In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used to blind ETW sensors and tie that back to malware samples identified in-the-wild last year.

Over time, security mitigations and detection telemetry on Windows have improved substantially. When these capabilities are combined with well-configured Endpoint Detection & Response (EDR) solutions, they can represent a non-trivial barrier to post-exploitation. Attackers face a constant cost to develop and iterate on tactics, techniques, and procedures (TTPs) to avoid detection heuristics. On the Adversary Simulation team at IBM Security X-Force, we face this same issue. Our team is tasked with simulating advanced threat capabilities in some of the largest and most hardened environments. The combination of complex, fine-tuned security solutions and well-trained Security Operations Center (SOC) teams can be very taxing on tradecraft. In some cases, the use of a specific TTP is made completely obsolete in the span of three to four months (usually tied to specific technology stacks).

Attackers may choose to leverage code execution in the Windows Kernel to tamper with some of these protections or to avoid a number of user-land sensors entirely. The first published demonstration of such a capability was in 1999 in Phrack Magazine. In the intervening years there have been a number of reported cases where Threat Actors (TAs) have used Kernel rootkits for post-exploitation. Some older examples include the Derusbi Family and the Lamberts Toolkit. Traditionally, these types of capabilities have mostly been limited to advanced TAs. In recent years, however, we have seen more commodity attackers use Bring Your Own Vulnerable Driver (BYOVD) exploitation primitives to facilitate actions on the endpoint. In some instances, these techniques have been quite primitive, limited to simple tasks, but there have also been more capable demonstrations.

At the end of September 2022, researchers from ESET released a white-paper about such a Kernel capability used by the Lazarus TA in a number of attacks against entities in Belgium and the Netherlands for the purpose of data exfiltration. This paper lays out a number of Direct Kernel Object Manipulation (DKOM) primitives that the payload uses to blind OS / AV / EDR telemetry. The available public research on these techniques is sparse. Gaining a more thorough understanding of Kernel post-exploitation tradecraft is critical for defense.

A classic, naïve argument often heard is that an attacker with elevated privileges can do anything, so why should we model capabilities in that scenario? This is a weak stance.