Threat Hunting – architecture issues…
Published 2023-05-04 at https://www.hexacorn.com/blog/2023/05/04/threat-hunting-architecture-issues/

In my recent post (https://www.hexacorn.com/blog/2023/03/10/threat-hunting-localization-issues/) I focused on localization issues, but there is (always!) more…

Take a look at the Windows 11 ARM version (https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewARM64) – when you install it you will immediately notice that it includes many unusual folders that your threat hunting rules (we are so used to relying on Intel-centric paths!) simply… “don’t see”, f.ex.:

- \Windows\SyChpe32\
- \Windows\SysArm32\
- \Program Files (Arm)\

Luckily, there is already a body of knowledge out there that describes some of these folders in detail (https://oofhours.com/2021/02/19/running-x64-on-windows-10-arm64-how-the-heck-does-that-work/)…

Yup. After a few decades of Intel’s dominance we are moving towards the ARM world and there is no excuse — we need to start looking at the ‘new’ that these changes bring… To be frank… I am as late to this party as anyone else… I always looked at ARM stuff with a bit of “huh, interesting, but not gonna stick” and kinda learned some bits about it here, there, and kinda in-between… Meaning: yes, I can read and interpret most of the ARM assembly code, and I also like the decompiled ARM code, but I am definitely far behind when it comes to understanding the hardware and its tricks, especially compared to Intel, so I'm gonna work hard to conquer it over the next few months… So, yup, today I embrace ARM and actually plan to spend a lot of time reading about it, because I fear that if I don’t, I will become a liability soon…

Coming back to the threat hunting angle… how many different system32 directories do we have out there today?

- System32
- SysWOW64
- SysArm32
- SysX8664
- SysArm64
- SyChpe64
  +
- sysnative

Is that all? There are probably some variations around the main Windows OS folder (that is: C:\windows, c:\windows.000, c:\winnt, etc.), but hopefully we are in good shape for the next few years…

Again, there are some cool blog posts about some of these changes out there (https://wbenny.github.io/2018/11/04/wow64-internals.html, https://blogs.blackberry.com/en/2019/09/teardown-windows-10-on-arm-x86-emulation)…

And just because we know these folder names we should not be fooled easily… We are looking at a completely different OS, a different architecture it deals with, different software needs, and I bet — many undiscovered bugs, quirks, features, and gotchas…

There must be new phantom DLL and persistence mechanisms waiting to be discovered for sure, too.

It’s actually quite exciting…

It’s the area I hope to explore more over the next months… stay tuned.