Spiky Sabra
29 posts

Spiky Sabra
@SpikySabra
Research initiative - We aim to wake the industry @T045T3 @0xs0ns3
israel Joined September 2022
7 Following 271 Followers

Thread hijacking, it's simple, it's magic.
What if we could give it a weird twist that is somehow less detected?
How can we lose some API calls that relate to changing the instruction pointer while using a vulnerable driver? How do you inject an EDR?
spikysabra.gitbook.io/kernelcactus/p…

So we showed you how we use vulnerable drivers to steal tokens for a new process.
That is obviously not enough.
How about editing your current process token?
Check this:
spikysabra.gitbook.io/kernelcactus/
github.com/SpikySabra/Ker…

@alexsho71327477 @Archib4 @francisacer1 @GabrielLandau For example in logon type 3, no creds are saved on the machine, and as such any lateral movement you try to make would require creds.

@Archib4 @SpikySabra @francisacer1 @GabrielLandau I doubt that the task is in the token. I have not yet seen a response on how a duplicated token cannot work. DC credentials are probably bound to the logon session, but when we duplicate a token the logon session ID is not changed.

Access tokens are the beating heart of a process.
Stealing tokens is an important method attackers need in order to escalate their privileges.
What if you could steal both local and AD tokens with one command line?
Well... now you can!
Check this out:
spikysabra.gitbook.io/kernelcactus/

@alexsho71327477 @francisacer1 @GabrielLandau A duplicate token might require a new TGT for actions outside of the machine. For example.

@SpikySabra @francisacer1 @GabrielLandau In which concrete case can code with a duplicated token fail?

@CervenPavol @alexsho71327477 @GabrielLandau Thank you Pavol. We would love to hear from our users on how to improve our tool. Any issues would be gladly looked into.

@SpikySabra @alexsho71327477 @GabrielLandau I did some tests with Win 11. No crashes. The only problem I found was with --etw. When I disabled Windows Defender, it worked anyway (tried copying some malware sample). Other things worked nicely and I tried almost all parameters. Nice work!

@francisacer1 @alexsho71327477 @GabrielLandau Well, there are plenty of edge cases; it depends also on the logon type. But mostly, in order to perform lateral movement you must validate session and cached credentials, while using the same token value mostly takes care of things.
Also, we believe it's more stealthy.

@SpikySabra @alexsho71327477 @GabrielLandau Hmm, usually when I impersonated a domain admin token it was valid for actions like creating new accounts on the domain, or am I missing something?

@pat_mayer @codex_tf2 You are correct as well.
Pros and cons, like everything in life.
With that being said, we made sure the service would never come back. Check the section regarding destroying a service 😎

@SpikySabra @codex_tf2 Killing it would also mean that the defender can't contain the host or execute any remote command, and just like you say, more damage can be done during that time!! If the host goes back online, everybody will focus on the host, what happened, etc. etc. etc.

A lot has been said about removing hooks and kernel callbacks to stop an EDR from detecting malicious activity.
What if we could terminate the process completely?
Well... we can.
Check this out:
spikysabra.gitbook.io/kernelcactus/

@CervenPavol @alexsho71327477 @GabrielLandau Thank you @CervenPavol, indeed it worked for us on Win 11, as the kernel structure is still very similar to Win 10 in many ways.

@alexsho71327477 @GabrielLandau @SpikySabra Your work with BYOVD is interesting. Not only to gain privileges but to run a process as PP or PPL. Another very interesting thing is the possibility to "downgrade" a PP or PPL process to a normal process and then dump it or debug it. Did you try it with Win 11?

@alexsho71327477 @GabrielLandau Well... instead of creating a new token object, we reuse the value of an existing one.
Using fewer API calls = fewer detections.
Also, when you duplicate tokens in a domain environment, they are not valid for actions outside of your machine, while using this method they are valid.

@GabrielLandau @SpikySabra Yes, this is the correct way. Also, we can create a token ourselves after getting SeCreateTokenPrivilege. What the driver (which first needs to be obtained and signed) is for here is unclear to me.

@codex_tf2 We agree completely!
And yet the possibility is scary.
A malicious adversary that is going "guns blazing" would not care about a red flag though... Sometimes a few seconds without EDR is all it takes to do serious damage.

@SpikySabra Killing the EDR is risky though; if they have any way of detecting it and it flags, that's a HUGE red flag. That, and I've seen friends who weren't allowed to totally kill the EDR due to ROE.

@GabrielLandau In our point of view, the arbitrary read/write IOCTLs are more dangerous than others, since they expose the attacker to endless possibilities.

@SpikySabra You can also use Backstab, which uses a vulnerable Microsoft driver: github.com/Yaxser/Backstab
