tasty pepperoni

15 posts

@tastypepperoni

OSEP | OSCP | CRTO

Joined November 2021
220 Following, 163 Followers
tasty pepperoni
tasty pepperoni@tastypepperoni·
Stateful Connection With Spoofed Source IP — NetImpostor Gain another host's network access permissions by establishing a stateful connection with a spoofed source IP github.com/tastypepperoni…
0
0
1
88
tasty pepperoni
tasty pepperoni@tastypepperoni·
@M_haggis Great work on detections! About the location, from where the driver was loaded, it can be easily bypassed with --driver option. You can specify the location and the filename of the driver with it. So, we can't rely on that method alone
0
0
1
22
The Haag™
The Haag™@M_haggis·
Most will need to register a service which is pretty standard. In this case - EventCode 7045. Do some hunts, you'll realize most drivers load from pretty standard locations. When something new loads outside of those paths - 👀👀👀
2
0
3
249
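A defender-side illustration of the hunt described in the tweet above, added here as an example that is not part of the thread and is not code from PPLBlade or from any of the people quoted. It parses constructed Event ID 7045 messages (synthetic text in the shape of the System log's "A service was installed in the system" record), keeps only kernel-mode driver installs, and flags those whose image path resolves outside the standard driver directories. The directory baseline, the service name `updsvc` and every file path are assumptions made for the example. As the reply further up in the timeline points out, a loader that lets the operator choose the driver's location and filename defeats a path-only rule, so treat this as one signal to combine with others rather than a detection on its own.

```python
"""Hunt for Event ID 7045 kernel-driver installs outside standard driver paths.

Added example, not from the thread or from PPLBlade. The sample messages
below are constructed to mirror the fields of a 7045 message; they are
not real captures, and the directory baseline is an assumption.
"""
import re
from textwrap import dedent
from typing import Dict, List

# Field labels as they appear in the body of a 7045 event message.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|"
    r"Service Account):[ \t]*(.*)$",
    re.MULTILINE,
)

# Assumed baseline of directories drivers are normally installed from.
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def normalize_image_path(raw: str) -> str:
    """Turn the various spellings seen in ImagePath into one lower-case absolute path."""
    p = raw.strip().strip('"').lower()
    if p.startswith("\\??\\"):                      # NT object-manager prefix
        p = p[4:]
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):                    # assumption: SystemRoot is C:\Windows
            p = "c:\\windows\\" + p[len(prefix):]
    if not re.match(r"^[a-z]:\\", p):               # relative, e.g. system32\drivers\x.sys
        p = "c:\\windows\\" + p.lstrip("\\")
    return p


def parse_7045_message(message: str) -> Dict[str, str]:
    """Extract the labelled fields of a 7045 message body into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def is_kernel_driver_install(fields: Dict[str, str]) -> bool:
    return "kernel mode driver" in fields.get("Service Type", "").lower()


def is_outside_standard_dirs(image_path: str) -> bool:
    p = normalize_image_path(image_path)
    return not any(p.startswith(d) for d in STANDARD_DRIVER_DIRS)


def hunt_7045(messages: List[str]) -> List[Dict[str, str]]:
    """Return the driver installs whose image lives outside the baseline directories."""
    hits = []
    for message in messages:
        fields = parse_7045_message(message)
        if not is_kernel_driver_install(fields):
            continue                                # user-mode services are out of scope here
        image = fields.get("Service File Name", "")
        if is_outside_standard_dirs(image):
            hits.append({"service": fields.get("Service Name", ""),
                         "image": normalize_image_path(image)})
    return hits


def _msg(name: str, image: str, svc_type: str, start: str, account: str = "") -> str:
    """Build a constructed 7045-style message body (synthetic, for the example)."""
    return dedent(f"""\
        A service was installed in the system.

        Service Name:  {name}
        Service File Name:  {image}
        Service Type:  {svc_type}
        Service Start Type:  {start}
        Service Account:  {account}
        """)


# Constructed sample records: two ordinary driver installs, one user-mode service,
# one DriverStore install, and one hypothetical driver dropped in a user-writable path.
SAMPLE_MESSAGES = [
    _msg("WdNisDrv", "\\SystemRoot\\System32\\drivers\\WdNisDrv.sys",
         "kernel mode driver", "system start"),
    _msg("mouhid", "system32\\DRIVERS\\mouhid.sys", "kernel mode driver", "demand start"),
    _msg("ExampleAgent", '"C:\\Program Files\\ExampleVendor\\agent.exe"',
         "user mode service", "auto start", "LocalSystem"),
    _msg("exampledrv",
         "C:\\Windows\\System32\\DriverStore\\FileRepository\\example.inf_amd64_0123\\example.sys",
         "kernel mode driver", "demand start"),
    _msg("updsvc", "\\??\\C:\\Users\\Public\\update.sys", "kernel mode driver", "demand start"),
]

if __name__ == "__main__":
    for hit in hunt_7045(SAMPLE_MESSAGES):
        print(f"driver service {hit['service']!r} installed from non-standard path {hit['image']}")
```

Only the constructed `updsvc` record is reported; the DriverStore and `System32\drivers` installs and the user-mode service are not. Against a real environment the baseline tuple is the part to adjust first, since third-party drivers legitimately installed elsewhere will otherwise show up on every hunt.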
The Haag™
The Haag™@M_haggis·
PPLBlade 🗡️ is not the first to incorporate a driver 🛠️ in order to disable or evade controls 🚫. How can we effectively monitor 🖥️ such activities across multiple endpoints 🔍 and on a larger scale 📊? Let's explore some analytic ideas using Sysmon, Aurora and WinEventLogs📈.
2
12
32
8.5K
tasty pepperoni
tasty pepperoni@tastypepperoni·
@rolphin @Sam0x90 @abhijithbr An nt authority\system level shell can be started if you're an admin (using psexec, for example). You're still going to have SeDebugPrivilege there.
0
0
0
203
rolphin
rolphin@rolphin·
@Sam0x90 @abhijithbr @tastypepperoni About prevention: what about removing the SeDebugPrivilege from the admin group? (Leave it to a specific admin group without members until needed?)
1
0
0
37
tasty pepperoni
tasty pepperoni@tastypepperoni·
@_Kudaes_ @theluemmel Again, specific conditions might exist, but these kinds of conditions are in every bypass, vulnerability, etc. We come to the basic baseline: There's a prevention mechanism, to prevent access to PPL. You still get access to the PPL, you invalidate the prevention. Simple as that.
1
0
0
116
Kurosh Dabbagh
Kurosh Dabbagh@_Kudaes_·
@tastypepperoni @theluemmel From kernel you are allowed to interact with any process, including PPL. In order to call something a bypass (imho) it is required to be something preventing you from doing so, which is not the case once the driver is loaded.
2
0
2
198
Kurosh Dabbagh
Kurosh Dabbagh@_Kudaes_·
@theluemmel @tastypepperoni That's an alive debate rn, but imo there is already a security boundary, which is that you need SeLoadPrivilege to load a (digitally signed) driver. Once that's done, I don't see the PPL bypass. I see it more like why tf the EDR allows a random binary to load PS's driver xD
2
0
7
577
tasty pepperoni
tasty pepperoni@tastypepperoni·
@_Kudaes_ @theluemmel Sure, there can exist mitigations to prevent you from doing this, and yes, IF those mitigations are present, then there is no bypass. But this "IF" can exist in every exploit, every vulnerability, every bypass. This does not mean that we should not call it its name.
0
0
1
127
tasty pepperoni
tasty pepperoni@tastypepperoni·
@_Kudaes_ @theluemmel Whether this is an exploit/vulnerability can be debated, sure. But when it comes to the term "bypass", I think the tool fulfills the term's definition. The defense mechanism (PPL) is there to prevent you from doing something, yet you accomplish your malicious goal.
1
0
1
101
Kurosh Dabbagh
Kurosh Dabbagh@_Kudaes_·
@theluemmel @tastypepperoni This is MS's AV, not MDE (EDR). And I would not consider that bringing your own kernel driver is a PPL bypass. It is the intended behaviour! Maybe I'm missing something here 🙃
2
0
2
1.1K
tasty pepperoni
tasty pepperoni@tastypepperoni·
@theluemmel @techspence Don't forget to add the obfuscation option if the host running SMB is defended by Windows Defender as well. The SMB machine's Defender will detect the dump file as well and delete it. Turn on the obfuscation to exfil the obfuscated version, so the new Defender will leave it alone.
0
0
0
64
tasty pepperoni retweeted
LuemmelSec
LuemmelSec@theluemmel·
Ran into a problem while trying to compile @tastypepperoni's PPLBlade: github.com/tastypepperoni… The root cause is compiling Go stuff on Linux for Windows, so it runs into errors. However, you can do it like this: GOOS=windows GOARCH=amd64 go build -o bin/pplblade.exe Et voila :)
1
7
21
2.5K