dmcxblue / sharpblackout Goto Github PK
View Code? Open in Web Editor NEWTerminate AV/EDR leveraging BYOVD attack
sharpblackout's People
Contributors
Stargazers
Watchers
Forkers
freeide mohinparamasivam askyeye h1d3r jec00 gmh5225 ttsite tigr0w apkc gavz seahop ongyuann noorahsmith 5l1v3r1 brucebatman testitok jermainlaforce fengjixuchuisharpblackout's Issues
AV/EDR
have you try with Sentinel or CrowdStrike ?
Unable to reproduce the technique in own lab
Hello, thanks for your tool and your research,
I'm currently unable to perform the explained technique in my own lab.
Machine : Updated Windows 10
User : Administrator
Beacon : Administrator level
Antivirus : Disabled for the test
From the command line perspective
c:\Users\admin\Desktop>SharpBlackOut.exe -p 2416
Loading Blackout.sys driver...
Unhandled Exception: System.InvalidOperationException: Service SharpBlackout was not found on computer '.'. ---> System.ComponentModel.Win32Exception: The specified service does not exist as an installed service
--- End of inner exception stack trace ---
at System.ServiceProcess.ServiceController.GenerateNames()
at System.ServiceProcess.ServiceController.get_ServiceName()
at System.ServiceProcess.ServiceController.GenerateStatus()
at System.ServiceProcess.ServiceController.get_Status()
at Program.LoadDriver(String driverPath)
at Program.Main(String[] args)
From Cobalt Strike Beacon perspective
[10/19 08:30:54] beacon> execute-assembly /mnt/private/Def-Evasion/SharpBlackout/SharpBlackOut/bin/Release/SharpBlackOut.exe -p 2416
[10/19 08:30:54] [*] Tasked beacon to run .NET program: SharpBlackOut.exe -p 2416
[10/19 08:31:10] [+] host called home, sent: 116938 bytes
[10/19 08:31:11] [+] received output:
Loading Blackout.sys driver...
[-] Invoke_3 on EntryPoint failed.
[10/19 08:52:25] beacon> getprivs
[10/19 08:52:25] [*] Tasked beacon to enable privileges
[10/19 08:52:34] [+] host called home, sent: 755 bytes
[10/19 08:52:34] [+] received output:
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
[10/19 08:52:40] beacon> shell whoami /priv
[10/19 08:52:40] [*] Tasked beacon to run: whoami /priv
[10/19 08:53:04] [+] host called home, sent: 43 bytes
[10/19 08:53:04] [+] received output:
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
Any insight would be helpful.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.