Just pushed a very smol utility to drop’n’load drivers using NtLoadDriver instead of the noisy service creation loading.
Can be used to load vulnerable signed drivers to execute arbitrary code in kernel.
Tool + Writeup: github.com/slaeryan/AQUARMOU…
Part 2 - exploitation coming soon...
10th Chapter (Kernel Debugging) of Practical Malware Analysis (No Starch Press) complete. Just about hit the halfway mark of this write-up.
Write-ups take significantly longer than just reading content, but if it helps someone learn, then it's worth it.
jaiminton.com/Tutorials/Prac…
To celebrate 🎃, here’s a spooky delight - Wraith 👻 - A stealthy native loader PIC blob utilizing IE COM object, direct syscalls, ACG/CIG, PPID Spoofing ’n’ lots of other OPSEC goodies
Blog + Tool: github.com/slaeryan/AQUARMOU…
A special thank you to @spotheplanet & @SBousseaden
We are excited to announce higher Azure bounties and a new space for Azure research! The Azure Security Lab is a set of dedicated hosts that researchers can use to probe IaaS security without affecting customers. To find out more, see our blog. msrc-blog.microsoft.com/2019…
Working on a side project I had to use the SystemProcessAndThreadsInformation class in NtQuerySystemInformation. I wrote a small wrapper which may help as a code reference if you want to do something similar => github.com/FuzzySecurity/Sha…
If your org is starting a threat hunting program and you want to start somewhere simple, I've built a table with some common use cases and linked them to @MITREattack framework and added some @HybridAnalysis samples. Hope this helps.
github.com/dwestgard/threat_…