https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit
115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406
63D61549030FCF46FF1DC138122580B4364F0FE99E6B068BC6A3D6903656AFF0
Gdatasoftware
Microsoft signed a malicious Netfilter rootkit
What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?
RME-DisCo @ UNIZAR [www.reversea.me]
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers
a804ebec7e341b4d98d9e94f6e4860a55ea1638d
6debce728bcff73d9d1d334df0c6b1c3735e295c
b2f955b3e6107f831ebe67997f8586d4fe9f3e98
SentinelOne
Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers
Threat actors are abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.
https://www.theregister.com/2022/03/05/nvidia_stolen_certificate/
ab59178235193927d7053f3dec936b356c0a0aa7a13f9e4878e1219633175d20
The Register
Leaked stolen Nvidia key can sign Windows malware
70k staff email addresses and NTLM password hashes also dumped online
Forwarded from Хакер Free
Хакер - Forensics lessons. Investigating the HawkEye cyber incident
https://telegra.ph/Haker--Uroki-forenziki-Rassleduem-kiberincident-HawkEye-01-15
Telegraph
Хакер - Forensics lessons. Investigating the HawkEye cyber incident
https://t.me/hacker_frei rayhunt454 Contents of the article: Tooling; Network traffic analysis; Conclusions. Today we will practice incident investigation and work through the HawkEye lab from CyberDefenders. We will learn how to analyze…
Forwarded from greg0r0 life&work
ThreadScheduling.pdf (207.7 KB)
Windows Kernel Internals Thread Scheduling
One way to do gdb-style hooks in windbg:
Print the file name string that is passed to CreateFile
bp kernel32!CreateFileW ".echotime; .echo====================; du rcx; g"
Reverse Dungeon
Setting up an environment for kernel debugging. Debugging Windows 10: install the SDK: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk ; on the debuggee: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64 .\kdnet.exe 192.168.0.1 (host addr). We get a line like this:…
myworkspace1.WEW (1.5 KB)
my workspace for windbg
CVE-2018-8611 Exploiting Windows KTM
https://research.nccgroup.com/2020/04/27/cve-2018-8611-exploiting-windows-ktm-part-1-5-introduction
https://research.nccgroup.com/2020/05/04/cve-2018-8611-exploiting-windows-ktm-part-2-5-patch-analysis-and-basic-triggering
https://research.nccgroup.com/2020/05/11/cve-2018-8611-exploiting-windows-ktm-part-3-5-triggering-the-race-condition-and-debugging-tricks
https://research.nccgroup.com/2020/05/18/cve-2018-8611-exploiting-windows-ktm-part-4-5-from-race-win-to-kernel-read-and-write-primitive
https://research.nccgroup.com/2020/05/25/cve-2018-8611-exploiting-windows-ktm-part-5-5-vulnerability-detection-and-a-better-read-write-primitive
NCC Group Research Blog
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The first of five blog posts exploring the detailed exploitation of CVE-2018-8611.