RSS Security

🔒
❌ About FreshRSS
There are new articles available, click to refresh the page.
Before yesterdayUncategorized

A Review of the Sektor7 RED TEAM Operator: Windows Evasion Course

3 May 2021 at 15:20

A Review of the Sektor7 RED TEAM Operator: Windows Evasion Course

Introduction

Another Sektor7 course, another review! This time it’s the RED TEAM Operator: Windows Evasion Course. You can catch my previous reviews of the RTO: Malware Development Essentials and RTO: Malware Development Intermediate courses as well.

Course Overview

This course, like the previous ones, builds on the knowledge gained in the previous courses. You don’t need to have taken the others if you already have a background in malware development, C++, assembly, and debugging, but if you haven’t, this will very likely be too advanced. The Essentials course might be much more your speed.

Here’s what Windows Evasion covers, according to the course page:

- How a modern detection looks like
- How to get rid of process' internal operations monitoring
- How to make your payload look benign in memory
- How to break process parent-child relation
- How to disrupt EPP/EDR logging
- What is Sysmon and how to bypass it

The course is split into 3 main sections: essentials, non-privileged user vector, and high-privileged user vector. I’ll cover each one, and then provide some thoughts on the course as a whole and the value it provides.

Section 1: Essentials

The course begins as usual, with links to the code and a custom VM with all the tools you’ll need. The first lesson is detail on how modern EDR detection works, covering the different user-mode and kernel-mode components, static analysis, DLL injection, hooking, kernel callbacks, logging, and machine learning. This is as good an overview of the end to end setup of EDRs as I’ve seen. It lays the foundation for the subsequent topics in a nice logical way. It also covers the differences between EDRs and AV, how Sysmon fits in, and how the line between AV and EDRs is becoming more blurred.

Next in essentials, the focus is on defeating various static analysis techniques, specifically entropy, image file details, and code signing. The idea is to make your malicious binary as similar to known-good binaries as possible, with special attention paid the the elements that are commonly flagged by static analysis. None of this is ground-breaking or totally novel, but it does drive home the idea that details matter, and they can add up to successfully achieving execution on a target or being caught.

Section 2: Non-Privileged User Vector

Un/Hooking

The second section covers a range of techniques that can be performed without needing elevated privileges. It begins with an explanation and demonstration via debugger of system call hooking, as performed by the main AV/EDR stand-in for the course, BitDefender. Bitdefender is a good option here, as a trial license is freely available, and it does more EDR-like things than a normal AV, like hooking.

Next, several different methods of defeating user-mode hooking are demonstrated, beginning with the classic overwriting of the .text section of ntdll.dll, which I’ve also covered here. The main disadvantage of this method is the need to map an additional new copy of ntdll.dll into the process address space, which is rather unusual from an AV/EDR perspective.

One alternative to this is to use Hell’s Gate, by Am0nsec and Smelly. This method uses some clever assembly to dynamically resolve the syscall number of a given function from the local copy of ntdll.dll and execute it. However this method has some drawbacks as well, mainly the fact that it will fail if the function to be resolved has already been hooked.

Reenz0h has a neat new modification (new to me at least!) to Hell’s Gate that gets around this problem, which he calls Halo’s Gate. It takes advantage of the fact that the system calls contained within ntdll.dll are sorted in numerically ascending order. The trick is to identity that a syscall has been hooked by checking for the jmp opcode (0xE9), and then traversing ntdll.dll both ahead and behind the target syscall. If an unhooked syscall is found 8 functions after the target, and its value is 0xFD, then by subtracting 8 from 0xFD, the the resulting 0xFD is our target syscall number. The same applies for a syscall before the target function. As no EDR hooks every syscall, eventually a clean one will be found and the target syscall number can be successfully calculated. This property of ordered syscall numbers in ntdll.dll is exploited to great effect in Syswhispers2. It was originally documented by the prolific modxp in a blog post here.

The last method of unhooking is a twist on the first, named, and I quote, “Perun’s Fart”. The goal is to get a clean copy of ntdll.dll without mapping it into our process again. It turns out that if a process is created in a suspended state, ntdll.dll is mapped by the Windows loader as part of the normal new process creation flow, but EDR hooks are not applied, since the main thread has not yet begun execution. So we can steal its copy of ntdll.dll and overwrite our local hooked version. Obviously this is a trade off, as this method will create a new process and involve cross-process memory reads. Still, it’s good to have multiple options when it comes to unhooking.

ETW Bypass

Next up is coverage of Event Tracing for Windows (ETW), how it can rat you out to AV/EDR, and how to blind it in your local process. ETW is especially relevant when executing .NET assemblies, such as in Cobalt Strike’s execute-assembly, as it can inform defenders of the exact assembly name and methods executed. The solution in this case is simple: Patch the ETWEventWrite function to return early with 0 in the RAX register. Anytime an ETW event is sent by the process, it will always succeed, without actually sending the message. Sweet and simple.

Avoiding IOCs

The last few videos of Section 2 cover different methods of hiding some specific indicators that can reveal the presence of malicious activity. First is module stomping. This is a way of executing shellcode from within a loaded DLL, avoiding the telltale sign of memory allocations within the process that are not backed by files on disk. A DLL that the host process does not use is loaded, then partially hollowed out and replaced with shellcode. Since the original DLL is properly loaded, no indication of injected shellcode is present.

Lastly this section covers hiding parent-child process ID relationships. The usual method is covered for PPID spoofing, using UpdateProcThreadAttribute to set the PPID to an arbitrary parent process. However two other methods I’d not encountered were covered as well. First, it turns out that processes created by the Windows task scheduler become a parent of the task scheduler svchost.exe process, and code is provided to use the Win32 API to execute a payload this way. The other method is one used by Emotet, which uses COM to programatically run WMI and create a new process. The parent in this case is the WmiPrvSE.exe process.

Section 3: High-Privileged User Vector

This section covers a variety of techniques that are available in high-privilege contexts. The focus is on Windows Eventlog, interrupting AV/EDR network communication, and Sysmon.

Eventlog

One video covers a method of hiding your activities from the Windows Eventlog. The idea is that the service that service responsible for Eventlog, Windows Event Log, has several threads that handle the processing of event log messages. By suspending these threads, the service continues to run, but does not process any events, thus hiding our activity. One caveat is that if the threads are resumed, all events that were missed in the interim will be processed, unless the machine is rebooted.

AV/EDR Network Communication

The next section looks at severing the connection between AV/EDR and its remote monitoring/logging server. This is done in two primary ways: adding Windows Firewall rules, and sink-holing traffic via the routing table. These two are pretty self-explanatory, but the real value here is the code samples provided for doing this in C/C++. The infamous and terrible COM is used in several places, and provides a good working example of COM programming. Creating routing table entries is actually a simple Win32 API call away.

Sysmon

The final section of the course covers identifying and neutralizing Sysmon. Sysmon is an excellent tool and frequently the backbone of many AV/EDR collection strategies, so identifying its presence and disabling its capabilities can go a long way in hiding your activities.

One problem for attackers is that Sysmon by design can be concealed in various ways. The name of the user-mode process, the minifilter driver name, and its altitude can all be modified to hide Sysmon’s presence. However there are enough reliable ways, like checking registry keys, to identify it. Code and commands are provided to find the registry keys and several techniques for shutting down Sysmon as well. One is to unload the minifilter driver. Another harks back to earlier in the course and shows how to patch our friend ETWEventWrite.

Takeaways

If you’ve read my other reviews of Sektor7 courses, you know what I’m going to say here. They are fantastic, and a fantastic value for the money as well, as most are around $200-250 USD. You can buy all 5 current courses for less than almost any other training out there, and 2573 times less than a single SANS course. You get lifetime access, and most importantly, the code samples. This to me is by far the single most valuable part of the course. Reenz0h is a great instructor with a wealth of knowledge and a great presentation style, but the true gift he gives you is a firm foundation of working code samples to build from and the context of how they are used. This course specifically covers basic COM programming in as understandable a way as COM can be covered, in my opinion. I’ve found that I learn best when I have some working code to tweak, play with, lookup its functions on MSDN, and mold it until it does what I want. No, the samples are not production ready and undetectable in every case, but these course give you the tools to make them that way and integrate them into your own tooling.

Conclusion

Props again to reenz0h and the Sektor7 crew. I’m glad they took a poll of their students and delivered a more advanced course. I get the feeling there is a ton more advanced material they could crank out, and I can’t wait for it.

Beyond good ol’ Run key, Part 134

3 May 2021 at 19:19
By: adam
This one is for historical reasons, primarily. Old Adobe Photoshop/ImageReady used to have a feature called “Jump to” which is neatly described here. The feature was implemented via a simple […]

Non-debugging uses of CDB

3 May 2021 at 12:25
By: adam
Catching up with another tweet from 3 months ago. VMWare Workstation installs cdb.exe debugger for you – you can play around with its features if you happen to find it […]

Debug Environment Variable are \o/

3 May 2021 at 11:56
By: adam
Looking at the list of debug environment variables one can immediately spot a lot of room for abuse. One can hypothesize that setting e.g. _NT_SYMBOL_PATH, _NT_ALT_SYMBOL_PATH, _NT_SYMBOL_PROXY, SRCSRV_INI_FILE to point […]

SleepStudy logs

3 May 2021 at 11:09
By: adam
Update After I posted it, Bryan linked to this article which explains how to generate SleepStudy report. Thx! Old Post A few days ago I came across ETL logs I […]

Kooperation: Corporate Trust & HanseSecure

2 May 2021 at 18:45

Wir freuen uns seit dem 26.04.2021 die Kollegen von der „Corporate Trust Business Risk & Crisis Management GmbH“ als unseren ersten technischen Partner vorzustellen:

I am very happy to introduce our very first technical cooperation partner:@CorporateTrust

They will support us in the area of incident response, forensic and risk management so that we can keep our focus on offensive Security.#infosec #blueteam #redteam pic.twitter.com/31eF5UBrrh

— Florian Hansemann (@CyberWarship) April 26, 2021

Hier eine kurze Darstellung unserer neuen Kollegen:

Corporate Trust

Die Corporate Trust ist Ihr strategischer Partner im Risiko- und Krisenmanagement. Als Unternehmensberatung für Sicherheitsdienstleistungen unterstützen wir Unternehmen, Organisationen und Privatpersonen im High-Level-Security-Bereich

Sicherheitskonzepte sollten so effektiv und diskret sein, dass Sie ihre Existenz am besten gar nicht wahrnehmen. Genau das ist unsere Mission: Wir wollen eine Umgebung schaffen, in der Sie sich absolut sicher und ungestört auf Ihre Ziele und die Ziele Ihres Unternehmens konzentrieren können. Im Mittelpunkt steht dabei immer der Mensch.

Leistungen Corporate Trust

  • Digital Forensics & Incident Response
    Das wo wir Deine Leistungen am Besten ergänzen können ist sicherlich unser DFIR Leistungsspektrum. Unser Angebot: tiefgehende forensische Untersuchungen sowohl im Netzwerk als auch host-based, Projektleitung oder Beratung zur möglichst schnellen Wiederherstellung des Business in einer sicheren Umgebung und eine professionelle Verhandlung mit Erpressern soweit ein erfahrenes Krisenkommunikationsteam.
  • Klassische Sicherheit
    Im Speziellen die Angebote unserer Kollegen aus der klassischen Sicherheit können bei Deinen Kunden sicherlich auch interessant sein: Geldrückholungen bei Business Email Compromise (Fake President, Payment oder Goods Diversion), Background Checks von Geschäftspartnern oder Verflechtungsanalysen von verdächtigen Personen.

Zusammen mit unseren spezialisierten Fähigkeiten im Bereich Offensive Security & Security Research decken wir nun alle Gebiete im Bereich Security & IT-Security ab!

Wir freuen uns auf eine tolle Zusammenarbeit und spannende gemeinsame Projekte!

Cur\o/bin

2 May 2021 at 13:53
By: adam
This post wraps up another Twitter thread I started a few days ago: If you ever get bored using “copy” to copy files you can always use … curl: curl […]

Throwing LOLBIN a tar ball

2 May 2021 at 13:42
By: adam
This post summarizes some of the findings I posted on Twitter the other day. While looking at Windows version of tar.exe I discovered that it includes lots of undocumented command […]

Gup \o/ bin

2 May 2021 at 13:39
By: adam
Notepad ++ comes with a built-in Updater called GUP typically located here: c:\Program Files (x86)\Notepad++\updater\GUP.exe It is a generic downloader that accepts a range of command line arguments, and while […]

FTP.EXE Lolbin v2

2 May 2021 at 11:38
By: adam
@0gtweet‘s tweet inspired me to look at lolbin stuff again (as it is often the case). So… everyone knows we can use ftp.exe as a lolbin and using COMSPEC trick […]

Talk: GO Business Nr. 175

24 April 2021 at 21:33

Gute Digitalisierung. Böse Digitalisierung.

Nachdem ich vor mittlerweile 4 Jahren meinen letzten Vortrag bei einer GoBusiness Veranstaltung gehalten habe, freue ich mich sehr, dass ich erneut eingeladen worden bin.

Dieses mal gibt es zwar keinen Live-Hack, aber die Inhalte sind umso spannender 😉
Falls Jemand noch Zeit & Lust hat, am 29.04.2021 dabei zu sein: Hier gehts zur kostenfreien Anmeldung.

Die Slides gibt es hier wie üblich anschließend zum Download.

Slides

Noch mehr Infosec gibt es bei meinem Twitter Account 😉

Playing CAPAeira with Yara rules

20 April 2021 at 21:46
By: adam
Writing Yara rules is easy. Writing good Yara rules is … testing – both as an adjective and a verb. There is a class of Yara rules – the one […]

Talk: IT-Sicherheitsmanagement in Versicherungen

10 April 2021 at 22:31

Ich freue mich sehr am 07.05.2021 bei der Webkonferenz für IT-Sicherheitsmanagement in Versicherungen einen Vortrag halten zu dürfen.

Der Teilnehmerkreis besteht aus namenhaften Versicherungen und ich bin auf anregende Disskussionen gespannt.

Wie üblich werde ich diesen Beitrag anschließend mit meinen Slides ergänzen.

Here we go 😉

Yara & maldoc pics

7 April 2021 at 22:06
By: adam
Update It took only a few minutes for @0xkyle to point me to Halogen project. Nice one! Old post This is a little trick that you may find handy for […]

ELF sections stats

13 March 2021 at 23:02
By: adam
If you follow my blog you may know that I have dedicated a lot of time building a very comprehensive list of PE Sections, Today I realized that I never […]

Beyond good ol’ Run key, Part 133

5 March 2021 at 23:18
By: adam
Java programs compiled into executable form using launch4j have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities. When the executable starts it […]

Event ID 7039 – out…pid a pid

26 February 2021 at 19:18
By: adam
This event is not very well explained on the internet, so I took a liberty of describing it below: The event message is as follows: A service process other than […]
❌