Detailed usage guide #23
CrowdStrike moved from user mode hooking to kernel callbacks, which means
that they gather their information from the kernel instead of from user mode
like they used to. User mode unhooking is not working against CS anymore.
On Wed, Jan 18, 2023 at 3:33 AM ll3N1GmAll wrote:
Thank you for putting this together! I have been trying to get this to
work; but am not having success. I'm using crowdstrike in my test
environment and have compiled the cs unhooking C code into an EXE. Running
it does not appear to unhook cs and allow post ex activities (like
mimikatz) after the unhooking code is executed. Am I missing something? Is
there a detailed usage guide for how to make use of this? Thanks to any who
are able to provide some pointers!
--
Mr.Un1k0d3r
Thanks for clarifying. Was I doing everything correctly though? Are there any methods of unhooking or bypassing CS in its current configuration?
Yes, there are some ways. If you use Cobalt Strike, I recommend a custom Sleep
Mask and using BOFs only (no process injection). You can also inject into a
remote process using different techniques such as:
https://github.com/connormcgarr/cThreadHijack
Hopefully this helps a bit.
On Wed, Jan 18, 2023 at 2:26 PM ll3N1GmAll wrote:
Thanks for clarifying. Was I doing everything correctly though? Are there
any methods of unhooking or bypassing CS in its current configuration?
--
Mr.Un1k0d3r
Thanks!