About Aquatanto
Aquatanto is a kernel memory modification beacon object file (BOF) that leverages a vulnerable signed kernel driver to selectively read and write kernel memory. Aquatanto always loads a second, parallel NTDLL.DLL image and issues its calls through it, so that user-mode hooks placed by defensive solutions do not observe its activity.
Aquatanto is compiled in the CobaltStrikeKits repo. Using it requires three files on the tester's Cobalt Strike or Nighthawk client system: "Aquatanto.cna", "Aquatanto.obj", and the vulnerable driver "RTCore64.sys".
If you wish to examine the source code, the repository is available here: Upayan Saha / AQUATANTO · GitLab (nopsled.me)
Aquatanto can only be used after the tester has first escalated local privileges, uploaded the vulnerable driver (currently named RTCore64.sys) to the %SYSTEMDRIVE%\Windows\System32\Drivers directory, and loaded the driver.
A recorded demo of using the tool is available here: https://s1hb.sharepoint.com/sites/Testers/Shared Documents/General/Aquatanto Demo.mp4
Suggested Report Text
After escalating privileges, BHIS was able to upload a vulnerable kernel driver to the %SYSTEMDRIVE%\Windows\System32\Drivers directory. The vulnerable driver provided an attack path for custom tooling to modify kernel memory.
Using this access, the tester was able to disable LSASS process protection and event tracing, and to selectively suppress the kernel notification callbacks used by defensive products. Suppressed callbacks included process creation, thread creation, image load, registry operation, and object creation notifications. After completing these activities, the tester unloaded the driver and deleted the driver file.
Because kernel memory has been tampered with on {{Target}}, BHIS strongly recommends that {{Target}} be rebooted at the conclusion of testing activities.
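The two host-observable steps described above, the driver being loaded and the driver file being deleted afterwards, can be picked out of Sysmon DriverLoad (Event ID 6) and FileDelete (Event ID 23/26) records. The following detector is an added defensive example, not part of Aquatanto or of this page's tooling; the sample events are constructed, and the 24-hour load-to-delete window is an assumed threshold.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver file names to watch for. Only the name this page documents is
# listed; in production, populate this from a maintained vulnerable-driver list.
VULNERABLE_DRIVER_NAMES = {"rtcore64.sys"}


def _basename(path):
    return PureWindowsPath(path).name.lower()


def parse_utc(s):
    # Sysmon UtcTime format, e.g. "2024-03-01 10:00:00.000"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect(events, delete_window=timedelta(hours=24)):
    """Scan Sysmon events (dicts with EventID, UtcTime and the event's data
    fields) and return (rule, driver_path, utc_time) findings for:
      - a watch-listed driver being loaded (Event ID 6, ImageLoaded)
      - a driver image deleted (Event ID 23/26, TargetFilename) within
        delete_window of having been loaded (assumed 24h threshold)"""
    findings = []
    load_times = {}  # lowercase driver path -> time it was loaded
    for ev in sorted(events, key=lambda e: parse_utc(e["UtcTime"])):
        when = parse_utc(ev["UtcTime"])
        if ev["EventID"] == 6:
            path = ev["ImageLoaded"]
            load_times[path.lower()] = when
            if _basename(path) in VULNERABLE_DRIVER_NAMES:
                findings.append(("known_vulnerable_driver_loaded", path, ev["UtcTime"]))
        elif ev["EventID"] in (23, 26):
            path = ev["TargetFilename"]
            loaded_at = load_times.get(path.lower())
            if loaded_at is not None and when - loaded_at <= delete_window:
                findings.append(("driver_deleted_after_load", path, ev["UtcTime"]))
    return findings


# Constructed sample events; not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-03-01 09:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 6, "UtcTime": "2024-03-01 10:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\RTCore64.sys"},
    {"EventID": 23, "UtcTime": "2024-03-01 10:30:00.000",
     "TargetFilename": r"C:\Windows\System32\drivers\RTCore64.sys"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one finding for the watch-listed load and one for the deletion 30 minutes later; the benign tcpip.sys load produces nothing.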
More Details
Aquatanto has two global features and five features that apply per defensive-solution driver.
The global features allow the operator to:
- Disable Protected Process Light (PPL) protection on any process. By default the target is the discovered LSASS.EXE process; a PID can also be specified.
- Disable Windows Event Tracing globally.
For each defensive-solution driver, the BOF allows the operator to:
- Disable the process creation kernel notification callbacks.
- Disable the thread creation kernel notification callbacks.
- Disable the image load kernel notification callbacks.
- Disable the registry operations kernel notification callbacks.
- Disable the Windows object manager kernel notification callbacks.
Defensive-solution drivers are identified by a hash of the starting address of the specific driver. At present, the following defensive products can be tampered with:
- CrowdStrike
- Windows Defender
- Windows Defender ATP
- Sysmon
Other defensive solution drivers will be added over time.