I've long been interested in how EDRs work under the hood and how we can apply a more evidence-based approach to evasion. I'm happy to announce that I've written a book covering these topics with
@nostarch
which is now available for preorder 🎉
Want to make service removal really fun? Create a service with a unicode name. The service will run but won't show in sc.exe, services.msc, or taskmgr.exe and will sometimes cause a critical error while trying to find it with PowerShell/WMI. Unicode wins again.🤦♂️
Just released a post detailing a methodology for analyzing Windows drivers. My goal is to lower the barrier to entry for finding exploitable driver vulnerabilities through static reversing.
I've been poking around the Windows kernel a lot lately and one of my favorite samples I've referenced is Mimikatz's driver, Mimidrv. I took some time and documented all of its functions and included some write-ups on important kernel structures. Post: 1/3
New blog post discussing approaches to evasion that use less anecdotal evidence (technique X worked against Y) to one which uses observed agent capabilities to determine OPSEC-safe techniques. 1/5
Pushed a new tool, InspectAssembly, to OffensiveC#. This project inspects a target .NET assembly's CIL for calls to deserializers and checks if .NET remoting is being used to aid in finding potential privilege escalations on the host.
Wrote a quick little tool to help make evasion work a little easier. This project finds the exact byte that Defender will flag on and then dumps the offending bytes, signature name, and offset. Could be helpful for testing/modifying tools and payloads.
Want to use Win32 API calls to get around some pesky command line logging? Not sure how to start or how this fits into some C# tooling? I've released a blog post today on interoperability and marshaling as an introduction
Just pushed a new POC, DriverQuery, up to the OffensiveC# repo. This allows operators to get details about kernel drivers registered on the system (and optionally only return ones not signed by Microsoft) for targeting or exfil/analysis.
Today I'm pushing up HijackHunter to the OffensiveC# repo. This tool works by parsing the IAT and delay load table of a PE and testing each import for potential hijacks. If a hijack is detected, it will tell you why it determined it and how to abuse it.
In our never-ending hunt for new persistence techniques,
@mutantvillian
and I spent some time digging into using preview handlers over the past few weeks. Today we're publishing our research along with detection guidance.
Evading EDR, by Matt Hand, gives an inside look look at how Endpoint Detection & Response agents pinpoint adversary activity. Learn the ways each sensor component collects data, how to design an EDR, & how to evade one. Pre-order at 30% off w/ code GOTCHA:
Dell finally released the advisory and patch so I'm finally able to drop the blog on CVE-2023-28072, a LPE in Alienware Command Center. Yes, we're still finding and exploiting .NET Remoting in 2023🙃
Over the past few days, I've been documenting how Windows identifies hypervisors using NtQuerySystemInformation and creating a C++ alternative with quality-of-life improvements. Here's a new blog with the details:
Been spending a lot of time hunting down event sources lately to make better sense of some detections we've run into on operations. I wrote a little tool to help find event providers by recursively parsing directories/files for the specified GUID.
Wrote a quick C# program to enumerate abandoned COM keys. Useful for persistence as you can, in some cases, write to the missing location and call with `rundll32.exe -sta {CLSID}`. Thanks to
@bohops
for the solid post outlining this technique.
DLL hijacks still have value today but our approach to finding them may not always be the best. PATH hijacks are easy to find but miss things earlier in the search order. Loading Procmon on target isn't always safe. You may not be able to exfil on the target app to test in a lab.
Hey Defender friends. Turns out that removing those services with Unicode/non-printable characters is pretty hard, so I wrote you a tool to help with that. I'll be releasing the offensive PoC later this week or early next week.
Finding ways to stay busy and decided to run a super unscientific survey of open source offensive C# tools. I wanted to see what functions were most commonly P/Invoke'd across the tools (n=100). The results weren't quite what I expected but still a really interesting experiment.
Speaking of languages, it's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability. the industry should declare those languages as deprecated.
I wrote a little Ghidra script to allow us to ingest function call trees with Neo4j. It was specifically built to help map Native APIs->EtwTi* sensors in the kernel, so here's a sample of the data we're able to get.
This one is a little different for me, but I wanted to document how I approach research projects at a high level, share some stories, and address some common issues I've seen while advising others. Hope you enjoy!
After spending nearly my entire career as a red team operator, I'm happy to share that I've joined
@preludeorg
to help build our prod-scale continuous security testing platform, Detect. Excited to make adversaries' lives *much* more difficult 😈
#infosec
Been digging into some offensive use cases for ETW lately. One use case that immediately jumped out at me was event subscriptions, similar to WMI persistence. Wrote up a quick POC here:
Windows is a meme. I've spent the better part of the afternoon wondering why my code isn't working. Turns out this has been known since at least 2021...
@dennisbabkin
Pushed some quality of life improvements to OffensiveC# to make it a little easier to use, integrate into existing workflows better, be more C2-friendly, and squashed some bugs along the way.
Temporarily disable Duo authentication on a Windows host. Nice for when you need a temporary RDP session:
regsvr32 /s /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"
regsvr32 /s /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll" cc: TwitterlessNick
I'm proud to announce that the
@SpecterOps
Vulnerability Research for Operators course was selected for 2 runs Black Hat USA this year. I'm really excited to teach the course with
@enigma0x3
and we hope you join us JUL31-AUG1 or AUG2-3.
I found out "C:\Windows\System32\WorkFolders.exe" (signed by MS) can be used to run arbitrary executables in the current working directory with the name control.exe. It's like a new rundll32.exe
#lolbin
but for EXEs!
Biggest takeway from
#infiltratecon
- Tons of research time and money going towards mobile exploits. More advanced threat groups don't care about your XSS and are operating at a scale unimaginable by private firms. Groups are paying $$$$ for bugs - sign of how critical these are.
Added C:\ physical drive serial keying and volume serial keying via WMI to Spotter as briefly described in the
#APT41
report (Pages 21, 25). Physical serial keying appears to be fairly robust as I am not aware of any way to modify/spoof that attribute.
The past few years have been incredibly hard on our family, but tonight we will be giving her the last dose of chemo, marking the end of treatment. She beat leukemia🧡
We have to challenge the status quo of phishing. Phishing was still the initial access vector for 23% of breaches (M-Trends, 2021) and what we've always done might not be what we need today. 1/2
As the state of security continues to evolve, we decided it was time to renew our approach to phishing during red team operations. Today, we're outlining our plans to make initial access ops more valuable to our customers.
Read more here:
The results are in, and a majority of folks chose either no alert or no telemetry. This is pretty interesting to me as both of these aren't really measurable unless you have access to the EDR - something that I very rarely had as a red teamer.
Super excited to have
@jsecurity101
on the team. We're going to be working on some really cool research that we believe will have asymmetric effects on the threat landscape. I look forward to seeing all the cool stuff Jonny cooks up 🙌
User persistence through junction folders as described in the Vault 7 leaks now in the OffensiveC# repo. TLDR; Add a CLSID to the end of a file and add a key in HKCU mapping it to a DLL. Verclsid.exe will execute the DLL when the file is browsed/on boot.
A little late but I wrapped up
@standa_t
's hypervisor development course last week and had a blast. Satoshi is a great instructor and I'd highly recommend it for anyone interested in hypervisor internals.
I've also created a Frida script to hook native APIs to facilitate testing against a simulated EDR agent. While this script is meant to accompany SHAPESHIFTER's agent, it can easily be used to test other tools and expanded to cover more native APIs 5/5
I want to sincerely thank
@gentilkiwi
for releasing Mimidrv. It is an invaluable resource for understanding how we can leverage kernel functions for offense 🥝❤️ 3/3
I had a great time presenting at
@BlackAlpsConf
with
@winternl_t
last week. The con was very well run and had some great talks, plus you can’t really beat the location 🏔️See you all next year!
In this post, I discuss one key difference in the thinking between sophisticated adversaries and many of the red teams that try to simulate them, as well as what that means for tradecraft and tooling.
Had fun reversing some legacy Windows code with
@jsecurity101
for this one. Just a reminder that capability abstraction has a huge benefit for offensive practitioners as well 😈
Happy Monday everyone!
Today
@matterpreter
and I are releasing a joint blog where we dive deep into the methodology we used to uncover the technology that atsvc utilizes within scheduled tasks.
Hope you enjoy!
This PoC uses a reconnaissance agent to detect usermode function hooks and ships results back to a server which parses them, creates a template payload using "safe" techniques, compiles it, and then ships it back to the original agent to run it inline. 3/5
AT:VRO has been my passion project for the past few months and I'm incredibly excited to teach it along with an amazing cadre of instructors. If you're interested in finding and exploiting vulnerabilities in 3rd party software on Windows, we still have seats open 😈
At SO-CON 2020, we are launching two new training courses in the Adversary Tactics series. Mac Tradecraft and Vulnerability Research for Operators.
All students receive coins. Here is a quick preview thanks to
@BlakeMoorhouse
Sign up here:
Just merged in the ability to search based on a provider name as well as by its GUID. The tool will also report if EtwRegister() or EventRegister() is imported, which should help hone in on which image is the true event source.
@byt3bl33d3r
Yep! For example, Sysmon is registered at 385201, which is one of the ways that Shhmon locates it in case the default name has changed. While these altitudes are registered with MSFT, they aren't enforced. The mini filter can be moved to a different altitude that isn't taken.
Features:
- x86 & x64 support
- Recursive import search (dependency walker)
- No external requirements (no PeNet!)
- Written entirely in C# for easy deployment via C2
My intent with the post is to put out documentation for Mimidrv, but also show some of the specifics of why operating in the kernel is so powerful and demonstrate the practical application through existing tooling. 2/3
There are tons of other applications for binary analysis due to how powerful Neo4j's pathfinding capabilities are. Huge thank you to
@xpn
for the inspiration,
@cptjesus
for helping with Cypher, and
@markus_pieton
for helping shift my approach to collection ❤️
I'll pose another question: To the pentesters/red teamers/developers who voted for "no alert" or "no telemetry", how are you evaluating that? Are you using some EDR analog (ex. procmon) for telemetry identification? How are you determining if an alert was fired?
@h0mbre_
@subat0mik
I've worked in both types of shops and have noticed that, for me, having ownership of the process and the outputs leads to more motivation to work on side projects. When I worked at places that controlled the outputs, I felt a sense of "why bother" since they'd either be sold 1/2
@h0mbre_
@subat0mik
go uncredited, or filled with marketing cruft that would water it down. I think it may be warranted in some ultra-specific cases, but overall I think employer's who attempt to control their employees' personal projects/publications are making the wrong call. 2/2
When WorkFolders.exe is called with no parameters, it launches control.exe from whatever location in its search path (malicious or not) with the arguments "/name Microsoft.Workfolders" 3/3
@FabrePierrejean
@nostarch
The planned release date is October 31 of this year. Each chapter of the book dives deep into the internals of how a sensor works before covering anything about evasion.
@_SledGoes0x90
You commonly would compile the project and then feed it to your C2 that supports in-memory execution of .NET assemblies (e.g. Cobalt Strike's execute-assembly). If you're interested in how that works,
@domchell
wrote a great post on it a few months ago.
@HackingLZ
Yep, 10000%. There's value in both approaches based on what the client is trying to get out of the engagement. Attack surface/path identification? You absolutely have to test externally. Detection and response improvements? Then we should talk about assumed breach as an option.
@ionstorm
@FuzzySec
Great work! Just bear in mind that those method/struct names are modifiable by setting the EntryPoint in DllImport to the true name and renaming the function or changing the struct name in Win32.cs to something random.