Today I am pleased to announce the release of a code analyser I’ve been working on in my free time - wSAST
wSAST aims to make code analysis easier for application security consultants by providing tools to graph relationships, find paths between functions,
I recently stumbled upon the code I had written for the Crystal Anti-Exploit Protection product back in 2011-2012 and decided to make it public! There’s lots of stuff in there for any fans of exploit dev/reversing/low level windows! Check it out:
Finally got this exciting new evasion technique working in Nighthawk! Had it working as a PoC for a while but now it seems stable enough for inclusion! Haven’t seen it done before and think the impact could be huge! 🥳🥳 more details soon hopefully!
Thanks everyone who messaged me wrt the #libssh bug! The root cause is that the libSSH server and client share a state machine, so packets designed only to be processed by and update the client state can update the server state. Auth bypass is the most obvious effect...
At long last! We are finally able to release some of the R&D we’ve been working on @MDSecLabs! Getting some of this working twisted my brain into a pretzel on more than one occasion so glad it all panned out ok in the end! 🤯
Pretty nice technique that we came up with to hide Nighthawk in memory, it was a little more fiddly for x86 but got that working in the end too; since @ilove2pwn_ released the details here is an implementation
The awesome work for this one lies squarely with @x86matthew - amazing work and excited to add this to Nighthawk along with some other great new capabilities over the coming weeks!
I can’t believe it’s been a year at @MDSecLabs already! It’s been a year full of interesting work, development projects and insight into the Red Teaming world the likes of which I wouldn’t have received anywhere else. Do what you love and you never work a day in your life!
I finally finished this release. Lots of improvements and fixes. I hope to soon start releasing some tutorials and videos on how to get the most out of wSAST! I also hope to talk about it at an @IOActive hack soho event in the new year!
wSAST v0.1-alpha (release date 18-12-2023) is now public!
This release contains support for annotation-based rules, and support for filtering entry points when launching scans, as well as several important improvements to path finding and rule matching.
.NET inline-assembly is better than execute-assembly if you don't want a sacrificial process but it drops so many indicators in the memory. These were found within a sleeping beacon and the ETW had been patched prior to execution. Thanks to @peterwintrsmith for guidance.
With his ability to stealthily get into houses, Santa is a natural red teamer, which is why he’s giving you the gift of offensive security!
Register now for a free training course on Microsoft Office tradecraft, taught by @StanHacked and @ptrpieter
First solo on the electric ukulele (yes they exist 😂) perhaps a little ambitious - not sure whether Van Halen would approve! I’ll check back in in a few months! 😆
... but the entire state machine is flawed here so there may be other, more subtle, methods of exploitation. So I most definitely recommend updating all libSSH services, even those not directly vulnerable to the auth bypass.
@domchell @modexpblog Hard to show in a screenshot but Moneta gives it a completely clean bill of health. And as an added bonus a strings search of memory shows no C2 traffic residue etc. Finally getting there!
@_xpn_ … do that was one of the reasons I joined @MDSecLabs. I realised that by its very nature pure consulting for me is quite depressing because no matter how hard you work the output is forgotten weeks after you finish. I have to be working on something lasting to stay happy.
After almost 2 years of working on NimPlant as a personal side project, I’m proud to release it to the public! NimPlant is a light-weight, first-stage C2 implant written in Nim, with a supporting Python server and Next.JS web GUI.
Available here now! 👇
@ilove2pwn_ …had implemented both independent of anything publicly released. We also have a few variations on this technique not using timers and have it working nicely for x86 in more recent versions. Motivates me to keep researching anyway - it’ll always be a race against analysis
I couldn’t recommend working at @MDSecLabs highly enough! Great company, work environment and peers! I encourage anyone on the fence about a change to consider!
@ilove2pwn_ I thought it was a pretty good idea when I came up with it; I’m not the first person to use NtContinue() to make API calls but there was a nice benefit using timers which I hadn’t seen used - no chain of waiting funcs like APC, no messy stack like ROP etc though we previously…
@_xpn_ I have unlimited enthusiasm for certain types of research (those types do evolve) but I was in a serious motivational slump between 2013-2020 which I realised was due to not having a purpose in my research. Having my own project separate from work helped a lot and the freedom…
@lpha3ch0 Just compile it with symbols and load into windbg, it should find the symbols automatically but if not you can set the path to them using .sympath+. Then run the command “ln xxx” to list the symbols closest to the address xxx of your bad bytes
@ilove2pwn_ I think this will do really well as a lot of RTs still use or want to stick with CS but don’t have the skills in-house to customise it sufficiently to make it viable against hard targets. Sounds great!
One thing I am looking forward to when Nighthawk finally reaches a fixed point (agent extensibility, open API, open source reference beacon) is being able to churn out new techniques and variations for our evasions in real-time, it’ll provide a lot of value to customers and…
Day off work today means only one thing - electric uke time! 🎸 after many failed attempts I realised the riff below (from sweet child) sounds wrong when played first hand, and ok when played back! So I just hope for the best 😂
Thank you to everyone who showed up last night to hack::soho! And a special thanks to Peter for his presentation. Check IOActive’s YouTube channel in the next few weeks to catch the presentation for anyone who wasn’t able to make it.
Curious about what's happening in the Windows Kernel after a Syscall?
I just wrote this post following the workflow from the Syscall instruction to the target kernel routine ⬇️
Thanks again to @Set_hyx for the proofreading!
I really enjoy teaching private classes! Even if you're just a small group (min. 4), willing to travel to Belgium, we can make it happen! I still have some timeslots in November & December. DM if interested @corelanconsult #windows #exploitdev #corelan #nevergiveup
Just completed another Nighthawk customer webinar. Great to engage with the #Nighthawk community, even if they do heckle my slides for using Comic Sans 😅
Here is the RefleXXion. It is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc.
Thank you @peterwintrsmith for sharing this technique.
Just finished Adversary Simulation and Red Team Tactics training by @MDSecLabs. Amazing course, would highly recommend; interesting lab content as well as great instructors (@domchell, @_xpn_, @0x09AL)
Excuse the promotional tweet, this capability has been frying my brain for the past few weeks and I’m so happy I hopefully won’t have to look at it again 😂
@MichaelJRanaldo @MDSecLabs @irsdl Haha Soroush is one of our biggest proponents of the petemoji cause and this show of dedication may push him into the Sacred Council of the Petemoji 🏅
@AnubisOnSec I would do something ambitious and meaningful for yourself outside of just consulting work for your employer; you may enjoy that but it’s so ephemeral and it’s never something you own. Having my code analyser side project greatly lifted my own mood and productivity!
@5m00v Hey mate! Honestly probably not but I think it’s a good learning project and involves a lot of interesting tangents such as the user/kernel mode boundary and how Windows works under the hood. The only novel thing I’ve seen in the past few years is the address sorting trick
@N1ckDunn Yeah thanks mate you’ve borne the brunt of my mandatory lectures on what I’ve been doing and how it works under the hood 😂 appreciate it mate, the support and the ideas, and endless enthusiasm for it, it all helps me keep going! I should give @NullMode_ a shout out too for bearing
@domchell @modexpblog And as a peek at our gitlab shows the fun has only just begun! So many more ideas for extensibility, opsec and evasion and features in the pipeline!
I had an idea for @wsastsupport - I might write a “parser” that allows you to specify language components in a regex form (how to extract a class name, method, statements, expressions, etc.) and have wSAST look up based on the source file extension how to do this “light” form of
Just want to give a shout-out to @hackedpodcast these guys make cybersecurity highly entertaining and can tell a great story! Definitely one of my favourite podcasts in the space.
I don’t tweet often but this book deserves a shout: Engineering a Compiler by Keith Cooper and Lisa Torczon. It’s so well written that reading it made me wonder why I ever struggled to understand parsing algorithms!
@techspence It’s not exactly an EDR but @morphisec have some interesting ideas and are steering things more in the direction I’d like to see them go (from the perspective of actually making half an effort to trap malicious code)
@rad9800 @domchell @C5pider Oh we have some great stuff coming in 0.2.1! As for sleep encryption we have a handful of alternative approaches not yet integrated, and some bypasses for the existing detection ideas for tp timers and waits. I don’t see us running out of ideas any time soon! 😎
In our final blog post of 2020, @modexpblog catalogues a variety of methods for bypassing user-mode hooks for red teams. We'll be back in 2021.... #happynewyear
New episode! Patriotic hackers, the Chinese military, industrial espionage, online heists, and the civilian side of China’s hacking program. This is the story of Wicked Rose, the Network Crack Program Hacker Group & part two of our China hacking series.