Tech

Hack Microsoft by using Microsoft signed binaries


Tech 3 (801B) October 18, 2016 3:55 pm - 4:55 pm Feedback   

Bookmark and Share

Pierre-Alexandre Braeken

PowerMemory is a PowerShell post-exploitation tool. It uses Microsoft binaries and as such is able to execute on a machine, even after the Device Guard Policies have been set. In the same way, it will bypass antivirus detection.
PowerMemory can retrieve credentials information and manipulate memory. It can execute shellcode and modify process in memory (in userland and kernel land as a rootkit). PowerMemory will access everywhere in user-land and kernel-land by using the trusted Microsoft debugger aka cdb.exe which is digitally signed.