Threat Hunting – architecture issues…

May 4, 2023 in ARM, threat hunting

In my recent post I focused on localization issues, but there is (always!) more…

Take a look at the Windows 11 ARM version – when you install it you will immediately notice that it includes a number of unusual folders that your threat hunting rules (we are so used to relying on Intel-centric paths!) simply… “don’t see”, e.g.:

  • \Windows\SyChpe32\
  • \Windows\SysArm32\
  • \Program Files (Arm)\

Luckily, there is already a body of knowledge out there that describes some of these folders in detail…

Yup. After a few decades of Intel’s dominance we are moving towards the ARM world and there is no excuse: we need to start looking at the ‘new’ that these changes bring… To be frank… I am as late to this party as anyone else… I always looked at ARM stuff with a bit of “huh, interesting, but not gonna stick” and kinda learned some bits about it here, there, and kinda in-between… Meaning: yes, I can read and interpret most of the ARM assembly code, and I also like the decompiled ARM code, but I am definitely far behind when it comes to understanding the hardware and its tricks, especially if compared to Intel, so I am gonna work hard to conquer it over the next few months… So, yup, today I embrace ARM and actually plan to spend a lot of time reading about it, because I fear that if I don’t, I will become a liability soon…

Coming back to the threat hunting angle… how many different system32 directories do we have out there today?

  • System32
  • SysWOW64
  • SysArm32
  • SysX8664
  • SysArm64
  • SyChpe64
  • sysnative (not a folder that exists on disk; it is the WoW64 file system redirection alias a 32-bit process uses to reach the native System32, but it does show up in paths and in telemetry)

Is that all? There are probably some variations of the main Windows OS folder itself as well (that is: C:\Windows, C:\Windows.000, C:\WINNT, etc.), but hopefully we are in good shape for the next few years…
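To make the point about Intel-centric rules concrete, here is an added example (my own code, not the author’s, and not a tool from the post): it canonicalizes image paths so that every system32 variant listed above, under any of the Windows root folder names just mentioned, plus the Program Files (Arm) folder from the first list, collapses into one architecture-neutral form that a hunting rule can be written against once. The sample event paths are constructed, the %sysdir% token is invented for this example (it is not a real Windows environment variable), and the short list of "known system binary" names is an illustrative subset, not a complete one.

```python
import re

# System directory names from the post (compared case-insensitively).
# "sysnative" is not an on-disk folder but the WoW64 alias a 32-bit process
# uses to reach the native System32; it still appears in logged paths.
SYSTEM_DIRS = {
    "system32", "syswow64", "sysarm32", "sysx8664",
    "sysarm64", "sychpe32", "sychpe64", "sysnative",
}

# Windows root folder names mentioned in the post: Windows, Windows.000
# (and similar numbered variants), WinNT.
_ROOT_RE = r"(?:windows(?:\.\d{3})?|winnt)"
# Program Files, Program Files (x86), Program Files (Arm).
_PROGFILES_RE = r"program files(?: \((?:x86|arm)\))?"

_SYS_PATH = re.compile(
    r"^(?P<drive>[a-z]):\\" + _ROOT_RE + r"\\(?P<sysdir>[^\\]+)\\(?P<rest>.+)$"
)
_PF_PATH = re.compile(
    r"^(?P<drive>[a-z]):\\" + _PROGFILES_RE + r"\\(?P<rest>.+)$"
)

# Constructed sample process-image paths (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\SysWOW64\cmd.exe",
    r"C:\Windows\SysArm32\cmd.exe",
    r"C:\Windows\SysX8664\cmd.exe",
    r"C:\Windows\SyChpe32\cmd.exe",
    r"C:\Windows\sysnative\cmd.exe",
    r"C:\WINNT\system32\cmd.exe",
    r"C:\Program Files (Arm)\Vendor\tool.exe",
    r"C:\Users\bob\AppData\Local\Temp\cmd.exe",
]

# Illustrative subset of system binary names worth watching for masquerading.
SYSTEM_BINARIES = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe"}


def _normalize(path: str) -> str:
    """Lower-case, unify slashes and collapse repeated backslashes."""
    p = path.strip().replace("/", "\\").lower()
    return re.sub(r"\\{2,}", r"\\", p)


def canonicalize(path: str) -> str:
    """Rewrite an image path into an architecture-neutral form.

    Any system32 variant under any Windows root becomes
    %systemroot%\\%sysdir%\\..., any Program Files flavour becomes
    %programfiles%\\..., everything else is returned normalized but unchanged.
    %sysdir% is a token made up for this example.
    """
    p = _normalize(path)
    m = _SYS_PATH.match(p)
    if m and m.group("sysdir") in SYSTEM_DIRS:
        return r"%systemroot%\%sysdir%" + "\\" + m.group("rest")
    m = _PF_PATH.match(p)
    if m:
        return r"%programfiles%" + "\\" + m.group("rest")
    return p


def naive_rule(path: str) -> bool:
    """The Intel-centric rule most of us wrote: literal \\Windows\\System32\\ only."""
    return "\\windows\\system32\\" in _normalize(path)


def arch_aware_rule(path: str) -> bool:
    """Same intent, but covers every system directory variant and root name."""
    return canonicalize(path).startswith(r"%systemroot%\%sysdir%" + "\\")


def masquerading(path: str) -> bool:
    """A well-known system binary name executing from outside any system dir."""
    name = canonicalize(path).rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not arch_aware_rule(path)


def hunt(events):
    """Run both rules over a batch of image paths and report coverage."""
    return {
        "naive": sum(1 for e in events if naive_rule(e)),
        "arch_aware": sum(1 for e in events if arch_aware_rule(e)),
        "masquerading": [e for e in events if masquerading(e)],
    }


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e:45} -> {canonicalize(e)}")
    print(hunt(SAMPLE_EVENTS))
```

Over the constructed sample the literal System32 rule fires once, while the canonicalized rule fires on all seven system-directory paths (including the WinNT root and the sysnative alias); the cmd.exe in the user’s Temp folder is the only masquerading hit, which is the kind of finding the Intel-only rule would have missed on an ARM box simply because SysArm32 never matched.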

Again, there are some cool blog posts about some of these changes out there.

And just because we know these folder names, we should not be fooled into thinking we are done… We are looking at a completely different OS build, a different architecture it has to deal with, different software needs, and, I bet, many undiscovered bugs, quirks, features, and gotchas…

There must also be new phantom DLL loads and persistence mechanisms waiting to be discovered, for sure.

It’s actually quite exciting…

It’s the area I hope to explore more over the next months… stay tuned.
