A few ideas to mess around with threat hunting, and EDR software (anti-threat hunting/anti-edr)

Posted on by

I just came back from holidays and since time off it’s usually a great time to make your brain run idle, it often turns it into a bit more creative device than usual. As a result I came up with a number of ideas that I will post about in the coming days. I’ll kick it off by discussing the anti-threat hunting/anti-edr techniques.

I do threat hunting for living, so it’s not just a post to play a devil’s advocate, but an invitation to discuss ways of detecting techniques I am going to present below (and potentially others).

To stay focused, I’ll mainly talk about the process creation events that can be typically analyzed inside Splunk (or other log aggregator) that is collecting Windows Event logs (f.ex. Security events with the Event ID 4688) and data from a typical EDR software (this includes sysmon). The discussion can be extended to other events quite easily.

Okay, so let’s assume that we have a nice collection of events showing us all the process names (and possibly command line options) from the systems and we already created rules for detecting some anomalies + we regularly review the alerts and new event logs to see if there is any new anomaly that we can potentially spot by just eyeballing data and codify into a new alert/watchlist. A clever attacker could attempt to modify our logs in a way that could affect these automated detections & analysis by attempting to hide the execution of some processes, or if lucky (I have not tested it), perhaps even hide some of the logs from the analyst.

Here’s how it could work:

  • Many watchlists focus on process names; changing a process name turns the watchlist useless (f.ex. macro could copy ‘powershell.exe’ to ‘harmless.exe’ before executing the powershell snippet, or ‘cscript.exe’ to ‘goodprogram.exe’); try it, it actually works and since the copy operation can be delivered via API, it may be hard to spot it by just looking at process logs; to detect it we would need to look at the flow of both process creation events and preceding it file system operations
  • Lots of analysis happen on Web UI level; if the EDR or Event Viewer doesn’t process the HTML entities correctly, there is a possibility of injecting tags modifying the flow of the generated HTML; I have not tested it, but it’s a possibility
  • Possibly a silly idea, but EDR has to store data somewhere and it probably uses some database; would a carefully crafted path or a file name cause an SQL command to fail? [similar to SQL injection; could we delete all records by doing SQL injection using a specially crafted event?]
  • There are potential bugs in EDR that can be exploited
  • Homomorphic object names f.ex. paths, and file names (using two identically looking Unicode characters with one non-English replacing opcodes for English characters) may make the analyst ‘blind’; if the attacker creates ‘c:\Windоws\system32\calc.exe’ and ‘o’ in ‘Windows’ is a Cyrillic ‘о’, the paths will look identical and casual eyeballing of the data will miss this entry classifying it as a legitimate ‘c:\Windows\system32\calc.exe’; this can be detected using data stacking, and by showing the non-standard English characters (especially these that can be used for homomorphic paths) using their Unicode code in an escaped form (or using a different color at least).
  • Delays are a trouble to sandboxes. The very same is true for EDR; if the events are generated slowly, it may be hard to correlate them + they will be interleaved by a large number of other, legitimate events; unfortunately, even basic event logs are quite noisy (load module, create open file/registry, etc. – lots of it comes from legitimate OS libraries; perhaps filtering of white-listed events is required)
  • Direct attack on EDR could prevent event interception; this is not bugs per se, but understanding how the software operates may help to bypass it:
    • If the EDR doesn’t work from kernel/hypervisor level, one could modify access rights to the malicious files so they can’t be accessed; same goes for directories, registry
    • If the EDR doesn’t protect its services, processes, registry keys, files from tampering, this could help to kill its functionality (same techniques as for AV)
    • Evasions could be built-in for specific EDR that bad guys don’t know how to bypass (EDR detection working the same way as sandbox / vm detection)
    • Finally, knowing the network protocol, one could potentially install a filter (or simply patch the code in memory) that would disable the event reporting that is related to malicious activity (EDR events going via malicious proxy!)
  • Using new hacking tricks may help to bypass EDR as well (good to follow the trends in pentesting world)
  • If the system is a web server, it may be hard to spot activities on the system if delivered via a web shell that talks directly to API
  • Also, lots can be done from ntdll alone and it’s resident in every process; and while using NT call, or even syscalls directly is trickier, it could bypass some of the user-mode EDR engines as well; in other words – spawning new processes is a lazy way malware does it today, but it may change in the future
  • and so on, and so forth…

The Archaeologologogology #2 – the romantic view as seen through the winlogon.exe’s window…

Posted on by

Every once in a while people report that they suspect their systems to be infected. This is because they discover their winlogon.exe uses a very unusual, and definitely suspicious icon – the one with a the Moon, and the stars:

winlogonYou won’t see this on Windows 8 or 10 anymore, but if you look at the resources of winlogon.exe you can still find the icon there:

winlogon10Looking for the code referring to ID 14 inside the Windows 10 winlogon.exe doesn’t show any immediate results. We can try to do the same with winlogon.exe from Windows 7 – one of the OSs on which the icon is still visible directly in the Windows Explorer pane. I couldn’t find the code either, but I noted that this time the icon was listed under a different ID (notably, Windows XP lists it under the very same ID):

winlogon7First, let’s try to explain why the icon is no longer visible inside the Windows Explorer on Windows 10&8.

When Explorer chooses the icon to show for a given executable it enumerates the resources inside the file and searches for the first one that is defined as RT_GROUP_ICON (which is a bit like a set of icons – the good ol’ Resource Hacker shows it under the “Icon Group” branch). As a side note, the most typical way RT_GROUP_ICON lists are defined makes the very first icon we see on the list of icons inside Resource Hacker the one that is used by Windows Explorer.

Let’s have a look at the winlogon.exe icon groups from Windows 7.

winlogon10-iconsThe first one is ‘IDD_APPLICAITON_ICO’.

(As a side note, you have probably noticed the typo i.e. ‘applicaiton’ vs. ‘application’ in the ‘IDD_APPLICAITON_ICO’ ID name. It is actually quite an important mistake and I will explain why later on)

On Windows 7 it is slightly different:

winlogon7_iconsRight, so it’s ‘IDD_SHUTDOWN_BITMAP’, and the only icon in this set is… the Moon&the stars.

Going a bit further back, the Windows XP doesn’t use the name, but the number 4:

winlogonxpSo, we see the icon on Windows XP and 7, because it’s the very first RT_GROUP_ICON listed.

One mystery solved.

Let’s come back to the resource names we came across inside winlogon.exe from Windows 10. The name of the ‘IDD_SHUTDOWN_BITMAP’ may look familiar – if you take another look at that window (see below) you will notice that the developers inserted ‘IDD_APPLICAITON_ICO’ right above the ‘IDD_SHUTDOWN_BITMAP’ group – we can also confirm the latter is the very same icon group as in Windows 7 and on Windows XP:

winlogon10-icons2So, it’s obviously a cosmetic change intended to replace the romantic icon with a boring default application image in the newer versions of Windows.

If we take yet another look at the Icon Groups above, there is one more detail that is quite striking. There are 2 groups that use names (prefix ‘IDD_’) and 2 that use numbers.

Was it intentional?

I don’t think so.

The way Resource compiler works is that when the resource files (files with the extension .rc /which I believe are still used to build the ‘old’ executables even on Windows 10/) are compiled, the parser is looking for definitions of resource IDs which other resources may later refer to. Typical way to use the ID names is by using the approach shown below.

Inside the header file (resource.h) you write something along these lines:

#define IDD_SHUTDOWN_BITMAP 4

and later, you can refer to this resource by using the defined name (inside the .rc file):

IDD_SHUTDOWN_BITMAP ICON "moonstars.ico"

The funny side-effect (a bug/feature?) of the resource compiler is that it does not complain when it comes across a resource name that has not been defined earlier. In such cases it will blindly assume that it is… a string (a text). The root cause for this is that resource ID can be both numbers, and strings, so the arbitrary decision by the Resource Compiler to treat all unknown resource names as strings creates situations we see demonstrated on the above screenshots. Note that I intentionally chose to define IDD_SHUTDOWN_BITMAP as 4 (#define IDD_SHUTDOWN_BITMAP 4) to bring your attention to the difference between Windows XP (Icon group is number 4) and Windows 7 (icon group is a textual name ‘IDD_SHUTDOWN_BITMAP’).

The winlogon developer most likely modified the source code and removed a number of things between XP, Vista and 7, but failed to remove:

  • the icon itself
  • the group icon resource
  • and even if these 2 were meant to stay, the dev most likely removed the ‘IDD_SHUTDOWN_BITMAP’ declaration from the header file – this made the resource compiler incorporate the actual constant name into the compiled resource!

And this is where I can come back to the typo I mentioned earlier & why is it important. What I believe happened is that the dev declared:

#define IDD_APPLICATION_ICO <some number>

inside the header file, but then inside the .rc file referred to the name making a typo :

IDD_APPLICAITON_ICO ICON "moonstars.ico"

Resource Compiler couldn’t find the declaration of IDD_APPLICAITON_ICO and decided to treat it as a string.

So, it’s an unintentional data leakage in both cases as we learn about constants used in the source code 🙂

Finally, it’s time to reveal what was the purpose of the romantic icon…

Luckily, this is actually quite simple: by checking what other stuff can be found inside resources of winlogon.exe from XP, we can discover this dialog box definition:

winlogonxp_dialogand which Resource Hacker allows us to preview as:

winlogonxp_dialog2This is a dialog box that would pop up on ancient versions of Windows NT (before APM became a standard?) – luckily someone made a youtube video how it looks like so you can confirm it yourself.

The code referring to it is still partially present inside the winlogon.exe from Windows XP, but the dialog template is not really used after being loaded.

The described typos, partially removed code, and the ancient artifacts still present in Windows 10 should be a good excuse for anyone interested in reversing and forensics to explore the system internals more – fundamentally, reversing is reading other peoples’ code and bugs are a norm & knowing how tools that build programs work allow us to better understand the root cause of some of these mistakes.