You are browsing the archive for EDR.

Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 2

October 4, 2017 in Anti-*, EDR, Incident Response

Update

After my post Zod contacted me with this mike-dropping link: Ultimate AppLocker ByPass List. Really lots of good stuff there! Thx Zod!

Old Post

In the first part I listed a couple of examples of programs that may be used as a proxy to launch other programs. In the meantime, subTee kicked off a very interesting thread on Twitter listing a number of signed .exe binaries that can be used as a proxy to load a DLL. Yesterday I came across a few cool posts by @0rbz_. This in return reminded me of my first post and I decided to add a few more proxy/living off the land ideas.

There is a number of signed .exe that can be used to load other .exes or .dlls and as a result – break standard EDR detection rules, or bypass some whitelisting. This may sometimes involve copying the signed binary to your folder in order to sideload your DLL (PlugX is a very good example, funnily enough – in many cases they don’t even need to bring a signed .exe and fetch one that is typically present on the system).

Here is the list:

  • AppVLP.exe – to launch .exe
    • From this Tweet by @0rbz_
    • Just run C:\Program Files\Microsoft Office\root\client\AppVLP.exe <exename>
  • pcalua.exe
    • From this Tweet by @0rbz_ and mentioned on this forum
    • Just run C:\windows\system32\pcalua.exe -a <exename>
  • odbcconf.exe – to load .dll
    • From this Tweet by¬† subTee
    • odbcconf.exe /f my.rsp
  • odbcad32.exe – to load .dll via GUI
    • drop c:\windows\system32\<dllfile>
    • run odbcad32.exe
    • go to Tracing Tab
    • choose Custom Trace DLL
    • hit Start Tracing Now
  • WinMail.exe – to load .dll
    • copy c:\Program Files\Windows Mail\WinMail.exe to your folder
    • name your DLL ‘msoe.dll’
    • launch one of these
      • WinMail.exe /identcatalog
      • WinMail.exe /identfileslist:foo
      • WinMail.exe /identfile:foo
  • xwizard.exe – to load .dll
    • From my previous post
    • copy c:\WINDOWS\system32\xwizard.exe to your folder
    • name your DLL ‘xwizards.dll’
    • run xwizard.exe with at least two arguments
  • java.exe – to load .dll
    • From my previous post
    • run java -agentlib:<dllname>
      or
    • run java -agentpath:<dllname_with_dll_extension>
  • any other phantom / sideloaded dlls – to load .dll

If you know of any other tricks like this, please let me know. Thanks!

p.s. as I was about to post it, Huntress Labs just published yet another cool technique using WseClientSvc.exe passthru.exe calc.exe!

Sysmon doing lines

October 2, 2017 in Anti-Forensics, EDR, Forensic Analysis, Incident Response, Malware Analysis

This is just an experiment I ran today to see if I could fool sysmon (or more specifically: any program that parses sysmon logs, or users viewing the sysmon logs in the Event Viewer) into doing an extra line, or two… .

What if…

…the command line of the spawn process (calculator in this case) looked like a part of the Event Log itself? Something along these lines :

calc

 CurrentDirectory: C:\non-existing\
 User: test-pc\user
 LogonGuid: {15a1393e-e37e-58de-0000-0020e0940300}
 LogonId: 0x394E0
 TerminalSessionId: 1
 IntegrityLevel: High
 Hashes: SHA1=2E391131F9B77A8EC0E0172113692F9E2CCCEAF0
 ParentProcessGuid: {15a1393e-97f2-59d2-0000-0010a4d8a500}
 ParentProcessId: 666
 ParentImage: C:\windows\system32\calc.exe

Obviously, you can’t run it from a command line, you need a program to run it for you using the CreateProcess API.

The result would be like this:

So… when the data is previewed, the user can (at least for a moment) believe the calc.exe was indeed spawn by the process ID 666 and parent process is calc.exe (which on its own is kinda difficult), and the current directory is c:\non-existing.

Programs exporting logs into CSV/TXT could get potentially fooled too as the injected data lines up with expected logs and a possible state machine parsing them could be fooled; one could potentially inject a number of such fake logs and potentially disturb the log parsing process and create some funny, non-existing process-tree scenario.