Marcus Hutchins :verified: on Nostr: Here's a cool little Windows quirk that's useful for red teaming. You can use the ...
Here's a cool little Windows quirk that's useful for red teaming. You can use the HTTP.sys API to start a kernel-mode HTTP server which relays requests to your code via IOCTL. You don't even need admin privileges to do it!
Since the kernel handles all the socket operations for you, the listening port will show as belonging to the System process, as will the associated network traffic. Since all communication with HTTP.sys can be done via IOCTL, there's no need for sockets, pipes, or even any DLLs. All you need are syscalls.
Best part is, if you're administrator and the server is running an application like IIS or Exchange, you can bind to the same port and add your own custom endpoint (URL paths) to it. Normal requests will go to the original application, but requests to your custom endpoint are sent to your code instead.
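Because the listening socket and its traffic are attributed to the System process, a port-to-process listing (netstat, Get-NetTCPConnection) will not show who registered a URL prefix. The place that does show it is HTTP.sys's own request-queue state. The PowerShell below is an added example for defenders, not code from the original post: it parses the output of `netsh http show servicestate view=requestq`, maps each request queue's attached process IDs to process names, and flags any registered URL prefix whose owner is not in an allow-list. The output layout it expects ("Request queue name:", "Process IDs:" followed by one PID per line, "Registered URLs:" followed by one prefix per line) and the allow-list of expected owners are assumptions; tune both to the host.

```powershell
# Added example (not from the original post): enumerate HTTP.sys URL
# registrations per request queue and flag unexpected owning processes.
# Assumption: 'netsh http show servicestate view=requestq' prints, under each
# "Request queue name:" header, a "Process IDs:" block (one PID per line) and
# a "Registered URLs:" block (one URL prefix per line).

function Get-HttpSysRegistrations {
    $raw = netsh.exe http show servicestate view=requestq
    $entries = @()
    $current = $null
    $mode = ''
    foreach ($line in $raw) {
        $t = "$line".Trim()
        if ($t -match '^Request queue name:\s*(.*)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Queue = $Matches[1]; Urls = @(); Pids = @() }
            $mode = ''
            continue
        }
        if (-not $current) { continue }
        if ($t -match '^Registered URLs:') { $mode = 'urls'; continue }
        if ($t -match '^Process IDs:')     { $mode = 'pids'; continue }
        # Collect list items; the first line that is not an item ends the block.
        if ($mode -eq 'urls') {
            if ($t -match '^https?://') { $current.Urls += $t; continue } else { $mode = '' }
        }
        elseif ($mode -eq 'pids') {
            if ($t -match '^\d+$') { $current.Pids += [int]$t; continue } else { $mode = '' }
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Find-HttpSysOwners {
    # Constructed allow-list of processes that normally own HTTP.sys queues
    # (IIS worker, WinRM/other service hosts, legacy IIS). Adjust per host role.
    param([string[]]$ExpectedOwners = @('w3wp', 'svchost', 'inetinfo'))
    foreach ($e in Get-HttpSysRegistrations) {
        if ($e.Urls.Count -eq 0) { continue }
        # Edge case: a queue with URLs but no attached process still reserves
        # the prefix, so report it rather than silently skipping it.
        $owners = if ($e.Pids.Count -eq 0) { @($null) } else { $e.Pids }
        foreach ($procId in $owners) {
            $name = '<none attached>'
            if ($null -ne $procId) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
            }
            $expected = $ExpectedOwners -contains $name
            foreach ($u in $e.Urls) {
                [pscustomobject]@{
                    Queue    = $e.Queue
                    Pid      = $procId
                    Process  = $name
                    Url      = $u
                    Expected = $expected
                }
            }
        }
    }
}

# Usage: show only registrations whose owner is not an expected HTTP.sys consumer.
Find-HttpSysOwners | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Review the flagged rows by hand: a prefix registered under an IIS or Exchange port by a process that is not the expected worker, or a queue whose attached PID does not match the application that should own that port, is exactly the pattern the post describes. Pair this with `netsh http show urlacl` to see which URL reservations permit registration by non-administrators, since those reservations are what make the unprivileged case possible.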