---
Title: Evading EDR
draft: true
---

Excerpts

  • Applying Brittle vs. Robust Detections

‘Brittle detections are those designed to detect a specific artifact, such as a simple string or hash-based signature commonly associated with known malware. Robust detections aim to detect behaviors and could be backed by machine-learning models trained for the environment. Both detection types have a place in modern scanning engines, as they help balance false positives and false negatives.’

Excerpt from Evading EDR (for True Epub) by Matt Hand. Copyright may apply to this material.
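As an added illustration of the brittle/robust distinction (this is not code from the book or from any vendor's scanning engine), the following Python runs a hash-and-string signature and a behavioural rule side by side over three constructed process-creation events. The event schema, both rules, the "known bad" bytes and the sample command lines are assumptions made for this example; a real agent service would consume telemetry from its driver or from ETW instead.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """One process-creation event as the agent service might aggregate it (constructed schema)."""
    event_id: int
    image: str            # file name of the new process image
    parent_image: str     # file name of the parent process image
    command_line: str
    scanned_bytes: bytes  # bytes the static scanner looked at (image file or memory region)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Brittle detection: a signature bound to one specific artifact.
# Both the "known bad" bytes and the string inside them are constructed for this example.
KNOWN_BAD_BYTES = b"MZ... constructed payload build 1 ... beacon.dll"
KNOWN_BAD_SHA256 = sha256_of(KNOWN_BAD_BYTES)
KNOWN_BAD_STRINGS = (b"beacon.dll",)


def brittle_detect(ev: ProcessEvent) -> List[str]:
    """Fires only when the exact hash or the exact string is present."""
    hits = []
    if sha256_of(ev.scanned_bytes) == KNOWN_BAD_SHA256:
        hits.append("hash-match")
    if any(s in ev.scanned_bytes for s in KNOWN_BAD_STRINGS):
        hits.append("string-match")
    return hits


# Robust detection: a behaviour that survives rebuilding or renaming the artifact.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def robust_detect(ev: ProcessEvent) -> List[str]:
    """Fires on the parent/child relationship and the command-line shape, not on file contents."""
    hits = []
    parent, child = ev.parent_image.lower(), ev.image.lower()
    tokens = ev.command_line.lower().split()
    if parent in OFFICE_APPS and child in SHELLS:
        hits.append("office-spawns-shell")
    if child == "powershell.exe" and "-w" in tokens and "hidden" in tokens \
            and any(t in ("-enc", "-encodedcommand") for t in tokens):
        hits.append("hidden-encoded-powershell")
    return hits


def evaluate(events: List[ProcessEvent]) -> Dict[int, Dict[str, List[str]]]:
    """Run both detection types over a batch and return the hits per event."""
    return {ev.event_id: {"brittle": brittle_detect(ev), "robust": robust_detect(ev)}
            for ev in events}


# Constructed sample telemetry; "QQBBAEEA" is just base64 of "AAA" in UTF-16LE, a placeholder.
SAMPLE_EVENTS = [
    # 1: the exact artifact the brittle signature was written for
    ProcessEvent(1, "powershell.exe", "winword.exe",
                 "powershell.exe -w hidden -enc QQBBAEEA", KNOWN_BAD_BYTES),
    # 2: identical behaviour, but the payload was rebuilt and its string changed
    ProcessEvent(2, "powershell.exe", "winword.exe",
                 "powershell.exe -w hidden -enc QQBBAEEA",
                 b"MZ... constructed payload build 2 ... b.dll"),
    # 3: benign interactive shell started from the desktop
    ProcessEvent(3, "powershell.exe", "explorer.exe",
                 "powershell.exe", b"MZ... constructed benign image"),
]

if __name__ == "__main__":
    for event_id, result in evaluate(SAMPLE_EVENTS).items():
        print(event_id, result)
```

Event 2 is the point of the exercise: a rebuilt payload defeats the hash and the string, but the parent/child relationship and the command-line shape still fire. The trade-off the excerpt names shows up in event 3, where the behavioural rule has to be written narrowly enough that an administrator's interactive PowerShell does not trigger it.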

  • Exploring Elastic Detection Rules

‘One of the only EDR vendors to publicly release its detection rules is Elastic, which publishes its SIEM rules in a GitHub repository. Let’s take a peek behind the curtain, as these rules contain great examples of both brittle and robust detections.’

  • Agent Design

‘The static scanner   An application, or component of the agent itself, that performs static analysis of images, such as Portable Executable (PE) files or arbitrary ranges of virtual memory, to determine whether the content is malicious.’

‘The hooking DLL   A DLL that is responsible for intercepting calls to specific application programming interface (API) functions.’

‘The kernel driver   A kernel-mode driver responsible for injecting the hooking DLL into target processes and collecting kernel-specific telemetry.’

‘The agent service   An application responsible for aggregating telemetry created by the preceding two components. ‘

[Screenshot Figure 1-2 The basic agent architecture]

2 Function-hooking DLLs

‘rather than implementing syscall instructions in every function that needs to interact with the kernel, Windows provides them via functions in ntdll.dll. A function simply needs to pass the required parameters to this exported function; the function will, in turn, pass control into the kernel and then return the results of the operation.’

‘In earlier versions of Windows, vendors (and malware authors) often placed their hooks on the System Service Dispatch Table (SSDT), a table in the kernel that holds the pointers to the kernel functions used upon invocation of a syscall.’

‘With the introduction of Windows XP in 2005, Microsoft made the decision to prevent the patching of SSDT, among a host of other critical structures, using a protection called Kernel Patch Protection (KPP), also known as PatchGuard, so this technique is not viable on modern 64-bit Windows versions. This means that traditional hooking must be done in user mode. Because the functions performing the syscalls in ntdll.dll are the last possible place to observe API calls in user mode, EDRs will often hook these functions in order to inspect their invocation and execution.’

definition

Asynchronous procedure call (#APC):

An asynchronous procedure call (APC) is a function that executes asynchronously in the context of a particular thread. When an APC is queued to a thread, the system issues a software interrupt. The next time the thread is scheduled, it will run the APC function. An APC generated by the system is called a kernel-mode APC. An APC generated by an application is called a user-mode APC. A thread must be in an alertable state to run a user-mode APC.

https://learn.microsoft.com/en-us/windows/win32/sync/asynchronous-procedure-calls

howto

How to use APC for shellcode execution: https://redops.at/en/blog/shellcode-execution-via-asynchronous-procedure-calls

Dynamically resolving Syscall numbers

‘dynamically resolving syscall numbers at runtime’

(…)

‘This technique uses the following workflow to create a dictionary of function names and syscall numbers:

1. Get a handle to the current process’s mapped ntdll.dll.
2. Enumerate all exported functions that begin with Zw to identify system calls. Note that functions prefixed with Nt (which is more commonly seen) work identically when called from user mode. The decision to use the Zw version appears to be arbitrary in this case.
3. Store the exported function names and their associated relative virtual addresses.
4. Sort the dictionary by relative virtual addresses.
5. Define the syscall number of the function as its index in the dictionary after sorting.

Using this technique, we can collect syscall numbers at runtime, insert them into the stub at the appropriate location, and then call the target functions as we otherwise would in the statically coded method.’

Remapping ntdll.dll

‘Another common technique used to evade user-mode function hooks is to load a new copy of ntdll.dll into the process, overwrite the existing hooked version with the contents of the newly loaded file, and then call the desired functions.’

Evading Process- and Thread-Creation Callbacks

From the referenced blog https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/:

(…)

For example, here we have a process running with the command line cmd.exe /k echo Argument Spoofing. If we update the Length of the CommandLine field to 14, we see that ProcessExplorer is showing only cmd.exe as the command line argument.

Compile and use this code to spoof command line arguments and add explanatory comments to unknown code. 🧑‍💻

‘Chester’s blog post describes the following process for modifying the command line arguments used to invoke a process. First, you create the child process in a suspended state using your malicious arguments. Next, you use ntdll!NtQueryInformationProcess() to get the address of the child process’s PEB, and you copy it by calling kernel32!ReadProcessMemory(). You retrieve its ProcessParameters field and overwrite the UNICODE_STRING represented by the CommandLine member pointed to by ProcessParameters with spoofed arguments. Lastly, you resume the child process.’

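The blog excerpt above shows the defender's angle on this trick: shrinking Length to 14 leaves the rest of the original string sitting in the buffer, and a tool that honours Length (Process Explorer in the example) simply stops reading. The following Python is an added example, not code from the book or from the blog post, of the check an agent service could apply to a CommandLine UNICODE_STRING it has copied out of a target's process parameters. The Length/MaximumLength/Buffer layout is the documented Windows one; the snapshot format, the helper that builds one, and the sample command line are constructed here so the check runs offline, with the Buffer pointer replaced by the raw buffer bytes.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UnicodeStringSnapshot:
    """A UNICODE_STRING as copied out of a target's RTL_USER_PROCESS_PARAMETERS.

    Windows defines USHORT Length, USHORT MaximumLength, PWSTR Buffer; in this
    constructed snapshot the pointer is replaced by the buffer's raw bytes.
    """
    length: int          # bytes the string claims to occupy (no terminator)
    maximum_length: int  # bytes allocated for the buffer
    buffer: bytes        # UTF-16LE contents read out of the process


def build_snapshot(command_line: str, length_override: Optional[int] = None) -> bytes:
    """Constructed helper: serialise a snapshot the way parse_snapshot() reads it back.

    A normally created process has Length == byte length of the string; passing
    length_override models a process whose Length was shrunk after creation.
    """
    buf = command_line.encode("utf-16-le") + b"\x00\x00"
    length = len(buf) - 2 if length_override is None else length_override
    return struct.pack("<HH", length, len(buf)) + buf


def parse_snapshot(blob: bytes) -> UnicodeStringSnapshot:
    """Split the constructed snapshot into its three fields."""
    length, maximum_length = struct.unpack_from("<HH", blob, 0)
    return UnicodeStringSnapshot(length, maximum_length, blob[4:4 + maximum_length])


def declared_command_line(s: UnicodeStringSnapshot) -> str:
    """What a consumer that trusts Length displays."""
    return s.buffer[:s.length].decode("utf-16-le", errors="replace")


def observed_command_line(s: UnicodeStringSnapshot) -> str:
    """What is really in the buffer: read up to MaximumLength and stop at the first NUL."""
    text = s.buffer[:s.maximum_length].decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def check_command_line(s: UnicodeStringSnapshot) -> Dict[str, object]:
    """Flag a Length that is shorter than the live string behind it."""
    declared = declared_command_line(s)
    observed = observed_command_line(s)
    return {
        "declared": declared,
        "observed": observed,
        # Length smaller than the live string is the tell of the truncation variant
        "suspicious": len(observed.encode("utf-16-le")) > s.length,
    }


if __name__ == "__main__":
    # The blog's example: 33 characters, Length cut down to 14 bytes ("cmd.exe")
    spoofed = parse_snapshot(build_snapshot("cmd.exe /k echo Argument Spoofing", length_override=14))
    print(check_command_line(spoofed))
    honest = parse_snapshot(build_snapshot("cmd.exe /k echo Argument Spoofing"))
    print(check_command_line(honest))
```

Reading past Length only catches the truncation variant; a process whose buffer was rewritten wholesale leaves no residue to find. That is why the kernel-side creation callbacks covered in the next section matter to a defender: they record the command line at creation time, so a later read of the PEB that disagrees with that record is itself the signal.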

  • Process and thread notifications
    • Thread notifications
      • Detecting remote thread creation

receive notifications about thread creation or termination via its driver by registering a thread-notification callback routine with either nt!PsSetCreateThreadNotifyRoutine() or the extended nt!PsSetCreateThreadNotifyRoutineEx(), which adds the ability to define the notification type.