1 of 40

Topics Overview

About Me

Learning Resources

Windows Fundamentals

  • Software Architecture
  • Portable Executable
  • Function Call Flow

Malware Development

  • Injection
  • Static Analysis
    • Known Signatures
    • IAT Obfuscation
  • Dynamic Analysis
    • Sandbox Detection
  • Behavioural Analysis
    • RWX Memory
    • Thread Call Stack
    • API Hooks: Unhooking & Syscalls
  • DLL Hijacking

Initial Access

  • Common Entry Points
  • AppLocker and WDAC
  • PowerShell CLM
  • Attack Surface Reduction (ASR)

Post-Exploitation

  • PPID and Argument Spoofing
  • AMSI Bypass
  • ETW Bypass
  • Protected Processes
    • Unprotect LSASS with

Kernel Driver

  • Driver Signature Enforcement

About Me

  • M.S. in Computer Engineering from Illinois Tech
  • OSCP, CRTO, CRTL Certified
  • Offensive Security Researcher at FalconOps
  • Red Team volunteer for Collegiate Cyber Defense Competition (CCDC)
    • Midwest and Mid-Atlantic regions
  • Hobbyist
    • martial arts
    • horseback riding
    • dance (tap, hip-hop, ballroom, etc)
    • instruments (piano, violin, viola, accordion, etc)
    • art (drawing/painting, origami)

Learning Resources

Windows Fundamentals

Software Architecture

Hardware components: CPU (control unit, registers, ALU), memory, disk

Layers above the hardware:

  • Binary ⇒ 11010001010010101100
  • Assembly ⇒ push ebp; mov ebp, esp
  • Intermediate bytecode
  • Compiled (unmanaged) languages: C, C++, Go, Rust
  • JIT-compiled languages: C#, Java, Python (PyPy)
  • Interpreted/hybrid languages: Python (CPython), Ruby, JavaScript

Portable Executable (PE)

Data Directories

  • Import Address Table
  • Export Address Table
  • ...

Sections

  • .text → executable instructions
  • .data → initialized data
  • .rdata → read-only initialized data
  • .bss → uninitialized data
  • .idata → import tables
  • .edata → export tables
  • .reloc → base relocations, applied when the image is loaded at an address other than its preferred base
  • .rsrc → resources (images, icons, custom code, etc)

PE File Types

  • Executable (EXE) ⇒ program that gets run
    • Service Executable ⇒ responds to service controls
  • Dynamically-Linked Library (DLL) ⇒ code that can be imported and used by an executable or another library

Function Call Flow (Windows API)

Creating a thread in another process, from user mode down to the kernel:

  • program.exe → calls CreateRemoteThread
  • kernel32.dll (User DLL) → CreateRemoteThread calls NtCreateThreadEx
  • ntdll.dll (NTDLL) → NtCreateThreadEx executes the syscall instruction
  • ntoskrnl.exe (Kernel) → handles the system call

Malware Development

Injection

Two options:

  • Shellcode → Run malicious shellcode directly
  • DLL → Load a DLL with malicious code

Generate malicious shellcode or DLL with C2

Malware should

Types of Detections

Antivirus (AV)

  • Static Analysis ⇒ looks at the PE file
  • Dynamic Analysis ⇒ runs file in a sandbox (safe) environment

Endpoint Detection and Response (EDR)

all of the above, plus

  • Behavioural Analysis ⇒ monitors processes as they run

Static Analysis

Known Malicious “Signature”

  • edit content in place

or

  • edit code and recompile
    • Disassemble code snippet
    • Locate code
    • Rewrite code

Obfuscation

  • add useless code
  • divide code into functions
  • expand code lines or strings

Encryption

Staging ⇒ download malicious code at runtime

Finding Malicious Signatures

  • Divide malicious file
  • Check if first half gets detected
  • If yes, signature is in first half
  • If no, check if second half gets detected
  • If yes, signature is in second half
  • If no, you may need to divide the file differently
  • Keep half containing signature
  • Repeat

Windows Defender

Static Analysis

Import Address Table

flag known bad API call combos: VirtualAlloc, VirtualProtect, CreateThread

load imports at runtime instead ⇒ resolve them with GetProcAddress after LoadLibrary/GetModuleHandle

Problems and Solutions

Problem 1: the string "CreateThread" still exists in the PE file
Solution: declare it differently

Problem 2: GetProcAddress and GetModuleHandle might be flagged
Solution: create your own implementation

Problem 3: the string "CreateThread" still exists in process memory
Solution: two alternatives

  • use ordinals instead of function names ⇒ position of the function in the export address table of kernel32.dll
  • API hashing ⇒ 1. hash each export in the export address table of kernel32.dll, then 2. check if the hash matches the hash of "CreateThread"
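An added example, not from the slides, showing the defender's side of the two Static Analysis slides above: a static triage of a PE's import table that flags the known-bad VirtualAlloc / VirtualProtect / CreateThread combination, flags a sparse import table that still pulls in the runtime resolvers (the footprint of loading imports at runtime), and looks for the API names that Problem 1 says remain as plain strings in the file. The import lists, the threshold and the byte blobs are constructed sample data; reading the import directory out of a real file (for example with the pefile library) is left out.

```python
"""Static triage of a PE import table and its leftover API-name strings.

Added example, not part of the original slides. All imports, thresholds and
byte blobs below are constructed sample data.
"""
import re

SUSPICIOUS_COMBO = {"VirtualAlloc", "VirtualProtect", "CreateThread"}
RUNTIME_RESOLVERS = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW",
                     "GetModuleHandleA", "GetModuleHandleW"}
SPARSE_IAT_LIMIT = 10  # assumed threshold: real programs import far more than this
# NUL-terminated ASCII API names worth noticing when they sit in a file's bytes
API_NAME_RE = re.compile(
    rb"(VirtualAlloc(?:Ex)?|VirtualProtect(?:Ex)?|CreateThread|CreateRemoteThread|WriteProcessMemory)\x00")


def triage_imports(imports):
    """imports: {dll: [function names]} as read from the import directory.

    Returns a list of human-readable findings (empty list = nothing flagged)."""
    names = {fn for fns in imports.values() for fn in fns}
    findings = []
    if SUSPICIOUS_COMBO <= names:
        findings.append("known-bad import combo: " + ", ".join(sorted(SUSPICIOUS_COMBO)))
    resolvers = RUNTIME_RESOLVERS & names
    # a tiny IAT whose only interesting entries are the resolvers is the
    # signature of "load imports at runtime"
    if resolvers and len(names) <= SPARSE_IAT_LIMIT:
        findings.append("sparse IAT with runtime resolvers: " + ", ".join(sorted(resolvers)))
    return findings


def find_api_strings(data):
    """Sorted, de-duplicated API names present as plain strings in the file bytes."""
    return sorted({m.group(1).decode() for m in API_NAME_RE.finditer(data)})


# constructed samples
OBVIOUS_IMPORTS = {"KERNEL32.dll": ["VirtualAlloc", "VirtualProtect", "CreateThread", "ExitProcess"]}
HIDDEN_IMPORTS = {"KERNEL32.dll": ["GetProcAddress", "GetModuleHandleA", "ExitProcess"],
                  "USER32.dll": ["MessageBoxA"]}
STRINGS_LEFT = b"\x00\x00CreateThread\x00VirtualAlloc\x00hello\x00kernel32.dll\x00"
STRINGS_GONE = b"\x00\x00\x7b\x12\x9a\x00hello\x00kernel32.dll\x00"  # names replaced by ordinals/hashes

if __name__ == "__main__":
    print(triage_imports(OBVIOUS_IMPORTS))
    print(triage_imports(HIDDEN_IMPORTS))
    print(find_api_strings(STRINGS_LEFT), find_api_strings(STRINGS_GONE))
```

The second blob shows the limit of the string check: once names are replaced by ordinals or hashes (Problem 3), nothing is left to match in the file, which is why the later slides move on to memory and behavioural indicators.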

Dynamic Analysis

Runs code in a sandbox (contained environment)

  • Detect the sandbox and exit
    • Check computer resources (CPU core count, RAM)
    • Check existing users or Active Directory domain
    • Check computer name
    • Check time difference after sleeping
  • Do something complex that the sandbox does not emulate
    • Sleep for a long time
    • Allocate memory too large for the sandbox to handle
    • Check contents of a webpage
    • Serve code over a mailslot or named pipe

Command & Control (C2) Beacon

assume somebody is monitoring network traffic

Goals

  • disguise malicious traffic as legitimate
  • make traffic as infrequent as possible

How To

  • pick a legitimate outbound protocol on target (HTTPS, DNS)
    • outbound guarantees it won’t be blocked by firewall
  • wrap all traffic in that protocol
    • pick a legitimate request and make it look like that
  • sleep (do nothing) for a while between requests
    • longer sleep = less likely to get detected BUT less interactive
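An added example, not from the slides, showing what the "sleep between requests" trade-off looks like from the monitoring side: a beacon that sleeps a fixed interval leaves evenly spaced requests for one (source, destination) pair, so a detector can group outbound requests per pair, take the gaps between consecutive requests and flag pairs whose gaps are nearly constant. The log lines are constructed sample data in a simplified "<ISO timestamp> <src> <dst>" format, and the thresholds are assumed starting values.

```python
"""Periodicity check for beacon-like outbound traffic.

Added example, not part of the original slides. Log lines are constructed
sample data; thresholds are assumed and should be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_REQUESTS = 8   # need enough samples before timing means anything
MAX_CV = 0.15      # std-dev / mean of the gaps; 0.0 would be perfectly periodic


def parse_log(lines):
    """Yield (timestamp, src, dst) from lines like '2024-05-01T10:00:00 10.0.0.5 updates.example.net'."""
    for line in lines:
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(lines):
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs whose timing looks like a beacon."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(lines):
        times[(src, dst)].append(ts)
    suspects = {}
    for pair, stamps in times.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:           # all requests at the same instant: a burst, not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= MAX_CV:
            suspects[pair] = (round(avg, 1), round(cv, 3))
    return suspects


def _make_lines(src, dst, offsets_seconds):
    """Constructed log lines at the given offsets from a fixed start time."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    return [f"{(base + timedelta(seconds=o)).isoformat()} {src} {dst}" for o in offsets_seconds]


# constructed: a 60 s beacon with a few seconds of jitter, and a person browsing in bursts
SAMPLE_LOG = (
    _make_lines("10.0.0.5", "updates.example.net", [0, 61, 120, 182, 240, 299, 361, 420, 479, 541])
    + _make_lines("10.0.0.7", "www.example.org", [0, 3, 4, 40, 41, 300, 302, 900, 901, 1500])
)

if __name__ == "__main__":
    for pair, (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{pair[0]} -> {pair[1]}: every {gap}s, cv={cv}")
```

Longer sleeps with more jitter push the coefficient of variation above the threshold, which is exactly the slide's trade-off; the monitoring side answers with longer observation windows and more samples per pair rather than a tighter threshold.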

Behavioural Analysis

*in-memory tradecraft* → touch disk as little as possible

  • avoids static and dynamic analysis

Local Process Injection Advantages

  • remote injection requires getting a handle to another process
  • many remote injection techniques require creating a new process (e.g. one that needs to be in a suspended state)
  • can perform a wide variety of actions

Remote Process Injection Advantages

  • remote process is already trusted and performs similar tasks normally
    • important to choose the right process
  • once running, malware is much harder to spot

Memory Indicators of Maliciousness

executable memory regions for msedge.exe

  • there are no RWX memory regions ⇒ RWX memory = malicious
  • executable memory is backed by a DLL ⇒ no backing DLL = malicious

write code to RW memory → change permissions to RX → run code (VirtualProtect | VirtualProtectEx)

module overloading/stomping: load a DLL → overwrite the DLL's memory with code
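An added example, not from the slides, applying the two memory indicators above to a process's region list and adding the check that module stomping forces: a scanner walks each committed region and flags RWX regions and executable regions with no backing image, then compares a mapped code section with its on-disk copy because a stomped DLL still looks "backed". The region list, paths and byte buffers are constructed sample data in the shape a VirtualQueryEx-style walk or a memory-map tool would give.

```python
"""Memory-region indicators: RWX, unbacked executable memory, stomped modules.

Added example, not part of the original slides. Regions, paths and byte
buffers are constructed sample data.
"""

# (base address, size, protection, backing image path or None)
SAMPLE_REGIONS = [
    (0x7FF6A0000000, 0x1000,  "R",   r"C:\example\msedge.exe"),         # PE header
    (0x7FF6A0001000, 0x80000, "RX",  r"C:\example\msedge.exe"),         # .text
    (0x7FFD10001000, 0x20000, "RX",  r"C:\Windows\System32\ntdll.dll"),
    (0x01A2B3C40000, 0x10000, "RW",  None),                             # heap, normal
    (0x01A2B3C60000, 0x1000,  "RWX", None),                             # indicator 1
    (0x01A2B3C80000, 0x1000,  "RX",  None),                             # indicator 2: RW flipped to RX
]


def scan_regions(regions):
    """Return [(hex base, reason)] for regions matching either indicator."""
    findings = []
    for base, _size, prot, backing in regions:
        if prot == "RWX":
            findings.append((hex(base), "RWX region"))
        elif "X" in prot and backing is None:
            findings.append((hex(base), "executable region not backed by an image"))
    return findings


def find_stomped_ranges(mapped_text, disk_text):
    """Byte runs [(offset, length)] where a module's mapped .text differs from the file on disk.

    Some differences are legitimate (relocations, the EDR's own hooks), so treat
    hits as leads to inspect rather than verdicts."""
    runs, start = [], None
    for i, (m, d) in enumerate(zip(mapped_text, disk_text)):
        if m != d and start is None:
            start = i
        elif m == d and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(mapped_text) - start))
    return runs


# constructed: 100 bytes of "code" on disk, and the same mapping with 16 bytes overwritten
DISK_TEXT = b"\x48\x89\x5c\x24\x08" * 20
STOMPED_TEXT = DISK_TEXT[:16] + b"\x90" * 16 + DISK_TEXT[32:]

if __name__ == "__main__":
    for base, reason in scan_regions(SAMPLE_REGIONS):
        print(base, reason)
    print("stomped ranges:", find_stomped_ranges(STOMPED_TEXT, DISK_TEXT))
```

The RW → RX → run sequence from the slide produces exactly the second kind of hit (private memory that is executable), while stomping produces none from `scan_regions` and only shows up in the disk comparison.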

Call Stack Indicators of Maliciousness

sample thread call stack for msedge.exe

  • call stack is predictable ⇒ a stack that doesn't follow the expected call sequence = malicious
  • each return address is backed by a DLL ⇒ no backing DLL = malicious

call stack spoofing ⇒ fake the thread call stack while sleeping
create backup of thread stack → overwrite thread stack → sleep → restore thread stack

  • spoof the stack of a sleeping thread (WaitForSingleObject)

https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers
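An added example, not from the slides, applying the two call-stack indicators above to captured thread stacks: for each thread it flags return addresses that no loaded module backs and checks that the outermost frames are the usual user-thread start, then narrows attention to sleeping threads, the ones the slide says spoofing targets. The stacks are constructed sample data (innermost frame first, as return address plus "module!symbol" or None for unbacked memory), and the expected stack bottom is an assumed baseline for x64 Windows.

```python
"""Call-stack indicators: unbacked return addresses and an unusual thread origin.

Added example, not part of the original slides. Thread stacks are constructed
sample data; EXPECTED_STACK_BOTTOM is an assumed x64 baseline.
"""

# outermost two frames a normal x64 user-mode thread ends in (assumed baseline)
EXPECTED_STACK_BOTTOM = ["kernel32.dll!BaseThreadInitThunk", "ntdll.dll!RtlUserThreadStart"]
SLEEP_FRAMES = {"NtWaitForSingleObject", "NtDelayExecution"}  # innermost frame of a parked thread


def check_stack(frames):
    """Return [(location, reason)] findings for one thread's stack (empty = looks normal)."""
    findings = []
    for addr, sym in frames:
        if sym is None:
            findings.append((hex(addr), "return address not backed by a module"))
    bottom = [sym for _addr, sym in frames[-2:]]
    if bottom != EXPECTED_STACK_BOTTOM:
        findings.append(("stack bottom", "thread does not originate from the usual thread start"))
    return findings


def is_sleeping(frames):
    """True if the thread is parked in a wait, the state call-stack spoofing is built around."""
    if not frames or frames[0][1] is None:
        return False
    return frames[0][1].split("!")[-1] in SLEEP_FRAMES


def triage_threads(threads):
    """threads: {tid: frames}. Returns {tid: findings} for sleeping threads that have findings."""
    return {tid: check_stack(frames) for tid, frames in threads.items()
            if is_sleeping(frames) and check_stack(frames)}


SAMPLE_THREADS = {
    1040: [  # legitimate worker thread waiting on an event
        (0x7FFD10011234, "ntdll.dll!NtWaitForSingleObject"),
        (0x7FFD0F001000, "kernelbase.dll!WaitForSingleObjectEx"),
        (0x7FF6A0041000, "msedge.exe!WorkerLoop"),
        (0x7FFD0FF01000, "kernel32.dll!BaseThreadInitThunk"),
        (0x7FFD10021000, "ntdll.dll!RtlUserThreadStart"),
    ],
    2088: [  # sleeping thread whose callers live in private, unbacked memory
        (0x7FFD10011234, "ntdll.dll!NtWaitForSingleObject"),
        (0x7FFD0F001000, "kernelbase.dll!WaitForSingleObjectEx"),
        (0x01A2B3C60123, None),
        (0x01A2B3C60000, None),
    ],
}

if __name__ == "__main__":
    for tid, findings in triage_threads(SAMPLE_THREADS).items():
        print(tid, findings)
```

A spoofed stack that has been rewritten to look like thread 1040 passes this check by design, which is the point of the linked post; the memory indicators from the previous slide are the natural cross-check, since the real return addresses still live somewhere.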

API Hooks (User DLL)

Same call path, with the EDR hook placed in the User DLL:

  • program.exe → calls CreateRemoteThread
  • kernel32.dll (User DLL) → CreateRemoteThread ⇐ EDR hook: log CreateRemoteThread, take action (optional)
  • ntdll.dll (NTDLL) → NtCreateThreadEx → syscall
  • ntoskrnl.exe (Kernel) → handles the system call

Circumventing API Hooks (User DLL)

Use NTDLL functions instead!

Circumventing API Hooks (User DLL)

  • program.exe → calls NtCreateThreadEx directly
  • kernel32.dll (User DLL) → CreateRemoteThread and its EDR hook (log CreateRemoteThread, take action) are never reached
  • ntdll.dll (NTDLL) → NtCreateThreadEx → syscall
  • ntoskrnl.exe (Kernel) → handles the system call

API Hooks (NTDLL)

  • program.exe → calls CreateRemoteThread
  • kernel32.dll (User DLL) → CreateRemoteThread calls NtCreateThreadEx
  • ntdll.dll (NTDLL) → NtCreateThreadEx ⇐ EDR hook: log NtCreateThreadEx, take action (optional)
  • ntoskrnl.exe (Kernel) ← syscall

Circumventing API Hooks (NTDLL)

A few options

  • overwrite API hooks ⇒ remap a clean copy of NTDLL from disk
    • Problem: EDR can check if hooks are present
  • manual mapping ⇒ map a separate clean copy of NTDLL from disk
  • direct syscalls ⇒ use syscall instruction to go straight to kernel
    • Problem: normal programs don’t contain syscall instruction → flagged by EDR
  • indirect syscalls ⇒ jump directly to syscall instruction in NTDLL

Manual Mapping

Syscalls

Direct Syscall

  • program.exe → contains its own syscall instruction and executes it
  • kernel32.dll (User DLL) → CreateRemoteThread is not called
  • ntdll.dll (NTDLL) → NtCreateThreadEx and its EDR hook (log NtCreateThreadEx, take action) are not reached
  • ntoskrnl.exe (Kernel) → receives the syscall directly from program.exe

Indirect Syscall

  • program.exe → sets up the call itself, then jumps to the syscall instruction inside ntdll.dll
  • kernel32.dll (User DLL) → CreateRemoteThread is not called
  • ntdll.dll (NTDLL) → the NtCreateThreadEx entry and its EDR hook (log NtCreateThreadEx, take action) are skipped; only the syscall instruction runs
  • ntoskrnl.exe (Kernel) → receives the syscall from an address inside ntdll.dll

Easy Win?

malicious DLLs are detected much less often than EXEs

  • can’t run a DLL in a sandbox (dynamic analysis)
  • AppLocker DLL rules aren’t enforced
  • DLLs are loaded by legitimate processes → no process injection, some behaviours get overlooked
    • if a custom unsigned exe reaches out to the internet regularly, that’s strange
    • if msedge.exe reaches out to the internet regularly, that’s normal

DLL Hijacking

  • drop malicious DLL where it will be loaded by another program
  • wait for program to run

Advantage: no clear attack chain → initial DLL drop and malicious actions are separate

DLL Hijacking

Hijackable DLLs: https://hijacklibs.net

Initial Access

Entry Points

Attacking Machines

  • poor infrastructure development (architects/developers)
  • misconfigurations (administrators)
  • abusing intended features

Attacking People: Social Engineering

  • cloned login page
  • shortcut file (PowerShell, VBScript, or MSHTA)
  • Microsoft Word VBA Macro
  • Microsoft Word Remote Template → VBA Macro
  • executable (hide extension with .pif or Right To Left Override)
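An added example, not from the slides, screening attachment and download filenames for the disguises listed under "Attacking People": it flags a Right-To-Left Override (U+202E) or any other bidi control character, an executable or script extension (.exe, .pif, .scr, .lnk, .hta, .vbs and so on), and a document-looking inner extension in front of it, and it renders what the user actually sees so the two can be compared side by side. The filenames are constructed sample data and the extension sets are an assumed starting list.

```python
"""Filename screening for RTLO, .pif-style and double-extension disguises.

Added example, not part of the original slides. Filenames are constructed
sample data; the extension sets are an assumed starting list.
"""
import os

BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".lnk", ".hta", ".vbs", ".vbe",
                    ".js", ".jse", ".ps1", ".bat", ".cmd", ".wsf"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".txt", ".jpg", ".png"}


def displayed_name(name):
    """Render the name the way a bidi-aware UI shows it: text after U+202E is reversed."""
    i = name.find("\u202e")
    return name if i < 0 else name[:i] + name[i + 1:][::-1]


def screen_filename(name):
    """Return the reasons this filename is suspicious (empty list = nothing found)."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi control character in name")
    # splitext works on the real string, so the RTLO trick does not fool it
    stem, ext = os.path.splitext(name.lower())
    if ext in RISKY_EXTENSIONS:
        findings.append(f"executable extension {ext}")
        inner = os.path.splitext(stem)[1]
        if inner in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension {inner}{ext}")
    return findings


# constructed samples: one clean name, then the disguises from the slide
SAMPLE_NAMES = ["report.pdf", "invoice\u202efdp.exe", "statement.pdf.pif",
                "notes.txt.lnk", "setup.exe"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{displayed_name(name)!r:24} actual={name!r:28} {screen_filename(name)}")
```

The RTLO case is the instructive one: the user sees "invoiceexe.pdf" while the real name ends in ".exe", so a mail gateway or download scanner must inspect the raw string, never the rendered one.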

Restricting Runnable Files

AppLocker ⇒ helps prevent users from running unapproved software

  • hash value
  • original filename
  • file path location
  • publisher (signed by a particular CA)

vs

Windows Defender Application Control (WDAC) ⇒ official security feature (Windows 10 / Windows Server 2016 and later only)

  • anything AppLocker can do
  • process that installed the app
  • process running the app/binary
  • app reputation based on Intelligent Security Graph

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview

Circumventing AppLocker/WDAC

Options:

  • reverse rules to find exception
  • Living Off The Land Binaries (LOLBAS)
  • check for code signing template

reversing WDAC rules: CIPolicyParser

  • obtain from GPO or locally (C:\Windows\System32\CodeIntegrity\CIPolicy.p7b)

LOLBAS

Microsoft recommended blocklist: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac

PowerShell Constrained Language Mode (CLM)

“a language mode of PowerShell designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs”

Enforcing PowerShell CLM

  • __PSLockdownPolicy environment variable (not recommended)
  • through AppLocker or WDAC
    • “Any PowerShell script that isn't allowed by WDAC policy still runs, but only in Constrained Language Mode”

Bypasses

  • remove environment variable (must be admin)
  • include System32 in path
  • downgrade to PowerShell 2.0
  • run in unmanaged runspace

Attack Surface Reduction (ASR)

rules that restrict certain actions

  • rules can be read by any user
  • exclusions can only be read by local admin

Types of Exclusions

  • default exclusions by Microsoft
  • custom exclusions → usually defined in GPO

Sample Rules

  • Block all Office applications from creating child processes
  • Block Win32 API calls from Office macros
  • Block Office applications from injecting code into other processes
  • Block process creations originating from PSExec and WMI commands
  • Block credential stealing from the Windows local security authority subsystem

Determining Enabled Rules

obtain from GPO or locally in registry

  • check if ASR enabled: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ExploitGuard_ASR_Rules
  • ASR rules: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules

rule to GUID matrix: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix
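An added example, not from the slides, reading ASR state out of an exported copy of the registry keys named above, so an administrator can see which rules are actually blocking. Under the Rules key each value is a rule GUID whose string data is the mode (0 = disabled, 1 = block, 2 = audit, 6 = warn); the parser consumes text in the format `reg export` writes and reports each rule's mode. The export text is constructed sample data, the all-zero GUID is a placeholder for an unknown rule, and the GUID-to-name table is deliberately tiny (two entries as I recall them from the rule-to-GUID matrix linked above; verify against that page before relying on them).

```python
"""Parse ASR rule state from a `reg export` of the Windows Defender Exploit Guard keys.

Added example, not part of the original slides. SAMPLE_EXPORT is constructed;
RULE_NAMES is a partial table to be filled from the Microsoft rule-to-GUID matrix.
"""
import re

ASR_MODES = {"0": "disabled", "1": "block", "2": "audit", "6": "warn"}
RULE_NAMES = {  # partial; extend from the rule-to-GUID matrix
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2": "Block credential stealing from the Windows local security authority subsystem",
}
VALUE_RE = re.compile(r'^"([0-9a-f-]{36})"="(\d+)"$', re.IGNORECASE)
ENABLED_RE = re.compile(r'^"ExploitGuard_ASR_Rules"=dword:([0-9a-f]{8})$', re.IGNORECASE)


def asr_enabled(text):
    """True if the export shows ExploitGuard_ASR_Rules set to 1."""
    for line in text.splitlines():
        m = ENABLED_RE.match(line.strip())
        if m:
            return int(m.group(1), 16) == 1
    return False


def parse_asr_export(text):
    """Return {guid: mode} for the values under the ...\\ASR\\Rules key."""
    rules, in_rules_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # a key header switches context
            in_rules_key = line.rstrip("]").lower().endswith(r"\asr\rules")
            continue
        m = VALUE_RE.match(line)
        if in_rules_key and m:
            rules[m.group(1).lower()] = ASR_MODES.get(m.group(2), f"unknown({m.group(2)})")
    return rules


def describe(rules):
    """[(rule name or GUID, mode)] sorted by GUID, for a quick report."""
    return [(RULE_NAMES.get(guid, guid), mode) for guid, mode in sorted(rules.items())]


def not_blocking(rules):
    """GUIDs that are configured but not in block mode: the first gaps to review."""
    return sorted(guid for guid, mode in rules.items() if mode != "block")


# constructed export: ASR on, one rule blocking, one only auditing, one disabled placeholder
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR]
"ExploitGuard_ASR_Rules"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules]
"d4f940ab-401b-4efc-aadc-ad5f3c50688a"="1"
"9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"="2"
"00000000-0000-0000-0000-000000000000"="0"
"""

if __name__ == "__main__":
    rules = parse_asr_export(SAMPLE_EXPORT)
    print("ASR enabled:", asr_enabled(SAMPLE_EXPORT))
    for name, mode in describe(rules):
        print(f"{mode:9} {name}")
    print("not blocking:", not_blocking(rules))
```

Because the slide notes that any user can read the rules while only local admins can read the exclusions, this report is the part an analyst can produce from an unprivileged export; the exclusion review still needs admin access.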

Circumventing ASR

Options:

  • reverse exclusions and leverage exclusion
  • find another way to accomplish the same thing

Example: Block all Office applications from creating child processes

  • Option 1: run child process from excluded path (GetPathExclusions)
  • Option 2: create scheduled task that starts in 1 second

Ideas: https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf

Win32 API calls in MS Office: https://github.com/med0x2e/GadgetToJScript

  • generates “.NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA scripts”

To Be Added (post-exploitation)

  • PPID and Argument Spoofing
  • Antimalware Scan Interface (AMSI) and bypasses
  • Event Tracing for Windows (ETW) and bypasses
  • Protected Processes and dumping LSASS
    • userland bypasses (change over time)
    • kernel driver bypass
  • Driver Signature Enforcement
    • Living Off The Land Drivers: https://www.loldrivers.io
  • Kernel Callbacks
    • zeroing a callback (requires local admin)
  • BOF vs Fork-and-Run
