dmcxblue / sharpblackout
Terminate AV/EDR leveraging BYOVD attack
Have you tried with Sentinel or CrowdStrike?
Hello, thanks for your tool and your research.
I'm currently unable to perform the technique explained in my own lab.
Machine: Updated Windows 10
User: Administrator
Beacon: Administrator level
Antivirus: Disabled for the test
From the command-line perspective:
c:\Users\admin\Desktop>SharpBlackOut.exe -p 2416
Loading Blackout.sys driver...
Unhandled Exception: System.InvalidOperationException: Service SharpBlackout was not found on computer '.'. ---> System.ComponentModel.Win32Exception: The specified service does not exist as an installed service
--- End of inner exception stack trace ---
at System.ServiceProcess.ServiceController.GenerateNames()
at System.ServiceProcess.ServiceController.get_ServiceName()
at System.ServiceProcess.ServiceController.GenerateStatus()
at System.ServiceProcess.ServiceController.get_Status()
at Program.LoadDriver(String driverPath)
at Program.Main(String[] args)
From the Cobalt Strike Beacon perspective:
[10/19 08:30:54] beacon> execute-assembly /mnt/private/Def-Evasion/SharpBlackout/SharpBlackOut/bin/Release/SharpBlackOut.exe -p 2416
[10/19 08:30:54] [*] Tasked beacon to run .NET program: SharpBlackOut.exe -p 2416
[10/19 08:31:10] [+] host called home, sent: 116938 bytes
[10/19 08:31:11] [+] received output:
Loading Blackout.sys driver...
[-] Invoke_3 on EntryPoint failed.
[10/19 08:52:25] beacon> getprivs
[10/19 08:52:25] [*] Tasked beacon to enable privileges
[10/19 08:52:34] [+] host called home, sent: 755 bytes
[10/19 08:52:34] [+] received output:
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
[10/19 08:52:40] beacon> shell whoami /priv
[10/19 08:52:40] [*] Tasked beacon to run: whoami /priv
[10/19 08:53:04] [+] host called home, sent: 43 bytes
[10/19 08:53:04] [+] received output:
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
Any insight would be helpful.