​Leaking Kernel Memory from User Space Using NtQuerySystemInformation as a Low Priv User

I read an interesting blog (found below) on exploiting an Arbitrary Write NULL vulnerability which utilized NtQuerySystemInformation as a low privilege user to leak SYSTEM addresses/pointers (handle information). Finding this interesting, I turned to ASATA to see how prevalent this API call was in privilege attacks - extremely! Now I wanted to test this for myself, I wanted to see how a low privileged user could access kernel memory (handle/object data) from user space, using NtQuerySystemInformation and the SYSTEM_HANDLE_INFORMATION structure.
 
I used ASATA to search for some suitable called versions of NtQuerySystemInformation (either in CPP or C#), finally settling on a function found in Jean-Francois’s SharpHandler (found below). After creating my binary, I had a look at what MDE saw and interestingly enough, there was a benign warning for anomalous memory allocation "NtProtectVirtualMemory," but no alerts (possible detection opportunity for this kind of attack). Knowing that I hadn't imported this function, it looks like NtQuerySystemInformation calls NtProtectVirtualMemory to change memory permissions and allow access from user space to kernel memory. I tried to confirm this with WinDBG but it is almost unusable since upgrading to Windows 11 – buggy!
 
In the video I show you how I rapidly investigated the prevalence of this technique, quickly assembling a binary utilizing ASATA’s ability to search over a million offensive functions, show the results of my binary contrasted against ProcessHacker and then have a look at the binary in MDE's timeline.
 
Write Null (blog): https://wafzsucks.medium.com/hacksys-extreme-vulnerable-driver-arbitrary-write-null-new-solution-7d45bfe6d116
 
Listing Open Handles and Finding Kernel Object Addresses (Blog): https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland
 
SharpHandler: https://github.com/jfmaes/SharpHandler
 
Undocumented SYSTEM_HANDLE_INFORMATION: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle.htm
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*New Signal: Visual Studio Cobalt Strike BOF Template - Visualized by ASATA* ASATA has become interested (because of growing human momentum) and ingested a repo (securifybv/Visual-Studio-BOF-template) which streamlines the offensive extensibility of Cobalt Strike through templating Beacon Object Files, or BOFs. ASATA has profiled Windows functions and parameters within these templates and example code by MITRE ID type, articulating the different offensive behaviors they represent. The recent (~1 year) trend of porting Windows tradecraft to BOFs is making tradecraft more accessible to less sophisticated operators – this repo exemplifies that. Some of the very same COM interfaces we have been investigating (based on ASATA offensive trend analytics) have been put into this template’s example functionality. Something we learned while investigating this repo is the ability to utilize a COM interface (IAppIdPolicyHandler) to enumerate AppLockerPolicy, instead of PowerShell Get-AppLockerPolicy.  This is actually a quite obscure tactic (in our dataset anyway) as we only show one instance of it while searching across a million offensively called Windows functions.
 
BOF Templates: https://github.com/securifybv/Visual-Studio-BOF-template
 
AppLocker Policy Enumeration in C (Blog): https://ntamonsec.blogspot.com/2020/08/applocker-policy-enumeration-in-c.html
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

CoCreateInstance is a pivotal API in the creation of COM objects. When used maliciously and with various parameters (referencing different interfaces), functionality that resides in things like TaskScheduler, BITS, WMI, etc can be accessed via COM and used for things like persistence and privilege elevation. Below, some links to the documentation for the interfaces we see accessed frequently in offensive tools.
 
ITaskScheduler: https://docs.microsoft.com/en-us/windows/win32/api/mstask/nn-mstask-itaskscheduler
 
IFileOperation: https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ifileoperation-copyitem
 
IBackgroundCopyManager: https://docs.microsoft.com/en-us/windows/win32/api/bits/nn-bits-ibackgroundcopymanager
 
IWbemLocator: https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nn-wbemcli-iwbemlocator
 
Creating an Object with COM:
https://docs.microsoft.com/en-us/windows/win32/learnwin32/creating-an-object-in-com
 
HD Video: https://youtu.be/T6wLOVepnAA
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Rabbit Hole: Looking into COM-Hijacking, I got lost down a rabbit hole and learned some cool things about CoCreateInstance which is utilized within offensive tooling to load COM objects and also access WMI functionality. In this video I will be using the analysis tools WinDbg, ASATA & ProcMon to check out some aspects about offensive COM usage.
 

1. I started exploring the signal: SolomonSklash/COM-Hijacking which targets Windows binary getmac.exe.(https://github.com/SolomonSklash/COM-Hijacking)
2. getmac.exe initially looks for COM Object CLSID: 4590F811-1D3A-11D0-891F-00AA004B2E24 first in registry key HKCU, then moves onto HKCR (here is the hijacking opportunity).
3. Navigating to HKCR, a sub entry of InprocServer32 loads a binary object wbemprox.dll (this is the legitimate dll which can have its functions proxied by an implant dll).
4. I wanted to watch getmac.exe call CoCreateInstance so I set a breakpoint in WinDbg and looked for a CLSID match of: 4590F811-1D3A-11D0-891F-00AA004B2E24 (the COM object above being searched for in the registry keys). (https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cocreateinstance)
5. With ASATA, I’m able to search 1,000,000+ offensively called, Windows functions and parameters, so I wanted to see how prevalent CoCreateInstance is within offensive tooling and how it is being called.
6. This finally led to exploring how to access WMI through COM and exploring the IWbemLocator interface. (https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nn-wbemcli-iwbemlocator)

 
I’m hoping some of these linked resources can be useful jump-off points. Much more to explore…
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
​

*Module Overloading /Phantom DLL Injection: Totally Undetected by Defender for Endpoint* Our automation has noticed an interesting signature (NtCreateSection + SEC_IMAGE) trend over the last 12 months. Offensive Security Tools are leveraging a type of process hollowing called Module Overloading, or Phantom DLL Injection which have OpSec advantages like using a payload with legitimate file backed memory; in this case a Microsoft signed module (BingOnlineServices.dll). Another operator advantage is negating the use of classic +RWX memory protections, instead assuming the protections of the legitimate dll. Below you can find some OST’s we are tracking that leverage the NtCreateSection API call + SEC_IMAGE flag.
 
process_ghosting: https://github.com/hasherezade/process_ghosting
 
process_doppelganging: https://github.com/hasherezade/process_doppelganging
 
phantom-dll-hollower-poc: https://github.com/forrest-orr/phantom-dll-hollower-poc
 
DInvoke: https://github.com/TheWover/DInvoke
 
Blog Post: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Proxy Command Execution/DLL Injection Via SyncAppvPublishingServer.vbs > PowerShell > rundll32 > Bad.dll vs Microsoft Defender for Endpoint* This builds off a post I did yesterday, a colleague of mine () commented and asked about the above vector and endpoint detections. I tested the above vector without MDE protection just to see the mechanics and then secured with MDE. You can find the resources I used to facilitate this attack, below.
 
DLL: https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab6/ShellcodeInjectionDll/ShellcodeInjection.cpp
 
 
SyncAppvPublishingServer.vbs: https://mp.weixin.qq.com/s/Ud7TbeMJb8fsRlaGHWhBww
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*PANDEMIC Counter Cyber Intelligence Automation* Neo4j – Elastic – Custom Automation - Our next generation product ASATA will be powered by PANDEMIC counter cyber intelligence automation. We have put together a bit of a video to showcase some of the backend capabilities as we are using it to apply for a cyber security accelerator, cohort intake this fall. I thought it would be cool to share this information with our awesome followers as well. We really do appreciate all of you!! Great things are coming very soon!!
 
(Whitepaper): https://www.cybermongol.ca/uploads/1/1/9/8/119816416/cyber_mongol_counter_cyber_intelligence.pdf
 

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
 

FUD UAC Bypass on an MDE Protected Endpoint via Profiling DLL

“The .NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10.” Our team is quite impressed with the amount of operationalized counter cyber intelligence (CCI) we are able to distill from our data, after the Cyber Fist search upgrade. MDE has done a pretty good job mitigating UAC bypasses but we were able to use a technique found using Cyber Fist that ran FUD. Full details can be found below:
 
 
Blog1: https://3gstudent.github.io/Use-CLR-to-bypass-UAC
 
 
Blog2: https://offsec.almond.consulting/UAC-bypass-dotnet.html
 
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
 
 
 

*DLL Function Proxying* I started playing with this technique after finding a fair bit of intel within our dataset, while testing our new search interface (internal tool). For those that aren’t familiar with this vector, a malicious dll replaces the functionality of a legitimate dll, proxying legitimate functionality and executing malicious code (in this case shellcode). While we did test this on an MDE protected endpoint, some assumptions were made. FileZilla client (latest version) would have to be installed and a UAC bypass needed to access program files. Regardless, the point was just to investigate how function proxying works so that a more comprehensive vector could be developed.
 
 
SharpDllProxy: https://github.com/Flangvik/SharpDllProxy
 

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Building New Data Tool: Cyber Fist* Cyber Fist adds fuzzy search capability across a big chunk of our dataset. While still in early development, it’s clear how much additional knowledge it can unlock which until now, has been buried deep inside our Neo4j dataset. Cyber Fist will integrate with our automation’s Hunter module, allowing for simultaneous research and the reshaping of data. It’s funny how crisis can fuel critical innovation as that was the case here.
 

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Warning CVE-2021-26868 Publicly Available Exploit Code* Our Counter Cyber Intelligence (CCI) Automation has just ingested exploit code that targets a Windows Graphics Component and injects shellcode into winlogon.exe, resulting in SYSTEM level privilege escalation. Below, we test the base exploit (injects cmd.exe) and then modify it to inject a Covenant C2 implant with SYSTEM-level integrity. Microsoft has released a patch for this vulnerability Mar. 9th and can be found in the follow-on resources below.
 
Exploit: https://github.com/mavillon/CVE-2021-26868/blob/main/CVE-2021-26868/exp/exp.cpp
 
MS Security Guidance: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26868
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Exploiting CVE-2021-26415 on Windows 10 for Privilege Escalation* Working with an interesting vector today which leverages crafting a malicious .msi package and utilizes a symlink attack, resulting in the creation of a new local user and adding them to the local administrators group. The user creation is triggered when someone launches an administrative PowerShell session and the command (net user FooBar P@ssw0rd /add ; net localgroup Administrators FooBar /add ) is loaded from “C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1”. This vector has been patched by Windows updates on 2021-04-13. All pertinent info can be found below:
 
PoC Author writeup: https://www.cloaked.pl/2021/04/cve-2021-26415/
 
BaitandSwitch Tool: https://github.com/googleprojectzero/symboliclink-testing-tools
 
Privileged File Operation Abuses: An introduction to privileged file operation abuse on Windows - Almond Offensive Security Blog
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​Both failure and experimentation have been instrumental in developing my offensive tradecraft skills. While not a red teamer by trade (I am an intelligence tool builder), being able to recreate tradecraft has always been important, validating the signals being generated from the automation that I build. One facet of our cyber intelligence, or counter cyber intelligence (CCI) to be more specific, are the detailed mappings of social structures within the commoditized exploit tool ecosystem. These data structures have the ability to anticipate which exploit tools and tradecraft may be combined with another, possibly being disparate at a surface glance but connected within our dataset by way of social, developer or technical relationships. It is these possible tradecraft combinations that then fuel our experimentation to ground-truth how the signals would behave if combined together. This writeup has been fueled by just such a scenario as we explore building a dropper that can bypass UAC (User Account Control) and persist through WMI, turned into shellcode and injected into a remote process. Testing was conducted on a Windows 10 box and with MDE (Microsoft Defender for Endpoint) installed, BlockMode and Automated Investigations enabled. While the attack was fully executed, MDE automated investigations caught up with us and eventually killed our fun. This is the story.
 
Lately, we have been zeroing in on a part of the kill chain that transpires right after an initial access event (like malicious macro downloads payload) has taken place and then finishing right before lateral movement. It is within this scope that we will operate for this writeup and build a dropper that will automate all aspects of the attack. Three months ago, many of our signals related to UAC bypass ran FUD (fully undetected) when tested on endpoints protected by MDE. As of late, Microsoft has stepped up their detection game and getting a FUD UAC bypass on an MDE protected endpoint, is difficult. In an attempt to combat this newfound blue team’s strength, we decided to build our exploitation logic so that it could be turned into shellcode via donut.exe (“Generates position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory”) and injected into various processes. Ultimately, the injected offensive logic is able to download additional payloads, bypass UAC, install WMI persistence and callback to Covenant C2 as NT AUTHORITY\SYSTEM. 

​

​Slippery.exe:
Slippery.exe’s primary purpose is to be turned into shellcode and injected into WmiPrvSE.exe, via process hollowing. It’s exploit logic is that of a dropper / UAC Bypass which executes an attack chain, culminating in SYSTEM level persistence. Let’s walk through some of its code.

​Slippery.exe Functionality:
Slippery.exe establishes HTTPS connections with ngrok and leverages the curl.exe binary found preinstalled in Windows 10, to download its payloads.

1. Using the command "ngrok http file:///C:\Users\user\Downloads" exposes an attacker's local file system (housing payloads to be downloaded) and makes payloads accessible from the public internet.
2. The https address that is created for the ngrok tunnel is then put into the C# code as a process start argument for curl.exe.
3. The process curl.exe is created with “process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden” to specify not to create a window with the starting of the process.

File Drops:
Slippery.exe has two defined download paths where it will drop files to disk:

1. C:\Users\Public
2. C:\Windows\System32\spool\drivers\color

Slippery.exe itself is executed within C:\Users\Public\Downloads, additionally downloading the file ClipEvent.ps1 to the same directory and then dropping files fontdrvx64.exe and wscRGB.ps1 to a user writeable folder contained within C:\Windows\System32\spool\drivers\color\. The files fontdrvx64.exe and wscRGB.ps1 are the persistence payloads that are called by a WMI event subscription, which we will describe below. The thinking here was that if our UAC bypass was flagged (but not blocked from executing), MDE would articulate all associated processes, files and corresponding locations, triggering a human investigation of the affected items. In order to try and deceive the investigators and keep the persistent C2 channel active, Slippery.exe tries to break that clear investigation linkage by downloading the initial stages to the first path, downloading the persistence payloads to the second path and then attempting to obfuscate their execution relationship which will also be discussed below. Choosing the user writable subfolder within system32 was a good hiding spot before, but is now detected by MDE and in our case, initiated an automated investigation that inevitably led to the automation discovering and neutralizing the persistence payloads. The irony wasn’t lost on us that in actuality, it was this automated investigation that got us burned. Afterwards, I was thinking to keep all payloads together in Public\Downloads and then during WMI persistence execution (as SYSTEM), moving the WMI payloads into the protected folder to not raise the same alert. 

​The UAC Bypass:
Leveraging the native binary fodhelper.exe, Slippery.exe will bypass UAC by exploiting odd behaviors found within fodhelper.exe. This native binary is an "auto-elevated" binary and will look for additional process creation arguments, should certain registry keys exist. If those keys are created, fodhelper.exe will execute the command value which is contained within one of those keys (high-integrity context), thereby bypassing UAC. We wrote some very basic C# code to exploit this vulnerability which was based on trending vectors, articulated within our CCI dataset. The bypass code achieves the following:
​

1. Create subkey: CurrentUser\Software\Classes\ms-settings\Shell\Open\command
2. Set Value DelegateExecute: ""(blank)
3. Set Value (Default) "": C:\Users\Public\Downloads\ClipEvent.ps1
4. Start process fodhelper.exe with hidden window

Persistence & Hiding Execution Relationships:
So, this method was really about dismantling the forensic relationship between the initial execution and the persistence mechanism because we knew the UAC bypass method would get flagged. In the end, we were caught on the decision to write to a protected folder as an unprivileged user, coupled with the UAC bypass that indeed was flagged. None the less, we feel this strategy applied slightly differently could be highly effective and run FUD. The exploit logic for persistence will be discussed in two parts; the initial part that registers the persistence and then the second part which details what the persistence does.
 
Persistence Logic (ClipEvent.ps1):
To gain persistence on this endpoint ClipEvent.ps1 opted for an old favorite and that was a WMI event subscription. One difference here is that we decided not to use mofcomp.exe to register an event subscription as that vector is detected by MDE, now. Instead, we crafted a PowerShell approach which did the following:
​

1. Create an Event Filter for ProcessStartTrace on process rdpclip.exe
2. Create a CommandLineEventConsumer which would launch a PowerShell Script
3. Create FilterToConsumerBinding

​Persistence Payload Logic (wscRGB.ps1):
wscRGB.ps1 is a tiny script that is meant to start the process injector (fontdrvx64.exe) which injects Covenant C2 implant shellcode as NT AUTHORITY\SYSTEM. Its secondary function is to delete the initial files that were dropped to Public\Downloads.

​Execution Relationship Obfuscation:
Our idea was to download the first process injector (containing the UAC bypass) and the first ps1 script (responsible for WMI persistence) into Public\Downloads and the second injector (Covenant implant) and ps1 script (WMI payload for the CommandLineEventConsumer) into a user writable folder, within system32. The rationale was that if our UAC bypass was alerted on, investigators would have a harder time connecting the dots between it and the resulting process injection, stemming from a sub folder in system32 with no clear execution linkage. We broke up the execution relationship by not passing execution directly from the process responsible for bypassing UAC (Slippery.exe’s logic injected into WmiPrvSE.exe) and registering WMI persistence. Instead, Slippery.exe would initially kill process rdpclip.exe (in case it was already active) and then at the end of its logic, start rdpclip.exe which would then trigger the WMI permanent event subscription, therby firing the second injector connecting back to the C2 as SYSTEM. Remember, part of the WMI payload’s logic (wscRGB.ps1) was to delete ClipEvent.ps1 (registers the WMI event subscription) which would clearly articulate the directory of the WMI payload to be executed by the “CommandLineEventConsumer.” That being said, defenders could still see the resulting WMI payload location by inspecting tools such as ScriptBlock Logging or the AMSI content output in MDE (shown below). Additionally, due to the fact we got lit up for dropping a file to a protected folder which was user writeable, the automation was able to see the injected process (Dropper/UAC bypass) WmiPrvSE.exe now connected with the WMI payloads in system32 we were trying to obfuscate (also shown below).

Process Injector (Process Hollowing (fontdrvx64.exe & SM.exe))
For the injector we used a modified version of a payload discussed at Defcon 27, “Writing custom backdoor payloads with C#,” which can be found below. Both fontdrvx64.exe and SM.exe were identical injectors, except for the shellcode that they injected. SM.exe was responsible for injecting the initial dropper/UAC bypass and fontdrvx64.exe was the persistent injector hidden within “C:\Windows\System32\spool\drivers\color\, responsible for injecting the Covenant implant.”

(defcon27_csharp_workshop/2.cs at master · mvelazc0/defcon27_csharp_workshop · GitHub)

​Conclusions:
In this round of experimental testing, MDE really ate our lunch for us but we learned quite a bit. Some key takeaways are as follows:
 

1. C:\Windows\System32\spool\drivers\color\ is not a safe zone anymore
2. Accessing that protected folder after WMI execution (as SYSTEM) may have neutralized that alert
3. The creation of registry key: CurrentUser\Software\Classes\ms-settings\Shell\Open\command is heavily monitored by MDE and a great detection point for this specific UAC bypass
4. Use more reflection rather than on-disk payloads :)
5. As always, keep experimenting and have fun!

​*Why Regular Antivirus is not Enough: A Roll-Your-Own UAC Bypass vs Regular AV & MDE* Building a UAC bypass in C# that leverages fodhelper.exe and right off the bat, it bypasses regular AV. When executed against MDE, the bypass gets about two seconds of life. MDE detects on the behavior associated with changing the registry values which are needed for this bypass. It goes to show you why just regular AV isn’t enough these days. Some neat things coming up to try with this bypass, with the intent to get it to run FUD against the MDE. We jumped off these codes found below:
 
UAC bypass 1:
https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692
 
UAC bypass 2: https://github.com/0xyg3n/UAC_Exploit
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*C# Dropper: Attack Chain Fully Executed + Detailed Blue Perspective of the Attack Timeline (MDE BlockMode Auto Investigations)* We got the dropper almost there with only one detection on the UAC bypass which MDE wrongly classified as blocked. This itself was a bit of a battle as MDE completely blocks the stock UAC bypass from executing. The incident starts with the dropper assessing the executing process’s SID and escalating if not Administrator, dropping files to disk via ngrok (https), injecting shellcode for the first C2 callback in high integrity and then installing WMI persistence with ProcessStartTrace on WinStore.app.exe, which injects shellcode and calls back to the C2 as SYSTEM, every time the Windows store is launched. We modified and utilized the commoditized tooling found below (unmodified versions).
 
0xyg3n/UAC_Exploit: https://github.com/0xyg3n/UAC_Exploit
 
EDRGoesBrrr: https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs/DemoDInvokeLoader
 
donut: https://github.com/TheWover/donut
 
Covenant: https://github.com/cobbr/Covenant
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*C# Dropper, D/Invoke Direct System Calls + Shellcode Injection* Round 2 with an edited version of Jean-Francois Maes’s code (EDRGoesBrrr) which utilizes the direct system call functionality. This functionality can be very broadly defined as retrieving a syscall number for a Windows function (located on disk from within ntdll.dll) and then placing that corresponding syscall number on the eax register and entering the kernel directly. By not having to use the Windows function located within ntdll.dll, it is possible to bypass EDR hooks that may be present in that corresponding function – you go underneath the EDR’s hooks in ntdll.dll. This was then added to the dropper I am working on which tested FUD against MDE (BlockMode and Automated Investigations enabled).
 
EDRGoesBrrr-source:https://github.com/NVISOsecurity/brown-bags/blob/main/DInvoke%20to%20defeat%20EDRs/DemoDInvokeLoader
 

*C# Dropper, D/Invoke Manual Mapping(ntdll.dll) + Shellcode Injection* After a really good talk by Jean-Francois Maes, I wanted to try his code’s functionality (EDRGoesBrrr) with a dropper that I’m working on. The dropper opens an HTTPS tunnel with ngrok, downloads an edited version of his injector which leverages D/Invoke to manually map ntdll.dll (avoiding any hooks) and then injects a Covenant implant into RDP clipboard monitor. I did use the NuGet package for D/Invoke which didn’t seem to cause any problems. No alerts in MDE but there was an informational warning in the timeline regarding the parent PID spoofing. Testing was done on MDE (BlockMode + Automated Investigation).
 
 
Talk (EDR Mechanics / Evasion Techniques): Defeating EDR's using D/Invoke - YouTube

 
EDRGoesBrrr(source):brown-bags/DInvoke to defeat EDRs/DemoDInvokeLoader at main · NVISOsecurity/brown-bags · GitHub
​

*Cyber Mongol’s Adversary Tradecraft Simulator (Faza Agent): Check Privs, Elevate to High, Impair Telemetry, DLL Inject C2 Implant (High), Persist WMI(SYSTEM)* The Faza Agent utilizes Cyber Mongol’s Counter Cyber Intelligence (CCI) to pull in real, on-trend, commoditized tradecraft that tests advanced defenses. Faza will be available as an integration for Microsoft for Endpoint’s Evaluation Lab and additionally, a standalone offering.

We are still working on the mechanics of the agent and fully expected that we’d get busted by the EDR, flagging on the UAC bypass we are using. Faza’s current functionality is to check the integrity level of the process, bypass UAC, inject Covenant grunt for 1st C2 channel, disable MDE telemetry, add persistence with a WMI event subscription and then connect back to the C2 as SYSTEM, when the event subscription is triggered (starting Win store process).

 Currently, Faza is in its infancy but I thought it would be interesting to share as we build it out.

​
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

​*Step 2 - Custom FUD Dropper in C#: Privilege Escalation Logic Added* Continuing the build on the dropper that can pull in commoditized tooling that our engine sees signals on, I wrote the logic that would assess the current SID and determine if the process was in medium or high integrity. If in medium, the logic branches off and downloads a UAC bypass (commoditized tooling) before it injects a Covenant grunt, resulting in a high integrity context. The dropper ran good against standard Defender AV (undetected) but was burned against MDE EDR (medium integrity injection still worked), which was to be expected. I still have some OpSec work to do on the dropper’s UAC bypass before it is ready to tackle the big dog (MDE EDR) and run FUD.
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*Custom FUD Dropper in C#: RED/BLUE Perspectives*I wrote a custom dropper in C# that reaches back to adversary infrastructure via ngrok, downloads a DLL injector, looks for and(or) starts rdpclip.exe and then injects a Covenant C2 implant into that process. The dropper ran completely undetected and even passed two cloud delivered security scans (“Your administrator requires a security scan”). Testing was conducted against the MDE stack (AV/EDR (BlockMode AutoRemediation)).
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*Trending LSASS Dumper Paired with ngrok Exfiltration* Sensors have been observing growing human momentum behind MirrorDump which is bound to a highly amplified social structure, directly connected to other significant and effective exploit tools – making adversary adoption of MirrorDump highly probable.  MirrorDump is an LSASS dumping tool that uses a dynamically compiled LSA plugin to grab a handle to lsass and API hooking for capturing the resulting dump in memory. We paired this with our ngrok dropper from a few days ago but MirrorDump is getting flagged for signature (AV) which we haven’t rectified yet. The video shows the functionality of the dropper, LSASS dumper and the exfil of the memory dump with no endpoint protections enabled and then with the full MDE stack. With a bit more work to evade signature detections, this could be an extremely effective vector. Lastly, this would need to be paired with a Privilege Escalation to dump LSASS (we just launched from admin).
 
MirrorDump: https://github.com/CCob/MirrorDump
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Part1: 

​*Custom Dropper Using ngrok to Expose Victim Filesystem over HTTPS* Without leveraging a high integrity context, the dropper is able to download ngrok (SmartScreen normally flags this binary) and executes it in a way that makes the file system, where it was executed, available publicly through an HTTPS tunnel. We used a VBS script to kick off the dropper, making it execute the .cmd file without an output window. GotIt.txt was just simulated data to be exfiltrated but this dropper will be paired with a trending LSA dump technique, in the coming days. Testing was against Microsoft Defender for Endpoint (BlockMode + Automated Investigations) - zero detections. Advanced adversaries such as APT33, APT34 and APT 39 (sub-group of APT34) use ngrok quite skillfully, in order to meet various objectives.

FoxKitten Campaign: https://lnkd.in/eNaYvuJ

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

*Dropper to DLL Injection: Red / Blue* This is part of a larger attack-chain that I am building out and wanted to share along the way. As usual, the simulation begins right after an initial access event has transpired but before execution of the dropper. The dropper (requirements.cmd) then goes ahead and starts the rdpclip.exe process in case it’s not active, parses for the process’s PID, setup.exe injects a DLL (Covenant C2 grunt) into process rdpclip.exe and that process then reaches out to the C2. Planning to add to this – some PrivSec, impairing defenses, persistence and an obfuscated C2 infrastructure.
 
Microsoft Defender for Endpoint (EDR+BlockMode+AutomtedInvestigations) vs Dropper->Start rdpclip.exe->Find PID->DLL Injection(Implant(Medium))->rdpclip.exe->CovenantC2==Zero alerts but there is always evidence…let’s have a look.
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Today we setup an interesting simulation that tested Microsoft Defender for Endpoint in a standard deployment (without ASR but with things like BlockMode enabled), then tried out their new EvaluationLab where endpoints come hardened per Microsoft’s specs and also tested an unnamed IR team’s ability to detect based on their automation and hands-on-keyboard skills. 
​

Scenarios
After an extremely engaging conversation with a colleague who spent years in the intelligence service, I wanted to employ some of the real-world tactics that he had observed nation states utilizing. One thing that he said that really stuck with me was, “Most of the time [APTs] they will operate in Medium integrity,” as to only use as much privilege as needed to complete an objective. My colleague went on to explain that other times they will create “noise” elsewhere to distract from their real intention. It was these thoughts that inspired our testing today, we wanted to give the defense automation some exercise but also the humans that knew activity was coming and were on alert for it.
 
As with all Cyber Mongol simulations, we look to our CCI automation to let us know where there is human activity in the opensource or commoditized tradecraft ecosystem. We selected a PE injection which would memory map another process injector (utilizing callbacks) to inject a Covenant C2 implant into “c:\Windows\System32\manage-bde.exe,” which is the legitimate process for BitLocker. This would be our sneakiness to attempt to fool the skilled humans that were tasked to find us.
 
So now, if we are going to mimic the conversation I had with my colleague, we would need some loud and proud movements that would draw the human’s attention away from what we actually wanted to accomplish. We would basically try to accomplish the same goal stated above but in a high integrity context. For this we saw that UACME (very popular tradecraft for UAC bypass) had some recent additions and decided to use the following code, (https://github.com/hfiref0x/UACME/blob/master/Source/Akagi/methods/azagarampur.c). We were counting on the fact that because this tradecraft was added to a social structure with such a large social amplification, getting it noticed by the defenders would be relatively a sure thing – but also kill us for MDE automation.
 
Lastly, we wanted to test two flavors of Microsoft Defender for Endpoint. The first would be a more standard deployment with BlockMode and automated investigations enabled but not utilizing things like Attack Surface Reduction methods. The second test would be using Microsoft Defender for Endpoint’s EvaluationLab where all the defense bells and whistles are enabled by default.
 
 
Conclusions 
IR Team: The team did well at articulating the UAC bypass that injected a Covenant Grunt in high integrity but were unable to thoroughly convey our true intentions (medium integrity injection resulting in C2 comms through manage-bde.exe). They did see that the dropper interacted with the legitimate Bitlocker process from the suspect directory and reached out to our already burned IP address, instead of using something nice like proxying through an Azure/Microsoft domain.
 
Microsoft Defender for Endpoint Standard Deployment: In this configuration, Microsoft Defender for Endpoint was unable to block any execution but did articulate the UAC bypass and the PE re-mapping of manage-bde.exe. Ultimately, the automated investigation found the PE injection to be benign.
 
Microsoft Defender for Endpoint EvalutionLab Config: Full shutdown of our operation – zero execution. Well done!