Using Mimikatz' driver to unhook antivirus on Windows (PowerPoint PPT Presentation)



SLIDE 1

Using Mimikatz' driver to unhook antivirus on Windows

Supervisor: Cedric van Bockhaven
Bram Blaauwendraad & Thomas Ouddeken

SLIDE 2

Mimikatz

○ Post-exploitation tool created by Benjamin Delpy
○ Administrative privileges required
○ Used to extract authentication information, such as:
  ○ Passwords
  ○ Hashes
  ○ Smartcard PIN codes
  ○ Kerberos (ticket granting) tickets

Introduction Research Question Related work Methodology Unloading Unhooking Conclusions

SLIDE 3

Mimidrv

○ A signed driver in the Mimikatz toolkit
○ Can be used to read/write kernel-space memory using Input/Output Control messages (IOCTLs)
○ The approach extrapolates to other vulnerable drivers

SLIDE 4

Antivirus

Mini-filters
○ Monitor/track file system data
Callbacks
○ LoadImage
○ CreateThread
○ CreateProcess
○ CreateFile

SLIDE 5

Implications

○ Signed drivers with similar vulnerabilities
○ VirtualBox driver
○ Have legitimate uses

SLIDE 6

Research Question

Can the signed Mimidrv driver be exploited to render antivirus useless by unhooking callbacks in Windows?

○ How can Mimidrv be used to arbitrarily read/write in kernel space in Windows?
○ How can arbitrary read/write capability in kernel space be used to unhook antivirus callbacks in Windows?

SLIDE 7

Related work

○ An in-depth article on Mimikatz' inner workings by Matt Hand
○ Unsupported claims on multiple blogs that unloading the AV driver is possible
○ Book on the inner workings of antiviruses by J. Koret and E. Bachaalany

SLIDE 8

Methodology

○ A host (debugger) and target (debuggee)
○ Windows 10 1912 and 1809 respectively
○ Virtual Machines (VMWare)
○ WinDbg over serial port
○ Focus on Windows Defender

SLIDE 9

Unloading

Conspicuous way of disabling antivirus
○ Closing the process
○ However...
○ Windows Defender is a protected process

SLIDE 10

Unloading: !process

Doubly linked list containing process information
○ PrimaryTokenFrozen
○ SignatureProtect
○ Protection

SLIDE 11

Unloading

SLIDE 12

Unloading: success

SLIDE 13

Unhooking callbacks

Less conspicuous. Challenges:
○ Windows Kernel Patch Protection (KPP / PatchGuard)
○ Avoiding other detection methods
○ Avoiding blue screen

SLIDE 14

Unhooking callbacks

Render callbacks useless
○ For each callback, locate its address with Mimidrv
○ Verify that the callback addresses lie within the AV driver using WinDbg
○ Overwrite the callback locations with opcode 0xC3 (RET)
○ Callbacks should now always return OK
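A defender-side integrity check that mirrors the verification step above (callback addresses should resolve inside the AV driver's image) and looks for the tamper signature the slides describe, a callback routine whose first byte is 0xC3. This is an added example, not code from the slides or from Mimikatz; the module ranges, callback addresses and prologue bytes are constructed, and on a real host they would have to be collected from a kernel debugger session or a kernel-mode agent.

```python
from dataclasses import dataclass
from typing import List, Optional

RET_OPCODE = 0xC3  # x86/x64 near return: a callback patched to this does nothing

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

@dataclass(frozen=True)
class Callback:
    kind: str        # notification type, e.g. "CreateProcess", "LoadImage"
    address: int     # routine address as found in the kernel callback array
    prologue: bytes  # first bytes read from that address

def resolve_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module whose image range covers addr, if any."""
    for m in modules:
        if m.contains(addr):
            return m
    return None

def audit_callbacks(callbacks, modules, av_driver):
    """Flag callbacks that are unbacked, foreign to the AV driver, or RET-stubbed."""
    findings = []
    for cb in callbacks:
        mod = resolve_module(cb.address, modules)
        if mod is None:
            findings.append((cb.kind, "address not backed by any loaded module"))
            continue
        if mod.name.lower() != av_driver.lower():
            findings.append((cb.kind, f"registered by {mod.name}, not {av_driver}"))
        if cb.prologue[:1] == bytes([RET_OPCODE]):
            findings.append((cb.kind, "routine begins with RET: callback neutered"))
    return findings

# Constructed sample (hypothetical addresses): AV filter driver, kernel image,
# one RET-patched callback and one callback pointing outside every module.
MODULES = [Module("WdFilter.sys", 0xFFFFF80012000000, 0x80000),
           Module("ntoskrnl.exe", 0xFFFFF80000000000, 0x1000000)]
CALLBACKS = [
    Callback("CreateProcess", 0xFFFFF80012001000, bytes.fromhex("48895c2408")),
    Callback("LoadImage", 0xFFFFF80012002000, bytes.fromhex("c3cccccccc")),    # patched
    Callback("CreateThread", 0xFFFFF80099000000, bytes.fromhex("4883ec2800")),  # unbacked
]
```

Running audit_callbacks(CALLBACKS, MODULES, "WdFilter.sys") reports the patched LoadImage callback and the unbacked CreateThread callback, while the intact CreateProcess callback produces no finding.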

SLIDE 15

Unhooking callbacks example

SLIDE 16

Unhooking callbacks example

SLIDE 17

Unhooking callbacks example

SLIDE 18

Unhooking callbacks testing

Testing is difficult
○ AVs do not only use mini-filters and callbacks
○ They check the hash of a program before it is executed
○ Heuristics and comparing code snippets

SLIDE 19

Unhooking callbacks through driver

Render callbacks useless
○ IOCTL for reading/writing kernel memory already present
○ Mimidrv is signed
○ Use this IOCTL to do the same as with WinDbg

SLIDE 20

Conclusions

Still some work to do, such as:
○ Test our theories reliably
○ Perform the same methods using other drivers
Future work
○ Prove the exploit in the real world
○ Exploit enterprise-grade AV