NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform WFP to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering,...

North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

This blog was authored by Ankur Saini and Hossein Jazi Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team...

Microsoft Windows - nt!NtQueryInformationProcess (ProcessImageFileName) Kernel 64-bit PoolStack Memory Disclosure

Microsoft Windows - nt!NtQueryInformationProcess ProcessImageFileName Kernel 64-bit PoolStack Memory Disclosure / We have discovered that the nt!NtQueryInformationProcess system call invoked with the ProcessImageFileName 0x1B information class discloses uninitialized kernel memory to user-mode...

Microsoft Windows - nt!NtQueryInformationProcess (information class 76_ QueryProcessEnergyValues) Kernel Stack Memory Disclosure

Microsoft Windows - nt!NtQueryInformationProcess information class 76 QueryProcessEnergyValues Kernel Stack Memory Disclosure / We have discovered that the nt!NtQueryInformationProcess system call invoked with the 76 information class discloses portions of uninitialized kernel stack memory to...

Microsoft Windows - nt!NtQueryInformationProcess (information class 76, QueryProcessEnergyValues) Ke

Exploit for windows platform in category dos / poc / We have discovered that the nt!NtQueryInformationProcess system call invoked with the 76 information class discloses portions of uninitialized kernel stack memory to user-mode clients. The specific information class is handled by an internal...

Makin - Reveal Anti-Debugging Tricks

makin is to make initial malware assessment little bit easier, It helps to reveal a debugger detection techniques used by a sample. Supports x64 and x86 How does it work? makin opens a sample as a debuggee and injects asho.dll, asho.dll hooks several functions at ntdll.dll library and after...

Windows Kernel stack memory disclosure in nt!NtQueryInformationProcess(CVE-2017-8476)

We have discovered that the nt!NtQueryInformationProcess system call called with the ProcessVmCounters information class discloses portions of uninitialized kernel stack memory to user-mode clients, due to output structure alignment holes. On our test Windows 10 32-bit workstation, an example...

Microsoft Windows - 'nt!NtQueryInformationProcess (ProcessVmCounters)' Kernel Stack Memory Disclosure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1190&desc=2 We have discovered that the nt!NtQueryInformationProcess system call called with the ProcessVmCounters information class discloses portions of uninitialized kernel stack memory to user-mode clients, due to output...