In case you wonder what broke #ProcessHollowing on Windows 11 24H2, I have something for you: https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/
Process Hollowing on Windows 11 24H2

Process Hollowing (a.k.a. RunPE) is probably the oldest and the most popular process impersonation technique (it allows running a malicious executable under the cover of a benign process). It is us…

hasherezade's 1001 nights

I really enjoy reading white papers in the morning when I have time. I just finished up this brief one written earlier in the year about bypassing PPLs in Windows:

https://papers.vx-underground.org/papers/Malware%20Defense/AV%20Tech/Elastic%20Security%20-%20Sandboxing%20Antimalware%20Products.pdf

PROCESS_QUERY_LIMITED_INFORMATION is capable of successfully opening tokens and reading them, which can then give visibility into what permissions are needed to access and hollow out a service. There is nothing new here, it seems, but it is still very interesting IMO. Elastic Security's implementation of a fix seems to be good: it denies TOKEN_WRITE for certain trust labels.

#blueteam #windows #exploit #token #malware #services #processhollowing #vxunderground