trick abuses a folder delete redirection, which still works today. However, the file delete makes use of the deletion of the alternate data stream: …”

Summary

Three vulnerabilities in Avira Internet Security, from an arbitrary file delete primitive to two distinct paths to SYSTEM privileges.