T1574 Hijack Execution Flow Mappings

Memory integrity is a Virtualization-based security feature that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS (VBS uses Intel VT-x). Memory integrity also restricts kernel memory allocations that could be used to compromise the system. Memory integrity is sometimes referred to as hypervisor-protected code integrity (HVCI). VBS provides an isolated environment that acts as a root-of-trust for the OS and its core components. It is enabled by Intel VT-x, VT-x2 with Extended Page Tables, SMMUs (Intel VT-d) and Secure Boot (Intel Boot Guard). Memory Integrity protects against behaviors that involve exploitation of kernel components including core drivers in memory, changing security configurations and running untrusted code (based on signatures). "HVCI protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers. Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate." "Hypervisor-protected code integrity introduces a new rule that no kernel memory pages are both writeable and executable, which eliminates an entire category of attacks that dynamically generate code. Additionally, HVCI comes enabled with a code integrity security policy that blocks drivers known to be used in kernel tampering, including Mimikatz, the old vulnerable VBox driver, and the Capcom driver commonly used in rootkits. Ultimately, HVCI provides optimal protection for the kernel against tampering and escalation of privilege attacks. ... With HVCI enabled, attempts to modify the process structures will fail, preventing the protected process flag from being removed, which prevents process memory inspection or module injection into LSA." HW Enforced stack protection (HWESP) relies on Virtualization Based Security (VBS) which use Intel PTT, Intel VT-x, Intel VT-d and Intel BootGuard to ensure the OS components loaded are not tampered with and isolate security sensitive processes. Additionally, it uses Intel Control Flow Enforcement Technology (Intel CET) to allow hardware to ensure that sensitive areas in the regions of memory (such as the stack) for processes are not tampered with by either injecting code or changing the control flow of the code or both. HWESP includes four components Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections. Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries". Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...". Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)." Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)." Together these features aim to ensure integrity of binary images run on Windows 11 and prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, these are marked as offering significant protection.

Memory integrity is a Virtualization-based security feature that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS (VBS uses Intel VT-x). Memory integrity also restricts kernel memory allocations that could be used to compromise the system. Memory integrity is sometimes referred to as hypervisor-protected code integrity (HVCI). VBS provides an isolated environment that acts as a root-of-trust for the OS and its core components. It is enabled by Intel VT-x, VT-x2 with Extended Page Tables, SMMUs (Intel VT-d) and Secure Boot (Intel Boot Guard). Memory Integrity protects against behaviors that involve exploitation of kernel components including core drivers in memory, changing security configurations and running untrusted code (based on signatures). "HVCI protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers. Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate." "Hypervisor-protected code integrity introduces a new rule that no kernel memory pages are both writeable and executable, which eliminates an entire category of attacks that dynamically generate code. Additionally, HVCI comes enabled with a code integrity security policy that blocks drivers known to be used in kernel tampering, including Mimikatz, the old vulnerable VBox driver, and the Capcom driver commonly used in rootkits. Ultimately, HVCI provides optimal protection for the kernel against tampering and escalation of privilege attacks. ... With HVCI enabled, attempts to modify the process structures will fail, preventing the protected process flag from being removed, which prevents process memory inspection or module injection into LSA." HW Enforced stack protection (HWESP) relies on Virtualization Based Security (VBS) which use Intel PTT, Intel VT-x, Intel VT-d and Intel BootGuard to ensure the OS components loaded are not tampered with and isolate security sensitive processes. Additionally, it uses Intel Control Flow Enforcement Technology (Intel CET) to allow hardware to ensure that sensitive areas in the regions of memory (such as the stack) for processes are not tampered with by either injecting code or changing the control flow of the code or both. HWESP includes four components Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections. Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries". Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...". Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)." Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)." Together these features aim to ensure integrity of binary images run on Windows 11 and prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, these are marked as offering significant protection.

CVE-2020-5735 is a stack-based buffer overflow vulnerability in Amcrest cameras and NVR that allows an authenticated remote attacker to possibly execute unauthorized code over port 37777 and crash the device.

This vulnerability is exploited via an integer overflow.

CVE-2022-41328 is a path traversal vulnerability that allows a privileged attacked to read and write to files on the underlying Linux system via crafted CLI commands. Adversaries have been observed modifying files that establish persistence upon boot. The malicious files provide the adversaries with the capabilities of: data exfiltration, download/write files, remote shell, and discovery of network connections.

CVE-2022-42475 is a remotely-expoitable heap overflow vulnerability. Adversaries have been observed exploiting this vulnerability to deliver malicious software to the target device. This malicious software has observed anti-debugging and command and control capabilities (over HTTP).

This vulnerability allows adversaries to execute arbitrary code via specially crafted http requests that trigger an out of bounds write.

This buffer overflow vulnerability allows adversaries to remotely execute arbitrary code via specially crafted requests. Adversaries have been observed adding accounts to config files

This vulnerability allows for unauthenticated remote code execution. This can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed to use this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate active directory data.

This buffer overflow vulnerability can be exploited to cause a denial of service.

This is a buffer overflow vulnerability that results in unauthorized disclosure of memory, including session tokens.

CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products related to a buffer overflow condition in the SNMP subsystem. Reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtains further device information which is then exfiltrated over trivial file transfer protocol (TFTP) and enables unauthenticated access via a backdoor.