Hacker News new | ask | show | jobs
by novaleaf 2639 days ago
from the article:

> While monitoring alerts related to kernel-mode attacks, one alert drew our attention:

>The alert process tree showed an abnormal memory allocation and execution in the context of services.exe by a kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.

This shows code injection taking place, via the exploited code. You are right that they don't mention what code was injected (probably they don't know)
1 comments
monocasa 2639 days ago
> via the exploited code

Their scanner doesn't show any exploitation happening, and they don't say that it does.

link
novaleaf 2638 days ago
I admit that I am reading into the line "abnormal memory allocation and execution" and thinking it's intentional.

You are right that they don't seem to know what code was being executed. Just that some code (be it real code or random garbage) was injected and executed.

link
monocasa 2636 days ago
It's intentional; it's not "exploitation". It's really doing privilege deescalation of the shellcode.

They know the code it's running for the most part, it's the CreatProcessW stuff they talk about.

link