Honestly, when somebody said recently "hey, did you know that Windows 10 was released…" I thought he was joking. It was released, the guy was not joking, and I suddenly wondered whether I had somehow jumped ahead in time. Wake me up when there is Windows 1000, or Windows 1k…. hey, there was Windows 2000 …. uuuh. Let's just call it WinX for now (how about a Greek WinI mutation? :) )
The only test I have done so far was running the custom Meterpreter loader from here: Customizing custom Meterpreter loader
We get a successful reverse shell and can do a whole bunch of things with the Meterpreter session (sniffing, migrating, killing processes, etc.), thus bypassing the built-in Windows Defender. The interesting thing is this:
meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch    Session     User                          Path
 ---   ----  ----                    ----    -------     ----                          ----
 0     0     [System Process]                4294967295
 4     0     System                  x86_64  0
 228   4     smss.exe                x86_64  0
 264   496   svchost.exe             x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 312   304   csrss.exe               x86_64  0
 380   372   csrss.exe               x86_64  1
 392   304   wininit.exe             x86_64  0
 424   372   winlogon.exe            x86_64  1           NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 496   392   services.exe            x86_64  0
 504   392   lsass.exe               x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 572   496   svchost.exe             x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 616   496   svchost.exe             x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 660   496   spoolsv.exe             x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 712   424   dwm.exe                 x86_64  1           Window Manager\DWM-1          C:\Windows\System32\dwm.exe
 780   496   svchost.exe             x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 828   496   svchost.exe             x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 844   496   svchost.exe             x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 876   496   svchost.exe             x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 920   496   svchost.exe             x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1028  780   WMIADAP.exe             x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WMIADAP.exe
 1348  2968  SearchFilterHost.exe    x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchFilterHost.exe
 1376  496   MsMpEng.exe             x86_64  0
 1600  496   svchost.exe             x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1740  844   dasHost.exe             x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\dasHost.exe
 1920  496   svchost.exe             x86_64  0           NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 2240  572   WmiPrvSE.exe            x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiPrvSE.exe
 2312  572   dllhost.exe             x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\dllhost.exe
 2428  2544  payload.exe             x86     1           WIN-MH5TUAFR3AP\user          C:\Users\user\Desktop\payload.exe
 2452  2968  SearchProtocolHost.exe  x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchProtocolHost.exe
 2524  780   taskhostex.exe          x86_64  1           WIN-MH5TUAFR3AP\user          C:\Windows\System32\taskhostex.exe
 2544  2500  explorer.exe            x86_64  1           WIN-MH5TUAFR3AP\user          C:\Windows\explorer.exe
 2968  496   SearchIndexer.exe       x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\SearchIndexer.exe

meterpreter >
There are some processes that are inaccessible even with NT AUTHORITY\SYSTEM rights. Notice that ps could not even read their User or Path columns (the same blanks appear for smss.exe, services.exe and MsMpEng.exe in the listing above):
 312   304   csrss.exe               x86_64  0
 380   372   csrss.exe               x86_64  1
 392   304   wininit.exe             x86_64  0
We cannot migrate into these processes, so I guess they are separated from userland at the kernel level.
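A small triage script, added here as an example and not part of the original post or of Metasploit itself: it parses a Meterpreter ps listing like the one above (a constructed excerpt of it is embedded) and pulls out the rows where User and Path are blank, which is exactly the set the agent could not open with query rights, and therefore the set to expect migration failures for. It also lists the processes in the same session and under the same user as the payload, which are the cheap migration targets. The regular expression, the Proc record and the two helper names are this example's own; on Windows 8.1 and later the blank rows in this listing (smss.exe, csrss.exe, wininit.exe, services.exe, MsMpEng.exe) are processes the OS runs as Protected Process Light, which is a user-mode protection enforced by the kernel rather than a separate kernel-side process, and that is worth checking on the target before spending time on migration attempts.

```python
"""Triage a Meterpreter `ps` listing: which processes could not be queried?

Added example (not code from the original post or from Metasploit). Rows
with an empty User/Path are ones the agent could not open for query, and
they line up with the processes migration fails into.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the `ps` output shown in the post (same layout).
SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name                    Arch    Session     User                          Path
 ---   ----  ----                    ----    -------     ----                          ----
 0     0     [System Process]                4294967295
 4     0     System                  x86_64  0
 228   4     smss.exe                x86_64  0
 264   496   svchost.exe             x86_64  0           NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 312   304   csrss.exe               x86_64  0
 380   372   csrss.exe               x86_64  1
 392   304   wininit.exe             x86_64  0
 424   372   winlogon.exe            x86_64  1           NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 496   392   services.exe            x86_64  0
 504   392   lsass.exe               x86_64  0           NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 712   424   dwm.exe                 x86_64  1           Window Manager\DWM-1          C:\Windows\System32\dwm.exe
 1376  496   MsMpEng.exe             x86_64  0
 2428  2544  payload.exe             x86     1           WIN-MH5TUAFR3AP\user          C:\Users\user\Desktop\payload.exe
 2544  2500  explorer.exe            x86_64  1           WIN-MH5TUAFR3AP\user          C:\Windows\explorer.exe

meterpreter >
"""

# One process row. Name may contain spaces ("[System Process]"), Arch may be
# absent (the idle process), and User/Path are absent when the open failed.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S.*?)"
    r"(?:\s+(?P<arch>x86_64|x64|x86))?\s+(?P<session>\d+)"
    r"(?:\s+(?P<rest>\S.*?))?\s*$"
)
# A Windows path starts with a drive letter; user names never contain ':'.
PATH_RE = re.compile(r"[A-Za-z]:\\")

KERNEL_PIDS = {0, 4}  # Idle and System are kernel-owned, never migration targets


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    arch: Optional[str]
    session: int
    user: Optional[str]
    path: Optional[str]


def split_user_path(rest: str):
    """Split the free-form tail of a row into (user, path); either may be None."""
    rest = rest.strip()
    if not rest:
        return None, None
    m = PATH_RE.search(rest)
    if not m:
        return rest, None  # user known, path unreadable
    user = rest[: m.start()].strip() or None
    return user, rest[m.start():].strip()


def parse_ps(text: str) -> List[Proc]:
    """Parse every process row of a Meterpreter `ps` listing; skip banner/header."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        user, path = split_user_path(m.group("rest") or "")
        procs.append(Proc(int(m.group("pid")), int(m.group("ppid")), m.group("name"),
                          m.group("arch"), int(m.group("session")), user, path))
    return procs


def unqueryable(procs: List[Proc]) -> List[Proc]:
    """Processes the agent could not open for query (blank User and Path)."""
    return [p for p in procs if p.user is None and p.pid not in KERNEL_PIDS]


def migration_candidates(procs: List[Proc], source_pid: int) -> List[Proc]:
    """Processes in the same session and under the same user as the payload."""
    src = next(p for p in procs if p.pid == source_pid)
    return [p for p in procs
            if p.pid != src.pid and p.session == src.session and p.user == src.user]


if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    print("Could not be queried (expect migrate to fail):")
    for p in unqueryable(table):
        print(f"  {p.pid:>5}  {p.name}")
    print("Same-session, same-user migration candidates for payload.exe:")
    for p in migration_candidates(table, 2428):
        print(f"  {p.pid:>5}  {p.name}  {p.path}")
```

Run it against a real listing by pasting the ps output into SAMPLE_PS (or reading it from a file): anything it reports as unqueryable is a process to verify with a protection-level check on the target rather than a blind migrate.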
Here is a video demonstration of the above.