Topics Overview
About Me
Learning Resources
Windows Fundamentals
Malware Development
Initial Access
Post-Exploitation
Kernel Driver
About Me
Learning Resources
Best-in-Class Training
Maldev Academy: https://maldevacademy.com/
Zero-Point Red Team Ops II: https://training.zeropointsecurity.co.uk/courses/red-team-ops-ii
Sektor7 Institute Courses: https://institute.sektor7.net/
Free Resources
AV/EDR Evasion Overview: https://youtu.be/CKfjLnEMfvI
PDF Presentation: https://conference.hitb.org/hitbsecconf2022sin/materials/D1T1%20-%20EDR%20Evasion%20Primer%20for%20Red%20Teamers%20-%20Karsten%20Nohl%20&%20Jorge%20Gimenez.pdf
Evading Static and Dynamic Analysis: https://www.youtube.com/watch?v=E6LOQQiNjj0
Hands-On Lab: https://jfmaes-1.gitbook.io/reflection-workshop/
Evading Behavioural Analysis: https://youtu.be/LXfhyTpQ7TM
Putting it All Together - Custom Shellcode Injector: https://youtu.be/Mtox3EHeYk4
"Map" of Techniques: https://github.com/matro7sh/BypassAV
Windows Fundamentals
Software Architecture
Hardware Components: CPU (CU, registers, ALU), memory, disk
Layers (diagram, from the hardware up):
Binary: 11010001010010101100
Assembly: push ebp / mov ebp,esp
Intermediate Bytecode
Compiled (unmanaged) Languages: C, C++, Go, Rust
JIT-Compiled Languages: C#, Java, Python (pypy)
Interpreted/Hybrid Languages: Python (cpython), Ruby, JavaScript
Portable Executable (PE)
Data Directories
Sections
PE File Types
Function Call Flow (Windows API)
Diagram: program.exe → kernel32.dll (CreateRemoteThread) → ntdll.dll (NtCreateThreadEx) → syscall → ntoskrnl.exe; program.exe, kernel32.dll and ntdll.dll run in user mode, ntoskrnl.exe in kernel mode
Malware Development
Injection
Two options:
Generate malicious shellcode or DLL with C2
Malware should
Types of Detections
Antivirus (AV)
Endpoint Detection and Response (EDR)
the above and
Static Analysis
Known Malicious “Signature”
or
obfuscation
encryption
staging ⇒ download malicious code
Finding Malicious Signatures
Windows Defender
Static Analysis
Import Address Table
flag known bad API call combos: VirtualAlloc, VirtualProtect, CreateThread
load imports at runtime ⇒ GetProcAddress and LoadLibrary/GetModuleHandle
Problems and Solutions
Problem 1: the CreateThread string still exists in the PE file. Solution: declare it differently
Problem 2: GetProcAddress and GetModuleHandle might be flagged. Solution: create your own implementation
Problem 3: the CreateThread string still exists in process memory. Solution: two alternatives
Dynamic Analysis
Runs code in a sandbox (contained environment)
not emulated by sandbox
Command & Control (C2) Beacon
assume somebody is monitoring network traffic
Goals
How To
Behavioural Analysis
*in-memory tradecraft* → touch disk as little as possible
Local Process Injection Advantages
(e.g. needs to be in suspended state)
Remote Process Injection Advantages
Memory Indicators of Maliciousness
executable memory regions for msedge.exe
write code to RW memory → change permissions to RX → run code (VirtualProtect | VirtualProtectEx)
module overloading/stomping: load DLL → overwrite DLL with code
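As an added example (not part of the presentation), the following PowerShell script enumerates the committed memory regions of a process and reports the executable ones, marking those that are private rather than backed by a loaded image, which is what the RW → RX pattern above leaves behind. It assumes 64-bit Windows, PowerShell 5.1 or later, and the right to open the target process; the `MemScan` class, `Get-ExecutableRegion` function and the constants are defined here, not taken from any tool the slides mention.

```powershell
# Added example (not from the presentation): list executable memory regions of a process and
# flag private (non-image-backed) ones, a hunting aid for the RW -> RX / RWX indicator above.
# Assumptions: 64-bit Windows, PowerShell 5.1+, permission to open the target process (run elevated
# for processes owned by other users). MemScan and Get-ExecutableRegion are defined here.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MemScan {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
                                               out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Get-ExecutableRegion {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
    $MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000; $MEM_IMAGE = 0x1000000
    $EXECUTE_MASK = 0xF0            # PAGE_EXECUTE / _READ / _READWRITE / _WRITECOPY
    $PAGE_EXECUTE_READWRITE = 0x40

    $h = [MemScan]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $mbi  = New-Object -TypeName 'MemScan+MEMORY_BASIC_INFORMATION'
        $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][MemScan+MEMORY_BASIC_INFORMATION])
        $addr = [IntPtr]::Zero
        # Walk the address space region by region until VirtualQueryEx fails past user space
        while ([MemScan]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -ne [IntPtr]::Zero) {
            if (($mbi.State -eq $MEM_COMMIT) -and (($mbi.Protect -band $EXECUTE_MASK) -ne 0)) {
                [pscustomobject]@{
                    ProcessId   = $ProcessId
                    BaseAddress = '0x{0:X16}' -f $mbi.BaseAddress.ToInt64()
                    SizeKB      = [int]($mbi.RegionSize.ToInt64() / 1KB)
                    Protect     = '0x{0:X2}' -f $mbi.Protect
                    Backing     = if ($mbi.Type -eq $MEM_IMAGE) { 'Image' }
                                  elseif ($mbi.Type -eq $MEM_PRIVATE) { 'Private' } else { 'Mapped' }
                    # RWX is the strongest single indicator: code that was written and is now executable
                    Rwx         = (($mbi.Protect -band $EXECUTE_MASK) -eq $PAGE_EXECUTE_READWRITE)
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $addr.ToInt64()) { break }   # no progress guard
            $addr = [IntPtr]$next
        }
    } finally { [void][MemScan]::CloseHandle($h) }
}

# Usage: executable regions of every msedge.exe process that are not backed by a loaded image
Get-Process -Name msedge -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ExecutableRegion -ProcessId $_.Id } |
    Where-Object { $_.Backing -ne 'Image' } | Format-Table -AutoSize
```

Treat the output as triage input, not a verdict: browsers and .NET processes legitimately JIT code into private executable regions, so baseline the counts per process first. The scan also does not catch the module overloading/stomping case above, where the overwritten code still sits in an image-backed region; that needs comparing the mapped code against the module on disk.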
Call Stack Indicators of Maliciousness
sample thread call stack for msedge.exe
call stack spoofing ⇒ fake thread call stack when sleeping: create backup of thread stack → overwrite thread stack → sleep → restore thread stack
https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers
API Hooks (User DLL)
Diagram: same call flow as above (program.exe → kernel32.dll CreateRemoteThread → ntdll.dll NtCreateThreadEx → syscall → ntoskrnl.exe); the EDR's user DLL hooks CreateRemoteThread in kernel32.dll
EDR: log CreateRemoteThread, take action (optional)
Circumventing API Hooks (User DLL)
Use NTDLL functions instead!
Diagram: program.exe calls ntdll.dll NtCreateThreadEx directly instead of kernel32.dll CreateRemoteThread, so the EDR user DLL hook (log CreateRemoteThread, take action (optional)) is not reached
API Hooks (NTDLL)
Diagram: same call flow (program.exe → kernel32.dll CreateRemoteThread → ntdll.dll NtCreateThreadEx → syscall → ntoskrnl.exe); the EDR hooks NtCreateThreadEx in ntdll.dll
EDR: log NtCreateThreadEx, take action (optional)
Circumventing API Hooks (NTDLL)
A few options
Manual Mapping
Syscalls
Direct Syscall
Diagram: program.exe executes the syscall instruction itself and enters ntoskrnl.exe without going through ntdll.dll, so the EDR hook on NtCreateThreadEx (log NtCreateThreadEx, take action (optional)) is not reached
Indirect Syscall
Diagram: same components as the NTDLL hook slide (program.exe, kernel32.dll CreateRemoteThread, ntdll.dll NtCreateThreadEx, syscall, ntoskrnl.exe; EDR hook: log NtCreateThreadEx, take action (optional))
Easy Win?
malicious DLLs are much less detected than EXEs
DLL Hijacking
Advantage: no clear attack chain → initial DLL drop and malicious actions are separate
Hijackable DLLs: https://hijacklibs.net
Initial Access
Entry Points
Attacking Machines
Attacking People: Social Engineering
Restricting Runnable Files
AppLocker ⇒ helps prevent users from running unapproved software
vs
Windows Defender Application Control (WDAC) ⇒ official security feature; Windows 10 and Windows Server 2016 or newer only
Circumventing AppLocker/WDAC
Options:
reversing WDAC rules: CIPolicyParser
LOLBAS
Microsoft recommended blocklist: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
PowerShell Constrained Language Mode (CLM)
“a language mode of PowerShell designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs”
Enforcing PowerShell CLM
Bypasses
Attack Surface Reduction (ASR)
rules that restrict certain actions
Types of Exclusions
Sample Rules
Determining Enabled Rules
obtain from GPO or locally in registry
rule to GUID matrix: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix
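As an added example (not part of the presentation), the following PowerShell script reports which ASR rules are configured on the local host and in which mode, reading both the effective Defender configuration and the Group Policy registry location. It assumes a Windows 10/11 or Server 2016+ host with Microsoft Defender Antivirus, run as an administrator; the `Get-AsrRuleState` function and the `$RuleNames` table are written for this example, and the policy registry path is assumed from the Defender Exploit Guard policy template rather than taken from the slides.

```powershell
# Added example (not from the presentation): audit ASR rule configuration on this host.
# Assumptions: Windows 10/11 or Server 2016+ with Microsoft Defender Antivirus, run elevated.
# $RuleNames maps rule GUIDs to names from the Microsoft "ASR rule to GUID matrix" linked above;
# only the rule used as the example on the next slide is filled in, extend it from that reference.
$RuleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}
# Action codes used by Set-MpPreference -AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function ConvertTo-AsrRecord {
    param([string]$Source, [string]$RuleId, [int]$Action)
    $id = $RuleId.ToUpper()
    [pscustomobject]@{
        Source = $Source
        RuleId = $id
        Name   = if ($RuleNames.ContainsKey($id)) { $RuleNames[$id] } else { '(look up in GUID matrix)' }
        Action = if ($ActionNames.ContainsKey($Action)) { $ActionNames[$Action] } else { "Unknown ($Action)" }
    }
}

function Get-AsrRuleState {
    [CmdletBinding()]
    param()
    # 1. Effective configuration as Defender sees it (local settings merged with policy)
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        ConvertTo-AsrRecord -Source 'Get-MpPreference' -RuleId $ids[$i] -Action ([int]$actions[$i])
    }
    # 2. Rules delivered by Group Policy: value name = rule GUID, value data = action code
    #    (registry path assumed from the Defender Exploit Guard policy template)
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
    if (Test-Path $gpoKey) {
        $key = Get-Item $gpoKey
        foreach ($name in $key.GetValueNames()) {
            ConvertTo-AsrRecord -Source 'GPO registry' -RuleId $name -Action ([int]$key.GetValue($name))
        }
    }
}

# Usage: configured rules, then the exclusions that would let a path bypass them
Get-AsrRuleState | Sort-Object RuleId, Source | Format-Table -AutoSize
Write-Host 'ASR-only exclusions:'
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

Rules listed as Audit only generate events and block nothing, so an audit that stops at "rule present" overstates coverage; the exclusion list printed at the end is the other thing to check, since an excluded path is exempt from every rule.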
Circumventing ASR
Options:
Example: Block all Office applications from creating child processes
Ideas: https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf
Win32 API calls in MS Office: https://github.com/med0x2e/GadgetToJScript
To Be Added (post-exploitation)
This Presentation
https://docs.google.com/presentation/d/1FATzBCzp1nPhXFKdcj9M96Pl1fUjoxNGep6sQr6c-As/
John’s LinkedIn
Cobalt Strike Resources