You are browsing the archive for Random ideas.

Commander Minority Report

November 21, 2020 in Random ideas

This is an idea I have not tested in practice, but it emerged in response to a simple question:

  • What if sysmon, 4688, EDR command line logging couldn’t catch a thing?

I am not the first one to ask this question and @_xpn_ has a great post about an argument spoofing trick one can use to fool command line interceptors: create a suspended process, then inject a proper command line argument after the process creation event has been intercepted, then resume the process with the new command line injected.

So… that made me think about what command line really is.

And command line is basically a string that is being parsed to set up a internal state for the program that parses it. And with that we can ask another question: is there a way to manipulate the process state and assign appropriate values to internal engine of the targeted tool and make it run as if a command line argument was provided, but without providing that command line? Of course, to do so one needs to know intricacies of the process that is being manipulated but it’s relatively straightforward for targets like powershell (source code available), or even v|cbscript / cmd.

Perhaps there is a scope for a completely new type of offensive engine that takes instrumentation to a completely new level…

MUI Poisoning in practice

August 22, 2020 in Anti-Forensics, Living off the land, Malware Analysis, Random ideas

In my old post I discussed the idea of MUI poisoning. Today I want to show a practical example of this technique – one that has an interesting impact on incident response efforts.

Some security solutions rely on running local, native OS binaries to collect information from the system. Tool like netstat, ipconfig, etc. are executed on regular basis and data is collected and aggregated in some log repository.

These local tools often rely on MUI files and this is where we step in. By modifying the MUI files of selected tools one could force these tools to return complete garbage. For instance, the following example shows netstat.exe where its MUI was modified to always return a source IP where the destination IP would be listed. The change can be made using the old tool Resource Hacker:

Once we replace the MUI file, netstat.exe will return stuff like this:

This anti-forensic technique could be potentially expanded to cover every single piece of software that relies on external language files (let it be MUI, or anything else). As long as these format string patterns can be manipulated security software could be forced to present garbage output; for instance – malware alerts reporting wrong paths (e.g. hardcoded, non existing paths), or Windows Event logs reporting misleading information.