Thanks to everyone who attended my @reconmtl and @BlueHatIL talks! The exploit and slides are here:
If you took any photos during either of the talks, please share them here. Also, please don't hesitate to stop me to say hi!
Brand new Win10 laptop. Attempt to install Chrome. Almost get owned with my very first action. Why is this still happening in 2018, @bing? Please explain.
Watch me drop some still-unpatched Windows exploits at BlackHat:
✅ Bypass LSASS RunAsPPL
✅ Modify kernel memory
💥 Zero vulnerable drivers
Article:
Article #2:
Code:
Talk: 👇
> Elastic has pushed the defensive industry forward with their anomalous call stack detection logic that is a formidable challenge for modern red team operations.
Thanks for the shout-out! We have plans to make your jobs even harder. 🙂
Yes this is real. Bing lists the scam link without https : //. I can still reproduce it by visiting this link in Edge and hitting F5 a few times. I can't repro with other browsers.
I'm thrilled to announce that I'll be presenting a previously-unnamed vulnerability class at @BlueHatIL.
Oh, and I'll be dropping 0day. Be sure to stop by, learn something new, pwn the kernel, and have a coffee. It should be a good time.
Great news! Yesterday's Patch Tuesday fixed PPLFault. Thanks so much to everyone at Microsoft who helped get this 510-day bug fixed (🙌 especially @PhilipTsukerman and @depletionmode). If you'd like to know more about the fix, see my article: (1/5)
Are you tired of being stuck in userland? Come to @reconmtl where I'll show you how to fast-talk your way into the Windows kernel. Coffee and exploits provided.
Come for the pwnage. Stay for the knowledge.
@R00tkitSMM @DonnchaC @jsrailton
This has to be a mistake or mixup. Appeal to them and explain that it was credited as a CVE and show the corresponding bounty description.
Also link to this thread so they can see the community telling you to sell future bugs instead of responsibly disclosing. With cash off the
Great article @ateixei! I have to rebut your claim about EDR being blackboxes. We (@elastic / @elasticseclabs) publish our detections for the world to see including over 750 behavioral rules, ransomware lua logic, and over 550 malware/memory Yara rules. We also put our Yara
A good read by @ateixei that you should check out
Just wanted to add a small take and perhaps expand on an idea that was highlighted in the article.
Before even reading, the answer should be obvious. EDR and Sysmon share only 2 basic things in common,
☠ As promised, Microsoft killed @itm4n's PPLMedic with the July 3155/3208 updates. You can see the .data => .mrdata change in IDA below. Great work @PhilipTsukerman and team! I hope we can read about the improvements soon! Rest assured, you can continue to use PPLFault and
Elastic's Endpoint Protections team is hiring! If you're passionate about malware tradecraft and OS internals, check us out! 100% remote.
The reqs are a bit flexible. Don't worry if you're not an exact match.
EMEA:
Canada:
We're hiring. 100% remote. Check us out below!
Someone suggested adding a cool image to make the post more eye-catching. This is a near-perfect representation of what I look like on any given workday, but with IDA / WinDbg / VS on the screen instead.
I'm pleased to announce that @magerbomb and I will be presenting a mitigation for physical memory credential dumping at @shmoocon. If you work in the Windows space, red or blue, come check us out!
I had a bit of spare time and managed to recreate this, but SharedOriginal winning again...
It amazes me how this is so simple and yet so effective. Really a great finding.
#Lazarus
exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools. CVE-2024-21338
Beyond BYOVD with an Admin-to-Kernel Zero-Day
24 hours until my @reconmtl talk. Make sure to stop by!
I apologize for the 10AM time slot (not my choice). Don’t party too hard tonight. I’ll have ibuprofen, caffeine gum, and some 5 Hour Energy for those who need it.
Check out @itm4n's awesome evolution of @tiraniddo's PPL research!
My upcoming #BHASIA talk is unrelated to COM. I just tested it successfully on the latest Win11 (22621.1413) and Insider (25314.1010) builds.
Oh man. Anyone who saw my @reconmtl talk should find this funny. Need to walk a fine line between venting and constructive criticism.
1. Accept bug report.
2. Fix bug without crediting researcher.
3. Close issue 4 months later.
@chompie1337
I’ve asked myself that question several times. Trying to be a “good guy” really sucks sometimes.
AFAIK AngryOrchard and KExecDD both still work. I reported the former in 2022, but MSRC hasn’t moved on it.
I will tell you that no matter MSRC’s policies, there are folks within
We’re so excited for @dez_‘s lightning talk at #BHUSA! Learn about the newly discovered technique on 8/7 at 12:00/3:30 and 8/8 at 1:00! We hope to see you at @elastic booth #2350!
Won’t be there? Keep an eye out for the article on this technique — published next week!
Defense just doesn't get as much love as offense. Maybe I'll angle my next prevention release as offense, and throw in a CVSS score for good measure.
Yo I just dropped 0day for XYZ TTP. Stoppin' shellz left and right. Total pwnage!
The video is up! Check out our Silhouette #shmoocon talk. Beyond physical memory access, we also show mitigations for raw disk attacks like Invoke-NinjaCopy and VSS attacks like hobocopy:
@aionescu @yarden_shafir
This is awesome. I bet it went something like this:
1) Use PH all the time
2) Get frustrated by Microsoft blocking KPH
3) Buy PH and rebrand it to get away from the "hacker" image
4) Remove the driver-enabled LPEs like the ability to terminate PPL
5) Do WHQL dance
I'm watching @yarden_shafir's talk "Intel CET and how to stop being scared of French baking." This part rings so true 😂😭
> Oh this is definitely a malicious thing. We definitely want to detect that always. Then you ship your product, it runs on exactly 3 customer machines,
Only A-tier for @elasticseclabs? I don't know about that.
Props to @domchell, creator of Nighthawk C2, for voting his truth 😃
As awesome as we are today, we're continually innovating. There's lots of good stuff in the pipeline. Stay tuned!
Had an absolute blast on stream today, thank you so much to everyone who showed up☺ VOD is on YouTube if you missed it👏 A lot of people came with input, so naturally I 100% blame chat for this now OFFICIAL OFFSEC EDR TIER LIST
While watching @aionescu's 2015 @InfiltrateCon talk, I came across this bit of gold 😂
> If you read the docs, it says "Do not attempt to modify this buffer. It contains operating system data, and corruption could be catastrophic. The information in the buffer is not useful to
@tiraniddo At BlueHat IL last year, Microsoft's Director of OS Security said that Microsoft considers vulnerabilities to be potential risk and exploits to be actual risk (timestamped link: ). In a sense then, exploit drops like PPLFault help Microsoft prioritize their
I just came across this. Great read for anyone interested in how the Windows kernel handles file mappings at a low level. This includes EXE/DLL mappings.
Thanks for writing it, @artem_i_baranov.
Cool article, and thanks for the shout out!
@jdu2600 actually listed that evasion in his talk last year (timestamped: ). Yep we know it's indefensible, and he even said so while discussing evasion opportunities. Most detections can be evaded, and
I just got home after 8 days of excellent talks and training at @reconmtl. At last night’s after-party, it was wild to see so much infosec genius concentrated in one small bar.
A++ would do again - just need to find another new bug class for next year 🤔
So drained. Need to
Why would criminals use polished and tested commercial penetration testing tools to hurt people when they could instead develop and QA their own from scratch?
Excited to share my latest research about FIN7 🔥
The discovery of a new abuse for the Windows built-in driver ProcLaunchMon.sys (TTD Monitor driver) to tamper with EDRs has been an interesting surprise.
Enjoy the read 👇
Yesterday's KB5034441 patch is failing on two Win10 machines. Docs instruct me to manually expand my recovery partition with diskpart. "delete partition override" is a pretty dangerous command. Do we expect non-technical users to run this? Could we automate this instead?
💻🛡️ In this series of blog posts, Clément Labro (itm4n), one of our ethical hackers, explores yet another avenue for bypassing LSA Protection in Userland.
To discover the first article of this series:
#orangecyberdefense
#ethicalhacking
#switzerland
@BingAds
Thank you @BingAds. Did you discover how the ad was listed as ? Have any changes been made to prevent this type of attack from happening again in the future?
If you have access to information that well-funded threat actors would find valuable, or have write access to a software repository (or CI system) that is widely-used, please consider enabling iOS Lockdown Mode.
The spyware managed to infect several dozen iPhones of our employees. Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized. We continue to protect you, as always
#IOSTriangulation
Is there any way for a kernel driver to quickly get KeGetCurrentThread()->TrapFrame->Rip without undocumented structures or functions?
RtlCaptureContext gives you the KM context, not UM.
_KTHREAD is undoc.
PsGetContextThread is undoc.
This is horrible - a possibility every time we push an update. Boot loops are nightmare fuel for EDR vendors. I hope @CrowdStrike and their customers can move past this quickly.
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We
Just because you get access denied accessing a folder, it doesn't mean you can't get access. A quick look at bypassing the security on the WindowsApps folder.
@eversinc33 Great work! Thanks for sharing with the community. Since you're interested in rootkit detection, you may want to check out our 2018 BHUSA talk, particularly the second half:
@SwiftOnSecurity To prevent Microsoft Cortana for Defender from getting owned, you need to install Microsoft Defender for Microsoft Cortana for Defender.
If you publish anything that involves a list of hashes, please consider publishing tuples of (hash,size) instead. This enables lookups to skip expensive hashing work if the size does not match anything in the set. 64-bit file sizes can be encoded as 8 bytes concatenated onto
I think I just made a more-profound observation but please sanity check me here.
_KTRAP_FRAME is documented in ntddk.h. Is the top of the kernel stack for a syscall guaranteed to always be a _KTRAP_FRAME, or is it an implementation detail? What about inside
Let's play a game. How many Windows symbols can you reasonably claim credit for? No [Ex-] MS folk allowed.
I think I have:
nt!SepSetProcessTrustLabelAceForToken per
and I just spotted this one in 22631.3155:
PPLs (aka "not a security boundary") are getting some new protections in Windows 11. One of them fixes a technique documented by @elastic last year where they "sandbox" Windows Defender by modifying its token:
* @SBousseaden and the Elastic team are just top tier, and probably uncover top notch "LO(T)L" tradecraft better than anyone.
Snap-ins are something I've always thought were underrated, and script host capabilities from MMC are still untapped IMO ;)