Sealighter-TI

Combining Sealighter with unpatched exploits and PPLDump to run the Microsoft-Windows-Threat-Intelligence ETW Provider without a signed driver.

Overview

The Problem - PPL and Anti-Malware

The Microsoft-Windows-Threat-Intelligence ETW Provider is an excellent tool for detecting process injection and other types of attack. Unlike usermode hooking or in-process ETW Providers, the Threat-Intelligence Provider is very difficult to avoid or tamper with.

However, subscribing to this Provider requires a process with very special privileges: it must be marked as Protected Process Light (PPL) 'Anti-Malware' or higher. To legitimately run a program at this level you must submit a driver to Microsoft to be co-signed by them, something not everyone has the inclination or reputation to do.

I originally created a research project named PPLRunner that lets you create a PPL process in a test environment; however, it requires Windows to be put into a debug or 'test signing' mode. In theory this could also alter the behaviour of the malware or program you are attempting to analyse, which may behave differently if it believes it is not on a 'real' machine.

The Solution - Exploit to success

Back in 2018 Alex Ionescu and James Forshaw presented a series of talks, as well as some blogs, covering many ways you could trick Windows into illegitimately running arbitrary code at the PPL level. A number of these techniques remain unpatched to this day.

In 2021 Clément Labro created the project PPLDump, which uses one of the unpatched techniques Alex and James covered to trick the PPL-elevated services.exe into loading an arbitrary DLL.

The Glue - SealighterTI

PPLDump uses its elevated access to dump the memory of lsass.exe. I've taken Clément's awesome code and instead combined it with my ETW logging tool Sealighter, so you can log events from the Microsoft-Windows-Threat-Intelligence Provider to the Windows Event Log. This works on a 'production' machine, without a signed driver and without putting the machine into 'test signing' mode.

To Build

To use pre-built binaries, download the SealighterTI.exe and sealigher_provider.man from The Releases Page.

To build manually, first check out the source code (make sure to use --recursive):

git clone --recursive https://github.com/pathtofile/SealighterTI.git

Then build SealighterTI.sln.

In most circumstances only the 'Release' build will actually inject successfully, so build and use that in 99% of cases.

To Run

First, open sealigher_provider.man in a text editor and replace every occurrence of !!SEALIGHTER_LOCATION!! with the full path to the SealighterTI.exe binary. Then, from an elevated command prompt, run:

wevtutil im path/to/sealigher_provider.man

Then just run SealighterTI.exe. For the first run, I recommend running with the debug flag:

SealighterTI.exe -d

For the first run I also recommend having a copy of Sysinternals DebugView open with the "Capture Global Win32" option set, so you can see the debug logs from the DLL/PPL process as well. If run correctly it should look like this: [image: Code Running]

Once it gets to "press ctrl+c to stop", open Event Viewer and you should see events under 'Application and Service Logs/Sealighter/Operational': [image: Event Log]

To stop the trace, press 'ctrl+c' in the SealighterTI.exe window.
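The manifest preparation and registration described above, scripted so the placeholder substitution and the channel check are not done by hand. This is an added example, not code from the SealighterTI project; the install directory and the channel name 'Sealighter/Operational' (taken from the Event Viewer path above) are assumptions.

```powershell
# Added example (not part of SealighterTI). Run from an elevated PowerShell prompt.
# Assumption: SealighterTI.exe and sealigher_provider.man live in C:\Tools\SealighterTI.
$binDir   = 'C:\Tools\SealighterTI'
$exePath  = Join-Path $binDir 'SealighterTI.exe'
$manifest = Join-Path $binDir 'sealigher_provider.man'

if (-not (Test-Path $exePath)) { throw "SealighterTI.exe not found at $exePath" }

# Replace every !!SEALIGHTER_LOCATION!! with the full binary path.
# Keep a backup of the untouched manifest so the step can be redone if the exe moves.
Copy-Item $manifest "$manifest.bak" -Force
$xml = [System.IO.File]::ReadAllText($manifest)
if ($xml -notmatch '!!SEALIGHTER_LOCATION!!') {
    Write-Warning 'Placeholder not found; manifest may already have been edited.'
}
$xml = $xml.Replace('!!SEALIGHTER_LOCATION!!', $exePath)
# Write UTF-8 without BOM, which wevtutil accepts for manifests.
[System.IO.File]::WriteAllText($manifest, $xml, (New-Object System.Text.UTF8Encoding($false)))

# Register the manifest; wevtutil returns a non-zero exit code on failure.
wevtutil im $manifest
if ($LASTEXITCODE -ne 0) { throw "wevtutil im failed with exit code $LASTEXITCODE" }

# Confirm the channel exists and is enabled before starting the trace.
# Assumption: the channel is named 'Sealighter/Operational'.
Get-WinEvent -ListLog 'Sealighter/Operational' | Format-List LogName, IsEnabled, RecordCount

# Once SealighterTI.exe -d reports "press ctrl+c to stop", the newest events can be read with:
#   Get-WinEvent -LogName 'Sealighter/Operational' -MaxEvents 10 | Select-Object TimeCreated, Id, Message
# To remove the provider again after testing:
#   wevtutil um $manifest
```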

Technical Details

See this blog for the technical details about how everything works.

The code has lots of 'PPLDump' files and functions?

Yep, I chose to fork PPLDump and alter only the parts I needed to get the ETW trace working. This both makes clear that the exploit parts of the code are courtesy of Clément Labro, and makes it easy to pull any bug fixes into Sealighter-TI if PPLDump gets updated.

Compatibility

This has only been tested on Windows 10 x64.

Acknowledgements

All of the work to run arbitrary code as PPL is the work of Clément Labro and their PPLDump project. I simply worked on gluing the ETW logging to the end of it.

The Research from Alex Ionescu and James Forshaw is instrumental in making this project possible.

Filip Olszak has written a great blog about the usefulness of the Threat-Intelligence ETW Provider.

Further Reading/Links

Issues
  • Can't see or consume SealighterTI logs on event Viewer

    Hi @pathtofile, I followed all the steps, but I failed to see or access the logs in Event Viewer, as you can see in the pictures below.

    Please, can you tell me why? I even tried to rebuild the SealighterTI exe and I am still facing the same problem!!

    opened by HackBalak 3
  • Fix submodule for krabsetw

    Looks like the submodule Sealighter contains a submodule for krabsetw, but it is set to the git URI, causing permission issues. Perhaps use the http URI instead. Thank you

    opened by blaquee 1