In case you ever wanted another excuse to reboot your Windows machine…
This is a pretty weird story, if for no other reason than that the mechanism by which the corruption is reported (or actually occurs) is not understood as of the time the article was written.
Essentially, you can enter the command cd c:\:$i30:$bitmap and Windows will immediately begin prompting the user to restart the machine so that an offline chkdsk can be run to repair filesystem damage. Of course, as you can see from the command itself, all that is being done is changing the current working directory.
Apparently all that is required is any user-mode access to the NTFS attribute, so a shortcut file, an HTML document that attempts to load a resource from the attribute, and so on, will trigger it.
While the article calls it ‘serious’ several times, I’m a bit skeptical on that front. However, it does seem like a great way to force a reboot that, while scary-looking, doesn’t seem to have any lasting/meaningful impact.
Only when you have scraped the bottom of the barrel of witty Infosec technique names do you find ‘herpaderping’
“Process Herpaderping” is a recent technique first surfaced by @jxy__s that confuses certain security products by modifying a payload file on disk after instantiation but before the thread of execution has begun. The mismatch between what is running in memory and what is represented on disk can ‘short’ the business logic of an AV program, in some cases causing it to call a malicious payload benign because the on-disk version has been ‘cleaned’ of bad signatures.
As far as I know, several EDRs already have detections in place for this technique, but the point of the article is that Defender does not yet seem to. The article describes how to use Sysmon as well as PSGumshoe to look for the events that are generated when this technique is executed.
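As an added illustration (not code from the linked article, Sysmon or PSGumshoe), here is a small Python detector run over constructed, Sysmon-shaped records: it flags an image file that the parent overwrites shortly after the child process is created, and an image whose current on-disk hash no longer matches the hash recorded at process creation. The event shapes, GUIDs, paths, hashes and the 5-second window are all constructed assumptions.

```python
"""Toy detector for the disk/memory mismatch that process herpaderping leaves behind.

Assumed, Sysmon-shaped records (constructed, not real logs):
  id 1  = process creation: Image, Hashes, ProcessGuid, ParentProcessGuid
  id 11 = file create/overwrite: TargetFilename, ProcessGuid of the writer
"""
from datetime import datetime, timedelta

# Constructed sample events in chronological order.
EVENTS = [
    {"time": "2021-01-15T10:00:00", "id": 1, "guid": "{A}", "parent_guid": "{P}",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "hash": "SHA256=1111"},
    # The parent rewrites the child's image one second after creating the child.
    {"time": "2021-01-15T10:00:01", "id": 11, "guid": "{P}",
     "target": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Benign control: notepad launched normally, image untouched.
    {"time": "2021-01-15T10:05:00", "id": 1, "guid": "{B}", "parent_guid": "{Q}",
     "image": r"C:\Windows\System32\notepad.exe", "hash": "SHA256=2222"},
]

# Hashes a responder recomputes from the files currently on disk (constructed).
ON_DISK_NOW = {
    r"C:\Users\alice\AppData\Local\Temp\update.exe": "SHA256=9999",
    r"C:\Windows\System32\notepad.exe": "SHA256=2222",
}

WINDOW = timedelta(seconds=5)  # assumed: overwrite must follow creation closely

def find_herpaderping(events, on_disk_now, window=WINDOW):
    """Return (process guid, reason) pairs for processes that look herpaderped."""
    findings = []
    creates = [e for e in events if e["id"] == 1]
    writes = [e for e in events if e["id"] == 11]
    for c in creates:
        t0 = datetime.fromisoformat(c["time"])
        for w in writes:
            tw = datetime.fromisoformat(w["time"])
            same_file = w["target"].lower() == c["image"].lower()
            by_parent = w["guid"] == c["parent_guid"]
            if same_file and by_parent and t0 <= tw <= t0 + window:
                findings.append((c["guid"], "image rewritten by parent after process creation"))
        # Independent check: what is on disk now versus what Sysmon hashed at creation.
        current = on_disk_now.get(c["image"])
        if current is not None and current != c["hash"]:
            findings.append((c["guid"], "on-disk hash differs from hash recorded at creation"))
    return findings

if __name__ == "__main__":
    for guid, reason in find_herpaderping(EVENTS, ON_DISK_NOW):
        print(guid, reason)
```

Real telemetry would need the same correlation keyed on the actual Sysmon field names, and the hash comparison is the part that survives even when the overwrite itself is not logged.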
An oldie but a goodie
This article is a great step-by-step weaponization of a known issue. It is often a goal in the “low-privilege” portion of an engagement to obtain some NTLM hashes or credentials so that meaningful lateral movement can begin. There are several programs that use network traffic to try to capture hashes, but most of them have restrictions that can make them useless if you don’t have administrative rights yet.
Getting around that isn’t impossible, though. The ‘Internal Monologue’ attack popularized by Elad Shamir is one way of getting the hash you need without communicating with the network at all (hence the name) and without any extra privileges. The linked article, though, describes the interaction between internet/intranet zones, HTTP authentication methods and sent emails that causes hashes to be captured. All of these individual pieces are well known, but NCC Group (as usual) does a great job of weaving the attack together and showing why it works at each step of the way. Highly recommended.