In the course of these 6 weeks, I've covered several aspects of kernel drivers and EDR/AVs' kernel mechanisms.

I started off strong by examining kernel callbacks and why EDR/AV products use them extensively to gain vision into what's happening on the system.

I confirmed these concepts by leveraging existing work against $vendor1 and successfully executing Mimikatz on the compromised system.

Then I took a step back and did a deep dive into the inner structure and workings of a kernel driver, how it communicates with other drivers and applications, and how I can intercept these communications using IRP MajorFunction hooks.

Once I had the basics sorted and got comfortable working with the kernel and a kernel debugger, I started developing my own driver called Interceptor, which has kernel callback patching and IRP MajorFunction hooking capabilities.

I took the driver for a test drive against $vendor2 and concluded that attacking an EDR/AV product from kernel land alone is not sufficient, and user land detection techniques should be taken into consideration as well.

With the release of this blogpost, we're past the halfway point of my internship; time flies when you're having fun.