FUD UAC Bypass on an MDE Protected Endpoint via Profiling DLL
“The .NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10.”

Our team is quite impressed with the amount of operationalized counter cyber intelligence (CCI) we are able to distill from our data after the Cyber Fist search upgrade. MDE has done a pretty good job mitigating UAC bypasses, but we were able to use a technique found using Cyber Fist that ran FUD. Full details can be found below:

Blog1: https://3gstudent.github.io/Use-CLR-to-bypass-UAC
Blog2: https://offsec.almond.consulting/UAC-bypass-dotnet.html

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

5/16/2021 DLL Function Proxying

I started playing with this technique after finding a fair bit of intel within our dataset while testing our new search interface (internal tool). For those that aren’t familiar with this vector, a malicious DLL replaces the functionality of a legitimate DLL, proxying the legitimate functionality and executing malicious code (in this case shellcode). While we did test this on an MDE protected endpoint, some assumptions were made: the FileZilla client (latest version) would have to be installed, and a UAC bypass was needed to access Program Files. Regardless, the point was just to investigate how function proxying works so that a more comprehensive vector could be developed.
SharpDllProxy: https://github.com/Flangvik/SharpDllProxy

5/9/2021 Cyber Fist: Fuzzy Search
Building New Data Tool: Cyber Fist

Cyber Fist adds fuzzy search capability across a big chunk of our dataset. While still in early development, it’s clear how much additional knowledge it can unlock which, until now, has been buried deep inside our Neo4j dataset. Cyber Fist will integrate with our automation’s Hunter module, allowing for simultaneous research and the reshaping of data. It’s funny how crisis can fuel critical innovation, as was the case here.
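The profiling-DLL mechanism quoted in the UAC bypass post above relies on a per-user environment variable and a per-user CLSID registration that the CLR honours even in an elevated process, so both leave registry writes that endpoint telemetry can catch. The following triage script is an added example, not code from the original posts or the linked blogs; it assumes Sysmon-style registry value-set events with TargetObject, Details and Image fields, the sample events are constructed, and the trusted-directory list is a heuristic for where a legitimately installed COM server usually lives.

```python
import re

# Value names the CLR reads to decide whether to load a profiler DLL
# (Microsoft-documented for the .NET Framework and .NET Core profiling API).
PROFILER_VALUES = {
    "COR_ENABLE_PROFILING", "COR_PROFILER", "COR_PROFILER_PATH",
    "CORECLR_ENABLE_PROFILING", "CORECLR_PROFILER", "CORECLR_PROFILER_PATH",
}
# Per-user environment block and per-user COM class registration, as Sysmon
# event 13 (RegistryEvent, value set) renders them: HKU\<SID>\...
ENV_RE = re.compile(r"^HKU\\[^\\]+\\Environment\\([^\\]+)$", re.I)
CLSID_RE = re.compile(r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\(\{[0-9a-f-]+\})"
                      r"\\InprocServer32\\\(Default\)$", re.I)
# Heuristic (assumption): where a legitimately installed in-proc COM server lives.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def trusted_path(path):
    p = path.strip('"').lower()
    if p.startswith("c:\\windows\\temp\\"):  # user-writable despite being under Windows
        return False
    return p.startswith(TRUSTED_DIRS)

def triage(event):
    """Return a finding for one value-set event, or None if it looks benign."""
    target, details, image = event["TargetObject"], event.get("Details", ""), event["Image"]
    m = ENV_RE.match(target)
    if m and m.group(1).upper() in PROFILER_VALUES:
        return f"user env var {m.group(1)} set to {details} by {image}"
    m = CLSID_RE.match(target)
    if m and not trusted_path(details):
        return f"per-user COM server {m.group(1)} points to {details} (set by {image})"
    return None

def triage_all(events):
    return [f for f in map(triage, events) if f]

# Constructed sample events (not real telemetry), Sysmon event 13 style.
USER_HIVE = r"HKU\S-1-5-21-1-2-3-1001"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "Details": "1",
     "TargetObject": USER_HIVE + r"\Environment\COR_ENABLE_PROFILING"},
    {"Image": r"C:\Windows\System32\reg.exe", "Details": r"C:\Users\alice\AppData\Local\Temp\prof.dll",
     "TargetObject": USER_HIVE + r"\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)"},
    {"Image": r"C:\Program Files\Vendor\setup.exe", "Details": r"C:\Program Files\Vendor\com.dll",
     "TargetObject": USER_HIVE + r"\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32\(Default)"},
    {"Image": r"C:\Windows\explorer.exe", "Details": r"C:\Users\alice\bin",
     "TargetObject": USER_HIVE + r"\Environment\Path"},
]
```

Running `triage_all(SAMPLE_EVENTS)` flags the profiler environment variable and the CLSID pointing into a user temp directory, and stays quiet on the vendor installer and the PATH edit.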