site: blogs.technet.microsoft.com
Local privilege escalation via the Windows I/O Manager: a variant finding collaboration
https://blogs.technet.microsoft.com/srd/2019/03/14/local-privilege-escalation-via-the-windows-i-o-manager-a-variant-finding-collaboration/ [blogs.technet.microsoft.com]
2019-03-19 00:59
tags:
defense
programming
security
systems
windows
In Windows, when a system call is made from a user mode thread, the system call handler records this in the thread object by setting its PreviousMode field to UserMode. If instead the system call is made from kernel mode using a Zw-prefixed function, or from a system thread, the PreviousMode of the thread will be set to KernelMode. This method of distinguishing between user mode and kernel mode callers is used to help determine if the arguments of the call are from a trusted or untrusted source, and therefore to what extent they need to be validated by the kernel.
In his research, James found that there were various kernel mode drivers shipped with Windows that, when handling IRP_MJ_CREATE requests, check the IRP’s RequestorMode, but do not check for SL_FORCE_ACCESS_CHECK. Furthermore, these are potentially exploitable via kernel mode code that, on the face of it, appears to be doing the correct thing in setting IO_FORCE_ACCESS_CHECK when creating or opening a file. An attacker obtaining sufficient control of the arguments of a file create/open call, via some request originating from user mode, could use this to send an IRP_MJ_CREATE request where the RequestorMode is KernelMode. If the RequestorMode check is used in a security decision, this may lead to a local privilege escalation vulnerability.
Also: https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html
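The trust decision described above, as an added example that is not code from the Microsoft or Project Zero posts: a stand-in for an IRP_MJ_CREATE dispatch routine, first in the vulnerable form (RequestorMode alone decides whether the caller's arguments are trusted) and then hardened to also honor SL_FORCE_ACCESS_CHECK. The enum values and the flag value are assumed to match the WDK's MODE enum and SL_FORCE_ACCESS_CHECK but are redefined locally so the file builds without the WDK, and the IRP_MODEL / IO_STACK_LOCATION_MODEL structs are simplified stand-ins, not the real kernel layouts.

```c
/* Model of a driver's IRP_MJ_CREATE trust decision (added example, not WDK code).
 * Constants are assumed to mirror the WDK: KernelMode = 0, UserMode = 1,
 * SL_FORCE_ACCESS_CHECK = 0x01. Structs are simplified stand-ins. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE_MODEL;

/* Stack-location flag the I/O manager sets on a create IRP when the creator
 * passed IO_FORCE_ACCESS_CHECK to IoCreateFile/ZwCreateFile. */
#define SL_FORCE_ACCESS_CHECK 0x01

typedef struct {
    unsigned char Flags;                  /* stand-in for IO_STACK_LOCATION.Flags */
} IO_STACK_LOCATION_MODEL;

typedef struct {
    KPROCESSOR_MODE_MODEL RequestorMode;  /* stand-in for IRP.RequestorMode */
    IO_STACK_LOCATION_MODEL Stack;        /* the driver's current stack location */
} IRP_MODEL;

/* Vulnerable pattern: a KernelMode requestor is always trusted. A kernel caller
 * that opened the file on behalf of a user-mode request, even one that correctly
 * set IO_FORCE_ACCESS_CHECK, still arrives here as KernelMode, so the access
 * check is skipped on attacker-influenced arguments. */
bool create_needs_access_check_vulnerable(const IRP_MODEL *irp)
{
    return irp->RequestorMode != KernelMode;
}

/* Hardened pattern: a KernelMode requestor is trusted only when the I/O manager
 * did not flag the stack location with SL_FORCE_ACCESS_CHECK. */
bool create_needs_access_check_hardened(const IRP_MODEL *irp)
{
    if (irp->RequestorMode != KernelMode)
        return true;                      /* user-mode caller: always validate */
    return (irp->Stack.Flags & SL_FORCE_ACCESS_CHECK) != 0;
}

/* Build a create IRP for one scenario (constructed input, not a captured IRP). */
IRP_MODEL make_create_irp(KPROCESSOR_MODE_MODEL mode, bool force_access_check)
{
    IRP_MODEL irp;
    irp.RequestorMode = mode;
    irp.Stack.Flags = force_access_check ? SL_FORCE_ACCESS_CHECK : 0;
    return irp;
}

/* Convenience wrappers: does each dispatch variant validate this scenario? */
bool vulnerable_checks(KPROCESSOR_MODE_MODEL mode, bool force_access_check)
{
    IRP_MODEL irp = make_create_irp(mode, force_access_check);
    return create_needs_access_check_vulnerable(&irp);
}

bool hardened_checks(KPROCESSOR_MODE_MODEL mode, bool force_access_check)
{
    IRP_MODEL irp = make_create_irp(mode, force_access_check);
    return create_needs_access_check_hardened(&irp);
}

int main(void)
{
    /* The third row is the exploitable case: kernel code did the right thing
     * with IO_FORCE_ACCESS_CHECK, but the vulnerable driver ignores it. */
    printf("scenario                      vulnerable  hardened\n");
    printf("user-mode caller              %d           %d\n",
           vulnerable_checks(UserMode, false), hardened_checks(UserMode, false));
    printf("kernel caller, no force       %d           %d\n",
           vulnerable_checks(KernelMode, false), hardened_checks(KernelMode, false));
    printf("kernel caller, forced check   %d           %d\n",
           vulnerable_checks(KernelMode, true), hardened_checks(KernelMode, true));
    return 0;
}
```

The only row where the two variants disagree is the forced-check one: that is exactly the IRP an attacker reaches when some user-mode request causes kernel code to open a file on its behalf with IO_FORCE_ACCESS_CHECK set, and a driver that looks at RequestorMode alone treats those attacker-influenced arguments as trusted.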
Mitigating speculative execution side channel hardware vulnerabilities
https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/ [blogs.technet.microsoft.com]
2018-04-05 18:29
tags:
cpu
development
security
sidechannel
Speculative execution side channels, on the other hand, represented a fundamentally new hardware vulnerability class with no established process for determining their severity and their impact on existing software security models. To create this process, we and others in the industry needed to thoroughly research speculative execution side channels and establish a taxonomy and framework for reasoning about their effects and possible mitigations.
KVA Shadow: Mitigating Meltdown on Windows
https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/ [blogs.technet.microsoft.com]
2018-03-25 16:00
tags:
cpu
defense
malloc
programming
security
systems
windows
This post dives into the technical details of Kernel Virtual Address (KVA) Shadow which is the Windows kernel mitigation for one specific speculative execution side channel: the rogue data cache load vulnerability (CVE-2017-5754, also known as “Meltdown” or “Variant 3”).
Very thorough.
source: L
Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
https://blogs.technet.microsoft.com/mmpc/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses/ [blogs.technet.microsoft.com]
2017-12-11 23:05
tags:
ai
cloud
defense
malware
security
windows
We use a variety of machine learning models that use different algorithms to predict whether a file is malware. Some of these algorithms are binary classifiers that give a strict clean-or-malware verdict (0 or 1), while others are multi-class classifiers that provide a probability for each classification (malware, clean, potentially unwanted application, etc). Each machine learning model is trained against a set of different features (often thousands, sometimes hundreds of thousands) to learn to distinguish between different kinds of programs.
Clarifying the behavior of mandatory ASLR
https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/ [blogs.technet.microsoft.com]
2017-11-24 22:32
tags:
defense
random
security
systems
windows
In this blog post, we will explain the configuration issue that CERT/CC encountered and describe work arounds to enable the desired behavior. In short, ASLR is working as intended and the configuration issue described by CERT/CC only affects applications where the EXE does not already opt-in to ASLR. The configuration issue is not a vulnerability, does not create additional risk, and does not weaken the existing security posture of applications.
Seems just a tad complicated.
Chasing Adversaries with Autoruns – evading techniques and countermeasures
https://blogs.technet.microsoft.com/motiba/2017/11/04/chasing-adversaries-with-autoruns-evading-techniques-and-countermeasures/ [blogs.technet.microsoft.com]
2017-11-08 04:01
tags:
admin
malware
security
swtools
windows
Sysinternals Autoruns is a great utility for defenders to discover and disable malware and adversaries’ persistence points. There are similar programs, but as the author of Autoruns says: “(Autoruns) has the most comprehensive knowledge of auto-starting locations ”, therefore the focus here is on Autoruns.
In the last few weeks, a couple of security researchers (Kyle - @KyleHanslovan, Chris - @ChrisBisnett, HASHEREZADE - @hasherezade) have discovered that it's possible to evade Autoruns when using it with its default configuration. Always remember that determined attackers will work actively on hiding their activities within your network.
source: grugq
Making Microsoft Edge the most secure browser with Windows Defender Application Guard
https://blogs.technet.microsoft.com/mmpc/2017/10/23/making-microsoft-edge-the-most-secure-browser-with-windows-defender-application-guard/ [blogs.technet.microsoft.com]
2017-10-24 15:34
tags:
browser
defense
malware
security
update
virtualization
windows
Browser security beyond sandboxing
https://blogs.technet.microsoft.com/mmpc/2017/10/18/browser-security-beyond-sandboxing/ [blogs.technet.microsoft.com]
2017-10-19 16:19
tags:
browser
cpu
exploit
javascript
jit
security
For this project, we set out to examine Google’s Chrome web browser, whose security strategy shows a strong focus on sandboxing. We wanted to see how Chrome held up against a single RCE vulnerability, and try to answer: is having a strong sandboxing model sufficient to make a browser secure?
Exploiting V8 and the consequences.
The Inside Story Behind MS08-067
https://blogs.technet.microsoft.com/johnla/2015/09/26/the-inside-story-behind-ms08-067/ [blogs.technet.microsoft.com]
2017-10-07 03:05
tags:
development
exploit
investigation
networking
security
windows
By September 2008 we had built a system that screened millions of crashes for security exploits. Along the way I felt like I joined the world’s smallest profession—that of an exploit failure engineer.
We explained the basic facts. We had a vulnerability that could be exploited remotely, anonymously, and that affected all versions of Windows. It was wormable and someone was already exploiting it. When you say the word ‘wormable’ to a crisis manager, it activates some latent response DNA.
The Conficker vulnerability.
Eternal Synergy Exploit Analysis
https://blogs.technet.microsoft.com/srd/2017/07/13/eternal-synergy-exploit-analysis/ [blogs.technet.microsoft.com]
2017-07-15 18:22
tags:
exploit
networking
security
windows
This post has four main parts. We will deep-dive into the vulnerability, followed by a discussion of how the vulnerability was weaponized to create Read/Write/eXecute primitives that are used as building blocks throughout the exploit. We will then next walk through the execution of EternalSynergy and see how these primitives were used to deliver a full exploit. Finally, we will briefly discuss the effect of recent mitigations on the presented exploit techniques.
source: grugq
Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/ [blogs.technet.microsoft.com]
2017-03-28 20:01
tags:
defense
exploit
programming
security
systems
windows
In this article, we walk through the technical details of the exploit and assess the performance of tactical mitigations in Windows 10 Anniversary Update—released in August, 2016—as well as strategic mitigations like Supervisor Mode Execution Prevention (SMEP) and virtualization-based security (VBS).
The in-the-wild exploit carefully avoided Win 10 in favor of 7 and 8.
Hardening Windows 10 with zero-day exploit mitigations
https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/ [blogs.technet.microsoft.com]
2017-01-16 04:25
tags:
cpu
defense
programming
security
systems
windows
In this blog, we look at two recent kernel-level zero-day exploits used by multiple activity groups. These kernel-level exploits, based on CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privileges. Microsoft has promptly fixed the mentioned vulnerabilities in November 2016. However, we are testing the exploits against mitigation techniques delivered in August 2016 with Windows 10 Anniversary Update, hoping to see how these techniques might fare against future zero-day exploits with similar characteristics.
Moving Beyond EMET
https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/ [blogs.technet.microsoft.com]
2016-11-03 20:23
tags:
defense
security
systems
windows