Kernel Cactus

Combat in the kernel space - It's Pointy and it HURTS!
Spiky Sabra
Itamar Medyoni
Matan Haim Guez
At this point, you have clicked our link (thank you for that) and you have probably seen a tweet or two.
We believe it is about time that we tell you what it's all about.
In the past few months, we have decided to visit one of the industry's hottest topics from our own perspective: Bring Your Own Vulnerable Driver (a.k.a. BYOVD).
Unlike maliciously written drivers or rootkits, vulnerable drivers are legitimate drivers with discovered flaws that allow a user to perform actions in kernel memory from user mode (mostly).
This slight difference causes the security industry problems with detecting and remediating a large set of malicious activities; more on why later.
In the past year or two, we have been able to observe popular projects on GitHub and some blogs that cover this subject, most notably CheekyBlinder and EDRSandBlast, which both focus on removing kernel callbacks and “blinding” endpoint protection services. Recently we have also learned about cyber-attacks carried out by the infamous Lazarus and BlackByte groups, which have also utilized these very techniques in order to modify kernel variables and disable security products.
As much as our respect for the authors of these repositories is truly endless, as they show true passion and understanding both in their code and detailed documentation, we believed that the well of oil those authors tapped into has a lot more to offer.
We took it upon ourselves to find, explain, share, and provide mitigation for a larger set of attacks, which will show the truly destructive potential of BYOVD, aside from removing kernel callbacks and “blinding” products.
Unlike the other repositories mentioned, we have taken the ability to read and write kernel memory to the next level, creating helper functions to “navigate” the kernel from user mode.
In this article and our GitHub repository, we would like to provide the industry with another good taste of what we like to call Kernel Cactus.
Our project, including code and article, will provide you with the following:
  • A better understanding of why BYOVD is such an issue and why it hasn’t been resolved.
  • How attackers take advantage of BYOVD and use knowledge of different kernel structures to navigate the bits and bytes that make our Windows OS what it is.
  • A freshly written set of POCs:
    1. Handle Elevation (unlimited potential in the wrong hands).
    2. Token Stealing (including domain tokens).
    3. Thread Hijacking (in a new form) in combination with Handle Elevation.
    4. Thread Injection in combination with Handle Elevation.
    5. Destroying a Watchdog Service.
    6. Process termination in combination with Handle Elevation.
    7. File Deletion in combination with Handle Elevation.
    8. PPL Toggling.
    9. ETW Bypass.
  • A set of three different mitigations:
    1. For EDR in kernel mode.
    2. For EDR in user mode.
    3. For the organization (quick, dirty and FREE).
    4. Built-in features in Windows provided by Microsoft.