Note - The interesting stuff (loading the driver etc) needs to be done as admin. However the driver etc then allows you to do things that even having admin wouldnt be possible or easy.
@@ytg6663 @stephencole9289 actually this method is first and mostly used by game hackers for bypassing kernel level anticheats by loading their cheats or anticheat bypass mechanisms on kernel level, i didnt saw it being used or exploited by a threat actor in the post exploitation phase after "gaining initial access to victim systems", so yeah you can say that the whole point of this hack is just to get some ring 0 access on systems to do other shenanegans (though u can use it as a post expllitation tool to do some other shit as well)
Well, without digital signature if you try to run any executable defender will flag it. It worked because it is compiled on the same machine where it was executed. Else I don't see anyway around it.
what are you talking about? Defender wont flag any executable but it will just throw a security warning for the exe, and ask the user if he really wants to run it
Digital Signature blocks unsigned drivers and on windows 10 and 11 there is also driver blacklist which will stop from loading any vulnerable drivers that are known for being abused. However, if you load a signed driver that is not present in blacklist then you could use it to load another unsiged driver into kernel which then you can call by your client application. Defender & EDRs won't stop you unless you are trying to load something that has been already signatured.
Just to wrap my head around this; Drivers are run as system, no surprises here? the Intel vulnerable driver is used to load an unsigned driver, the unsigned driver injects code into windows defender, why? why do we inject code into defender? Does it provide any utility for us or something? I mean like we could inject anywhere? we could just run the shellcode from the driver?
But wouldn't you see the executed comands at 22:10 in an EDR under the msmpeng process tree? Or will comands executed on a kernel level not be visible on an EDR?
This video doesn't test against EDR only against AV. If you try to inject into EDR then this would still work and you would successully be injected into EDR process but it will also trigger an alert and create events because EDRs also use kernel drivers for monitoring and protection of its own user mode process. The proper approach would be removing EDRs callbacks before trying to inject the payload because in the kernel you are a lot more exposed then in user space in regards to visiblity.
Kinda pointless if you need admin priv to do it. Might as well use token impersonation technique if you have admin priv to escalate to system which is also less complicated
@@nero2k619 also, this is highly dependent on the developers to implement the anticheat properly, whether it's in house or third party, into their game. But the two games that I mentioned do require kdmapper, or another tool, to install and use a vulnerable driver and load your own driver.
@@nero2k619 Same. That's why I mentioned that they all have left themselves open, which is nice to think about, because cheaters in those games are extremely frustrating. Big problem with newer tech, though. There's been aim-bots that work off output from a capture card, for a few years, now. I've also heard, recently, that hardware memory access using an adapter and an external PC, is starting to become a method for skirting the anti-cheat. And then there's companies that don't read the manual, and integrate the anti-cheat into their game in a manner that just requires the user emulate the anti-cheat on the client side, and send a few packets every now and then. But the easiest way, by far, is to install a vulnerable driver, and, that is just a bad idea. I'm sure WinPEAS would pick it up, easily.
A « mind-blowing » technic that requires to be admin of the machine in the first place. Lol. That’s cool but just when you want to play at home. This is not how it goes in real life within big companies. Hackers are using way more efficient and straightforward procedures.
@@nezu_ccYou can actually disable the msft driver block list programmaticly, my program ksDumper 11 does this as a pre-req to leveraging KDU to load the ksDumper driver
@@zaki_flif you do make sure you use UFW (its not on by default in some distros), SELinux or Apparmor rules and Lynis for audits and you should be fine unless your motherboard UEFI has a critical CVE
@@somerandomwithacat750 Netcat gets boring lol... I can see the benefit of to use it as way to manage rshells. Seems to automatically upgrades to a 'smart' shell, thats nifty; extendability!! I realize you can do it straight on the terminal but why not? I need to play around with it some more.
One of my favorite topics so glad to see you do some deep dives on it love the content man
I just got an ad with John at the start and thought the video had already started lmao
Funny seeing an ad before this video with you in it 😂
Note - The interesting stuff (loading the driver etc) needs to be done as admin. However the driver etc then allows you to do things that even having admin wouldnt be possible or easy.
How would attacker get privilege escalation in first place??
@@ytg6663 There are different aproaches, most users are simply dumb and will click on "yes" if the system asks for it...
@@ytg6663 Cause windows already uses a lot of drivers and often these have vulnerabilites.
@@ytg6663 @stephencole9289
actually this method is first and mostly used by game hackers for bypassing kernel level anticheats by loading their cheats or anticheat bypass mechanisms on kernel level, i didnt saw it being used or exploited by a threat actor in the post exploitation phase after "gaining initial access to victim systems", so yeah you can say that the whole point of this hack is just to get some ring 0 access on systems to do other shenanegans (though u can use it as a post expllitation tool to do some other shit as well)
@@ytg6663 hmmm.. the user doing it
Anyone else get the synk ctf ad from the prevideo ads?
Well, without digital signature if you try to run any executable defender will flag it. It worked because it is compiled on the same machine where it was executed. Else I don't see anyway around it.
what are you talking about? Defender wont flag any executable but it will just throw a security warning for the exe, and ask the user if he really wants to run it
also i dont know if you know but other files exist besides executables
Digital Signature blocks unsigned drivers and on windows 10 and 11 there is also driver blacklist which will stop from loading any vulnerable drivers that are known for being abused. However, if you load a signed driver that is not present in blacklist then you could use it to load another unsiged driver into kernel which then you can call by your client application. Defender & EDRs won't stop you unless you are trying to load something that has been already signatured.
@@nero2k619 you can pay to have your drivers signed, or you can manually map your drivers with open source tools
@@nero2k619are you talking about using a signed driver to turn off windows DSE?
Nice video, John!
Just to wrap my head around this;
Drivers are run as system, no surprises here?
the Intel vulnerable driver is used to load an unsigned driver, the unsigned driver injects code into windows defender,
why? why do we inject code into defender? Does it provide any utility for us or something?
I mean like we could inject anywhere? we could just run the shellcode from the driver?
Great content John
Finally Was Waiting For This Video
This is scary. Great video !
Didn't expect to see good ol' UC in the video
Would have liked to see the network and security event logs when you ran commands after the system was vulnerable.
DIY...
What if it patched the Event viewer 🙂
But wouldn't you see the executed comands at 22:10 in an EDR under the msmpeng process tree? Or will comands executed on a kernel level not be visible on an EDR?
This video doesn't test against EDR only against AV. If you try to inject into EDR then this would still work and you would successully be injected into EDR process but it will also trigger an alert and create events because EDRs also use kernel drivers for monitoring and protection of its own user mode process. The proper approach would be removing EDRs callbacks before trying to inject the payload because in the kernel you are a lot more exposed then in user space in regards to visiblity.
Also, the driver is the only component here that runs in the kernel. The injected shellcode runs in user space and not it the kernel.
maldev is the best shit i have come across to learn malware development but their price is just a bit high
Thanx for sharing John...sweeeet shirt!!
So impressive, THX bro.
Unbelievable man, how long have you been hacking for?
Professor, if I don't understand this course where I do have to start?
Could you give me advice from basic step? I have empty brain in IT area.
Nice stuff but too expensive for a hobby!
Great job but be cool to have all your sources
Unbelievable tool I've never seen
Where do I get one of those shirts?
Havoc is a fork from Villain right? Just with some extra functions
Villain was written in python. Havoc is Go/C/C++. So I doubt it.
Nice shirt john hammond
Is there a way to make me stop hating windows hacking? Could you make a video about this issue? It seems loads of people are in this state of mind
Bruh that’s what I’m thinking every day. Feel it.
Mission complete > enjoyment until then
Hi, thanks for the great video. I have a question.
How the shellcode is decrypted and which component will decrypt it?
The encrypted shellcode basically decrypts itself during runtime
@@tanvorn9323 cool. Thanks
Okuneva Expressway
Oh now?! Why are you launching cmd?!
Hey John, 🎉
Great work 🎉🎉
and how possible if not installed my computer i mean the intel driver not located in my PC so what
Nice video!
now this is a cool content I always wanted to see
Does anyone know how to exit graphical mode in Linux Parrot 5.0?
He sooooo should have played with KDU, its mind blowing cause kdmapped is way old
Thanks you
is this binary exploitaion
I love synk ;-)
250$ for a few months access.................. this feels very seedy
Kinda pointless if you need admin priv to do it. Might as well use token impersonation technique if you have admin priv to escalate to system which is also less complicated
I bet all those cheaters on Warzone, or R6 Siege, all have a vulnerable driver installed on their system, to get around the anti-cheat. 🤔
Usually kernel anti-cheats require a driver so in order to bypass the anti-cheat you also need a driver to abuse it.
@@nero2k619 that is literally what this is...
@@nero2k619 also, this is highly dependent on the developers to implement the anticheat properly, whether it's in house or third party, into their game.
But the two games that I mentioned do require kdmapper, or another tool, to install and use a vulnerable driver and load your own driver.
@nordgaren2358 I think you misunderstood me. I know how this all works and how cheat devs bypass anti cheats.
@@nero2k619 Same. That's why I mentioned that they all have left themselves open, which is nice to think about, because cheaters in those games are extremely frustrating.
Big problem with newer tech, though. There's been aim-bots that work off output from a capture card, for a few years, now. I've also heard, recently, that hardware memory access using an adapter and an external PC, is starting to become a method for skirting the anti-cheat.
And then there's companies that don't read the manual, and integrate the anti-cheat into their game in a manner that just requires the user emulate the anti-cheat on the client side, and send a few packets every now and then.
But the easiest way, by far, is to install a vulnerable driver, and, that is just a bad idea. I'm sure WinPEAS would pick it up, easily.
u m8 are mind blowing :)
A « mind-blowing » technic that requires to be admin of the machine in the first place. Lol. That’s cool but just when you want to play at home. This is not how it goes in real life within big companies. Hackers are using way more efficient and straightforward procedures.
Revoked driver certificates is a thing. Microsoft is working to defend its users.
Shill
lol
@@nezu_ccYou can actually disable the msft driver block list programmaticly, my program ksDumper 11 does this as a pre-req to leveraging KDU to load the ksDumper driver
comments like this make me want to switch to linux
@@zaki_flif you do make sure you use UFW (its not on by default in some distros), SELinux or Apparmor rules and Lynis for audits and you should be fine unless your motherboard UEFI has a critical CVE
Tell us about MBR Bootkits😅
LoL
If you have Cloud Delivered Protection off 90% chance your malware wont get flagged lol.
I like kernel ;-) salam dari indonesia anonym
😄
love you
I am unreasonably angry that they called it "demon" and not "daemon"
hey, that's where script kiddies are made
You were already admin when running that shellcode, there’s a million ways to to do shit like become a system or execute c2 payload
So I just learned about Havoc LMAO.... SOOOOOO since Havoc doesn't seem to have any "auto-pwn" features, is it OSCP-friendly?
You don't need a c2 for anything on the oscp.
@@somerandomwithacat750 Netcat gets boring lol... I can see the benefit of to use it as way to manage rshells. Seems to automatically upgrades to a 'smart' shell, thats nifty; extendability!! I realize you can do it straight on the terminal but why not? I need to play around with it some more.
This topic is way over hambone's skillset.
😂😂😂
you speak so fast that I have to slow down the video to 0.75
John, how much coffee or caffeine did you have before you made this video. You talk so fast. Slow down bro.
Bro....quit sharing our community with skids.