using mimikatz driver to unhook antivirus on windows
play

Using Mimikatz driver to unhook antivirus on Windows Supervisor: - PowerPoint PPT Presentation

Sep 19, 2023 •141 likes •355 views

Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram Blaauwendraad & Thomas Ouddeken Mimikatz Post exploitation tool created by Benjamin Delpy Administrative privileges required Used to extract

  1. Using Mimikatz’ driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram Blaauwendraad & Thomas Ouddeken

  2. Mimikatz Post exploitation tool created by Benjamin Delpy Administrative privileges required Used to extract authentication information, such as: Passwords ○ Hashes ○ Smartcard PIN codes ○ Kerberos (ticket granting) tickets ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 2

  3. Mimidrv A signed driver in the Mimikatz toolkit ○ Can be used to read/write to kernel space memory ○ using Input/Output Control Messages (IOCTL) Extrapolate to other vulnerable drivers ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 3

  4. Antivirus Mini-filters Monitors/tracks file system data ○ Callback LoadImage ○ CreateThread ○ CreateProcess ○ CreateFile ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 4

  5. Implications Signed drivers with similar vulnerabilities ○ VirtualBox driver ○ Have legitimate uses ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 5

  6. Research Question Can the signed Mimidrv driver be exploited to render antivirus useless by unhooking callbacks in Windows? How can Mimidrv be used to arbitrarily read/write in ○ kernel space in Windows? How can arbitrary read/write capability in kernel ○ space be used to unhook antivirus callbacks in Windows? Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 6

  7. Related work An in-depth article on Mimikatz’ inner workings by ○ Matt Hand Unsupported claims that unloading AV-driver is ○ possible on multiple blogs Book on inner workings of antiviruses by J. Koret ○ and E. Bachaalany Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 7

  8. Methodology A host (debugger) and target (debuggee) ○ Windows 10 1912 and 1809 respectively ○ Virtual Machines (VMWare) ○ WinDbg over serial port ○ Focus on Windows Defender ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 8

  9. Unloading Conspicuous way of disabling antivirus Closing the process ○ However…. ○ Windows defender is a protected process ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 9

  10. Unloading: !process Doubly linked list containing process information PrimaryTokenFrozen ○ SignatureProtect ○ Protection ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 10

  11. Unloading Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 11

  12. Unloading: succes Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 12

  13. Unhooking callbacks Less conspicuous Challenges: Windows Kernel Patch Protection (KPP / Patchguard) ○ Avoiding other detection methods ○ Avoiding blue screen ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 13

  14. Unhooking callbacks Render callbacks useless For each callback, locate their address with Mimidrv ○ Verify that callback addresses lie within the AV-driver ○ using WinDbg Overwrite callback locations with opcode 0xC3 (RET) ○ Callbacks should now always return OK ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 14

  15. Unhooking callbacks example Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 15

  16. Unhooking callbacks example Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 16

  17. Unhooking callbacks example Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 17

  18. Unhooking callbacks testing Testing is diffjcult AV do not only use mini-filters and callbacks ○ Check the hash of a program before it is executed ○ Heuristics and comparing code snippets ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 18

  19. Unhooking callbacks through driver Render callbacks useless IOCTL for reading/writing kernel memory already ○ present Mimidrv signed ○ Use this IOCTL to do the same as with WinDbg ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 19

  20. Conclusions Still some work to do, such as: Test our theories reliably ○ Perform the same methods using other drivers ○ Future work ○ Proof exploit in real world ○ Exploit enterprise-grade AV ○ Research Introduction Related work Methodology Unloading Unhooking Conclusions Question 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

mimikatz 2.0 Benjamin DELPY ` gentilkiwi ` Our little story `whoami`, why am I doing this?

mimikatz 2.0 Benjamin DELPY ` gentilkiwi ` Our little story `whoami`, why am I doing this?

mimikatz 2.0 Benjamin DELPY ` gentilkiwi ` Our little story `whoami`, why am I doing this? mimikatz 2.0 & sekurlsa Focus on Windows 8.1 et 2012r2 Kerberos & strong authentication Questions / Answers And of course, some demos during

970 views • 30 slides
AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer Science at Uniba Three years of experience in web development Cybersecurity and Linux appassionate Mail: saracinoarcangelo@gmail.com Outline

363 views • 18 slides
MIMIKATZ ;) Whoami Vincent LE TOUX @mysmartlogon Does this remind something to you? <Insert

MIMIKATZ ;) Whoami Vincent LE TOUX @mysmartlogon Does this remind something to you? <Insert

YOU TRY TO DETECT MIMIKATZ ;) Whoami Vincent LE TOUX @mysmartlogon Does this remind something to you? <Insert vendor> <Insert vendor> Busylight stops mimikatz! Busylight Dem o COMMON MISTAKE: MIMIKATZ IS NOT JUST ABOUT

1.02k views • 46 slides
Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years This talk is based on private research Before that experience as windows/linux/network admin, a little as web developer and so on...

1.06k views • 49 slides
Roadmap for Section 6.3 Driver and Device Objects I/O Request Packets (IRP) Processing Driver

Roadmap for Section 6.3 Driver and Device Objects I/O Request Packets (IRP) Processing Driver

Unit OS6: Device Management 6.3. Windows I/O Processing Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 6.3 Driver and Device Objects I/O Request Packets (IRP) Processing

477 views • 23 slides
Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

Unit OS8: File System 8.2. Windows File Systems Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

496 views • 34 slides
Ion slides 2 pc windows 10 driver download Moon gives a good business the last-named aspect

Ion slides 2 pc windows 10 driver download Moon gives a good business the last-named aspect

Ion slides 2 pc windows 10 driver download Moon gives a good business the last-named aspect operates in both the 7th and 8th houses; and h being lord of the 7th, and the J being afflicted by W , un- happiness in love-affairs and marriage would

262 views • 3 slides
Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman Steffan Roobol 04-07-2019 Introduction Figure 1: Kerberos Protocol 2 Problem Figure 1: the LSASS process and Mimikatz. 3 Research Questions

520 views • 27 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Driver Group plc Results for the year to 3 0 Septem ber 2 0 1 9 Driver Group plc 2 Business

Driver Group plc Results for the year to 3 0 Septem ber 2 0 1 9 Driver Group plc 2 Business

Driver Group plc Driver Group plc Results for the year to 3 0 Septem ber 2 0 1 9 Driver Group plc 2 Business Profile Driver is a global dispute resolution provider to a blue chip client base Driver Trett & Project Services Driver

388 views • 28 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Driver Group plc Results for the six months to March 2019 Driver Group plc 2 Business Profile

Driver Group plc Results for the six months to March 2019 Driver Group plc 2 Business Profile

Driver Group plc Driver Group plc Results for the six months to March 2019 Driver Group plc 2 Business Profile Driver is a global dispute resolution provider to a blue chip client base Driver Trett & Project Services Driver Trett

396 views • 27 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
A starting point for ToR Vehicle has a driver Steering from Only vehicle systems Driver is able to

A starting point for ToR Vehicle has a driver Steering from Only vehicle systems Driver is able to

A starting point for ToR Vehicle has a driver Steering from Only vehicle systems Driver is able to control drive outside Driver Driver or driverless Driver No driver + ADAS ToR Section 1 ToR Section 2 ToR Section 3 Applicable framework?

583 views • 17 slides
Scalability Visibility Windows Update Certification [& Client] Intent: when

Scalability Visibility Windows Update Certification [& Client] Intent: when

Reliability WaaS Scalability Visibility Windows Update Certification [& Client] Intent: when Targeting should the driver Classification Signing and Ranking be offered? Who validations should receive it?

687 views • 31 slides
NHTSA Novice Driver Initiatives NHTSA Novice Driver Initiatives Driver Education Driver

NHTSA Novice Driver Initiatives NHTSA Novice Driver Initiatives Driver Education Driver

NHTSA Novice Driver Initiatives NHTSA Novice Driver Initiatives Driver Education Driver Education and and Graduated Licensing Graduated Licensing Thomas M. Louizou, Regional Administrator NHTSA Eastern Region May 10, 2007 Crash Rate by

246 views • 14 slides
CSCI 136 Data Structures & Advanced Programming Lecture 11 Spring 2018 Profs Bill &

CSCI 136 Data Structures & Advanced Programming Lecture 11 Spring 2018 Profs Bill &

CSCI 136 Data Structures & Advanced Programming Lecture 11 Spring 2018 Profs Bill & Jon Administrative Details Lab 4 A wrong version of LinkedList.java was posted on the course website. If you downloaded the file, please

329 views • 16 slides
Jetson TK1 Seminararbeit Benjamin Baumann Contents Field of Application Jetson TK1

Jetson TK1 Seminararbeit Benjamin Baumann Contents Field of Application Jetson TK1

Jetson TK1 Seminararbeit Benjamin Baumann Contents Field of Application Jetson TK1 GPU Basics Architecture CUDA Benchmark Performance Energy Efficiency Related Work Future Conclusion src:

442 views • 31 slides
PRECISION DRILLING CORPORATION Combination with Trinidad Drilling Ltd. October 5, 2018 | 1

PRECISION DRILLING CORPORATION Combination with Trinidad Drilling Ltd. October 5, 2018 | 1

*Rig 576, Loving County TX, Permian Basin PRECISION DRILLING CORPORATION Combination with Trinidad Drilling Ltd. October 5, 2018 | 1 Forward-looking Statements Certain statements contained in this presentation, including statements that

187 views • 14 slides
END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors:

END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors:

Practical Experience Report A TALE OF TWO INJECTORS: END-TO-END COMPARISON OF IR-LEVEL AND ASSEMBLY-LEVEL FAULT INJECTION Lucas Palazzi Co-authors: Guanpeng Li, Bo Fang, and Karthik Pattabiraman DEPART M ENT OF ELECT RIC AL AN D COM PUT ER

852 views • 56 slides
Optimizing APC Gopal Vijayaraghavan Zynga India gopalv@php.net July 29th, 2011 So, what's this

Optimizing APC Gopal Vijayaraghavan Zynga India gopalv@php.net July 29th, 2011 So, what's this

Optimizing APC Gopal Vijayaraghavan Zynga India gopalv@php.net July 29th, 2011 So, what's this talk about ? http://flickr.com/photos/frogmuseum2/238601344 A Retrospective http://www.flickr.com/photos/childofwar/3097124543/ What Changed?

474 views • 21 slides
VETERANS STAND DOWN 2019 OUTCOMES PRESENTATION BY SHALIMAR T. CABRERA EXECUTIVE DIRECTOR,

VETERANS STAND DOWN 2019 OUTCOMES PRESENTATION BY SHALIMAR T. CABRERA EXECUTIVE DIRECTOR,

VETERANS STAND DOWN 2019 OUTCOMES PRESENTATION BY SHALIMAR T. CABRERA EXECUTIVE DIRECTOR, U.S.VETS LAS VEGAS CHAIR, LAS VEGAS VETERANS STAND DOWN Las Vegas Veterans Stand Down 2019 PROGRAMMING : Client-centered approach Service

377 views • 14 slides
WELCOME TO OUR BUSINESS OPPORTUNITY PRESENTATION 1 www.jamalifehelpersglobal.com This Network

WELCOME TO OUR BUSINESS OPPORTUNITY PRESENTATION 1 www.jamalifehelpersglobal.com This Network

WELCOME TO OUR BUSINESS OPPORTUNITY PRESENTATION 1 www.jamalifehelpersglobal.com This Network Marketing company is new in Kenya, from Belgium. Its head office is in Nigeria Joining Fee = 650.00/kshs Bonus exchange rate is pegged at kshs125.00/$1 2

498 views • 16 slides
WELCOME TO OUR BUSINESS OPPORTUNITY PRESENTATION 1 www.jamalifehelpersglobal.com This Network

WELCOME TO OUR BUSINESS OPPORTUNITY PRESENTATION 1 www.jamalifehelpersglobal.com This Network

WELCOME TO OUR BUSINESS OPPORTUNITY PRESENTATION 1 www.jamalifehelpersglobal.com This Network Marketing company is new in South Africa, from Belgium. Joining Fee = R100, 00 Bonus exchange rate calculated at R13,00 per $1 2 PROFILE

617 views • 15 slides

More recommend