CYBER MONGOL
11/28/2021

Parent PID Spoofer & injector

Parent PID Spoofer / injector: inject into ApplicationFrameHost.exe undetected by MDE's automated detection, but with the offensive behaviour articulated in the MDE device timeline. REALITY: a human defender regularly checking the MDE device timeline would be all over this tradecraft. Regardless, as usual, I learned a lot by playing with the tradecraft for myself.

Parent PID Spoofing in C# (used in the video):

https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab8/1.cs
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam 

11/21/2021

Leaking Kernel Memory from User Space Using NtQuerySystemInformation as a Low Priv User

I read an interesting blog (linked below) on exploiting an Arbitrary Write NULL vulnerability; it used NtQuerySystemInformation as a low-privilege user to leak SYSTEM addresses/pointers (handle information). Finding this interesting, I turned to ASATA to see how prevalent this API call is in privilege escalation attacks: extremely! Now I wanted to test it for myself and see how a low-privileged user can access kernel memory (handle/object data) from user space using NtQuerySystemInformation and the SYSTEM_HANDLE_INFORMATION structure.
 
I used ASATA to search for suitable call sites of NtQuerySystemInformation (in either C++ or C#), finally settling on a function from Jean-Francois's SharpHandler (linked below). After building my binary, I had a look at what MDE saw; interestingly enough, there was a benign warning for anomalous memory allocation ("NtProtectVirtualMemory"), but no alerts (a possible detection opportunity for this kind of attack). Knowing that I hadn't imported this function, it looks like NtQuerySystemInformation calls NtProtectVirtualMemory to change memory permissions and allow access from user space to kernel memory. I tried to confirm this with WinDbg, but it has been almost unusable since upgrading to Windows 11 – buggy!
 
In the video I show how I rapidly investigated the prevalence of this technique, quickly assembled a binary using ASATA's ability to search over a million offensive functions, compared my binary's results against Process Hacker, and then looked at the binary in MDE's timeline.
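The call the post describes, as an added example (editor's code; not SharpHandler and not the binary from the video): a medium-integrity C# program, without SeDebugPrivilege, that pulls the whole system handle table through NtQuerySystemInformation(SystemHandleInformation) and lists its own handles together with the kernel object address behind each one. The information class value and the SYSTEM_HANDLE_TABLE_ENTRY_INFO layout follow the Geoff Chappell page linked below; the only assumption is a Windows x86/x64 host with .NET Framework 4.5.1 or later, or .NET 6.

```csharp
// Added example (editor's code; not SharpHandler and not the binary from the video).
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

class HandleLeak
{
    const int SystemHandleInformation = 16;                       // SYSTEM_INFORMATION_CLASS value
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);

    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemInformation(int infoClass, IntPtr buffer, int length, out int returnLength);

    // SYSTEM_HANDLE_TABLE_ENTRY_INFO. Sequential layout yields 16 bytes on x86 and
    // 24 bytes on x64 because Object is pointer-aligned, exactly as the native struct is.
    [StructLayout(LayoutKind.Sequential)]
    public struct SYSTEM_HANDLE_TABLE_ENTRY_INFO
    {
        public ushort UniqueProcessId;        // only 16 bits: PIDs above 65535 are truncated here
        public ushort CreatorBackTraceIndex;
        public byte ObjectTypeIndex;
        public byte HandleAttributes;
        public ushort HandleValue;
        public IntPtr Object;                 // kernel-mode address of the object behind the handle
        public uint GrantedAccess;
    }

    // Returns the whole system handle table. The buffer is grown until the call stops
    // reporting STATUS_INFO_LENGTH_MISMATCH; ReturnLength is not reliable for this class.
    public static SYSTEM_HANDLE_TABLE_ENTRY_INFO[] QueryHandles()
    {
        int size = 0x10000;
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            int status;
            while ((status = NtQuerySystemInformation(SystemHandleInformation, buf, size, out _)) == STATUS_INFO_LENGTH_MISMATCH)
            {
                Marshal.FreeHGlobal(buf);
                size *= 2;
                buf = Marshal.AllocHGlobal(size);
            }
            if (status != 0) throw new InvalidOperationException("NtQuerySystemInformation: 0x" + status.ToString("X8"));

            int count = Marshal.ReadInt32(buf);                          // ULONG NumberOfHandles
            int entrySize = Marshal.SizeOf(typeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO));
            IntPtr first = buf + IntPtr.Size;                            // Handles[] starts after the pointer-aligned count
            var entries = new SYSTEM_HANDLE_TABLE_ENTRY_INFO[count];
            for (int i = 0; i < count; i++)
                entries[i] = Marshal.PtrToStructure<SYSTEM_HANDLE_TABLE_ENTRY_INFO>(first + i * entrySize);
            return entries;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    static void Main()
    {
        int pid = Process.GetCurrentProcess().Id;
        var all = QueryHandles();
        Console.WriteLine($"{all.Length} handles system-wide; those belonging to PID {pid}:");
        foreach (var h in all)
        {
            if (h.UniqueProcessId != (ushort)pid) continue;
            // Object is the value Process Hacker shows as the object address in its handle view.
            Console.WriteLine($"  handle 0x{h.HandleValue:X4}  type {h.ObjectTypeIndex,3}  access 0x{h.GrantedAccess:X8}  object 0x{h.Object.ToInt64():X16}");
        }
    }
}
```

The kernel copies the table into the caller's buffer, so the Object field is a kernel-mode address the program can read as a number but never dereference; that address is the piece of information the linked Arbitrary Write NULL blog uses to pick its target. Cross-check any row against Process Hacker's handle view, which displays the same address. Two caveats: UniqueProcessId is 16 bits, so processes with PIDs above 65535 collide, and ObjectTypeIndex is an index rather than a name. SystemExtendedHandleInformation (class 64) removes the first limitation, and NtQueryObject with ObjectTypeInformation resolves the second.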
 
Write Null (blog): https://wafzsucks.medium.com/hacksys-extreme-vulnerable-driver-arbitrary-write-null-new-solution-7d45bfe6d116
 
Listing Open Handles and Finding Kernel Object Addresses (Blog): https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland
 
SharpHandler: https://github.com/jfmaes/SharpHandler
 
Undocumented SYSTEM_HANDLE_INFORMATION: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle.htm
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

11/18/2021

Visual Studio Cobalt Strike BOF Template - Visualized by ASATA

*New Signal: Visual Studio Cobalt Strike BOF Template - Visualized by ASATA* ASATA has become interested (because of growing human momentum) and ingested a repo (securifybv/Visual-Studio-BOF-template) that streamlines the offensive extensibility of Cobalt Strike by templating Beacon Object Files (BOFs). ASATA has profiled the Windows functions and parameters within these templates and their example code by MITRE ATT&CK technique ID, articulating the different offensive behaviours they represent. The recent (~1 year) trend of porting Windows tradecraft to BOFs is making tradecraft more accessible to less sophisticated operators; this repo exemplifies that. Some of the very same COM interfaces we have been investigating (based on ASATA offensive trend analytics) have been put into this template's example functionality. Something we learned while investigating this repo is the ability to use a COM interface (IAppIdPolicyHandler) to enumerate the AppLocker policy instead of PowerShell's Get-AppLockerPolicy. This is actually quite an obscure tactic (in our dataset, anyway): we see only one instance of it across a million offensively called Windows functions.
 
BOF Templates: https://github.com/securifybv/Visual-Studio-BOF-template
 
AppLocker Policy Enumeration in C (Blog): https://ntamonsec.blogspot.com/2020/08/applocker-policy-enumeration-in-c.html
 

 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

11/12/2021

COM Interfaces

CoCreateInstance is the pivotal API for creating COM objects. Used maliciously, with different CLSID and IID parameters (referencing different interfaces), functionality that lives in the Task Scheduler, BITS, WMI, etc. can be reached through COM and used for things like persistence and privilege elevation. Below are links to the documentation for the interfaces we see accessed most frequently in offensive tools. One caveat on the first: ITaskScheduler (mstask.h) is the legacy Task Scheduler 1.0 interface; Task Scheduler 2.0 is reached through ITaskService (taskschd.h).
 
ITaskScheduler: https://docs.microsoft.com/en-us/windows/win32/api/mstask/nn-mstask-itaskscheduler
 
IFileOperation: https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ifileoperation-copyitem
 
IBackgroundCopyManager: https://docs.microsoft.com/en-us/windows/win32/api/bits/nn-bits-ibackgroundcopymanager
 
IWbemLocator: https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nn-wbemcli-iwbemlocator
 
Creating an Object with COM:
https://docs.microsoft.com/en-us/windows/win32/learnwin32/creating-an-object-in-com
 
HD Video: https://youtu.be/T6wLOVepnAA
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

11/4/2021

Down the Rabbit Hole with COM

Rabbit Hole: looking into COM hijacking, I got lost down a rabbit hole and learned some cool things about CoCreateInstance, which offensive tooling uses to load COM objects and also to access WMI functionality. In this video I use the analysis tools WinDbg, ASATA and ProcMon to check out some aspects of offensive COM usage.
 
  1. I started by exploring the signal SolomonSklash/COM-Hijacking, which targets the Windows binary getmac.exe (https://github.com/SolomonSklash/COM-Hijacking).
  2. getmac.exe looks up the COM object CLSID {4590F811-1D3A-11D0-891F-00AA004B2E24} first under HKCU\Software\Classes\CLSID and then under HKLM\Software\Classes\CLSID (HKCR is the merged view of the two, with the per-user key taking precedence). The user-writable HKCU key is the hijacking opportunity.
  3. Under that CLSID, the InprocServer32 subkey's default value names the DLL to load, wbemprox.dll (the legitimate DLL, whose exports an implant DLL can proxy).
  4. I wanted to watch getmac.exe call CoCreateInstance, so I set a breakpoint in WinDbg and looked for a CLSID match on 4590F811-1D3A-11D0-891F-00AA004B2E24 (the COM object being searched for in the registry keys above) (https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cocreateinstance).
  5. With ASATA, I'm able to search 1,000,000+ offensively called Windows functions and parameters, so I wanted to see how prevalent CoCreateInstance is within offensive tooling and how it is being called.
  6. This finally led to exploring how to access WMI through COM and the IWbemLocator interface (https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nn-wbemcli-iwbemlocator).
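As an added example serving both the COM Interfaces post above (CoCreateInstance and IWbemLocator) and the steps listed here (editor's code; not the COM-Hijacking repo and not getmac.exe): a C# program that resolves the CLSID getmac.exe requests the way COM does, per-user HKCU\Software\Classes first and HKLM\Software\Classes second, reports which hive answered and with which server DLL, then activates the object through a P/Invoked CoCreateInstance and calls IWbemLocator::ConnectServer on root\cimv2. The IID for IWbemLocator is the one from wbemcli.h; the program assumes a Windows host with .NET Framework 4.7.2+ or .NET 6, where Microsoft.Win32.Registry is the in-box registry API.

```csharp
// Added example (editor's code; not the COM-Hijacking repo and not getmac.exe).
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32;

class ComResolve
{
    // IID_IWbemLocator from wbemcli.h. The interface has a single method beyond IUnknown.
    [ComImport, Guid("DC12A687-737F-11CF-884D-00AA004B2E24"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    interface IWbemLocator
    {
        [PreserveSig]
        int ConnectServer([MarshalAs(UnmanagedType.BStr)] string strNetworkResource,
                          [MarshalAs(UnmanagedType.BStr)] string strUser,
                          [MarshalAs(UnmanagedType.BStr)] string strPassword,
                          [MarshalAs(UnmanagedType.BStr)] string strLocale,
                          int lSecurityFlags,
                          [MarshalAs(UnmanagedType.BStr)] string strAuthority,
                          IntPtr pCtx,
                          out IntPtr ppNamespace);   // IWbemServices*, kept raw and released below
    }

    [DllImport("ole32.dll")]
    static extern int CoCreateInstance(ref Guid rclsid, IntPtr pUnkOuter, uint dwClsContext, ref Guid riid,
                                       [MarshalAs(UnmanagedType.IUnknown)] out object ppv);
    const uint CLSCTX_INPROC_SERVER = 0x1;

    // The lookup order an in-process activation follows for a medium-integrity caller:
    // the per-user registration under HKCU\Software\Classes shadows the machine-wide one
    // under HKLM\Software\Classes (HKCR is just the merged view). Returns the hive that
    // answered and the server DLL path, or null when the CLSID is not registered at all.
    public static (string hive, string dll)? ResolveInprocServer(Guid clsid)
    {
        string sub = @"Software\Classes\CLSID\" + clsid.ToString("B") + @"\InprocServer32";
        foreach (var (hive, root) in new[] { ("HKCU", Registry.CurrentUser), ("HKLM", Registry.LocalMachine) })
            using (RegistryKey key = root.OpenSubKey(sub))
                if (key?.GetValue("") is string dll) return (hive, dll);
        return null;
    }

    [STAThread]   // the CLR initialises COM on this thread before Main runs
    static int Main()
    {
        Guid clsid = new Guid("4590F811-1D3A-11D0-891F-00AA004B2E24");   // CLSID_WbemLocator, the CLSID getmac.exe requests
        var reg = ResolveInprocServer(clsid);
        if (reg == null) { Console.WriteLine("CLSID not registered"); return 1; }
        Console.WriteLine($"{clsid:B} -> {reg.Value.dll} (answered by {reg.Value.hive})");
        if (reg.Value.hive == "HKCU")
            Console.WriteLine("per-user registration shadows the machine-wide one: find out who wrote it");
        else
            Console.WriteLine("no per-user key: a standard user could create one, which is the hijack opportunity");

        // Do what getmac.exe does next: activate the object and open a WMI namespace through it.
        Guid iid = typeof(IWbemLocator).GUID;
        object unk;
        int hr = CoCreateInstance(ref clsid, IntPtr.Zero, CLSCTX_INPROC_SERVER, ref iid, out unk);
        if (hr < 0) { Console.WriteLine($"CoCreateInstance failed: 0x{hr:X8}"); return 1; }
        var locator = (IWbemLocator)unk;                        // QueryInterface for IID_IWbemLocator
        IntPtr services;
        hr = locator.ConnectServer(@"root\cimv2", null, null, null, 0, null, IntPtr.Zero, out services);
        Console.WriteLine(hr == 0 ? @"connected to root\cimv2 via IWbemLocator::ConnectServer" : $"ConnectServer failed: 0x{hr:X8}");
        if (hr == 0) Marshal.Release(services);
        Marshal.ReleaseComObject(locator);
        return hr == 0 ? 0 : 1;
    }
}
```

Two caveats for whichever side of the hijack you are on. First, COM ignores HKCU\Software\Classes for processes running at high integrity, so a per-user registration planted there only fires in medium-integrity hosts such as getmac.exe run from a normal console, and a check that reads only HKCR sees the winning value but not which hive supplied it. Second, bitness matters: a 32-bit process resolves the WOW6432Node view of these keys, so check the view that matches the host process you care about.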
 
I’m hoping some of these linked resources can be useful jump-off points. Much more to explore…
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam