Have I been…
1. …Pwned?
This blogpost will be very short for a change. I spent most of this week converting the application to disable Driver Signature Enforcement (DSE) into a Beacon Object File (BOF) and adding in some extras like string obfuscation to hide very common string patterns like registry keys and constants from network inspection. I also changed some of the parameters to work with user input via CobaltWhispers instead of hardcoded values and replaced some notorious WIN32 API functions with their Windows Native API counterparts.
Once this was done, I spent the remainder of the week debugging the BOF and testing the full attack chain starting with the EarlyBird injector being executed as Administrator, disabling DSE using the BOF, deploying the Interceptor driver to cripple EDR/AV and finally running Mimikatz via Beacon. The full attack is demonstrated below:
While I’m awaiting access to a test environment with different EDR solutions to further test and optimize the kernel driver and injector, I’m studying up on Event Tracing for Windows (ETW) which will be my next target.
2. Event Tracing for Windows (ETW)
Event Tracing for Windows (ETW) is a kernel-level tracing facility which logs kernel or application-defined events to a log file. These events can be consumed from the log file or in real time. While ETW isn’t necessarily able to stop malware from being deployed, it gives defenders a lot of visibility into what’s happening on a system. A common defensive setup might use tools like Sysmon, which uses ETW under the hood, paired with Splunk as an alternative to expensive EDR/AV solutions. Sysmon is comprised of a Windows system service and a device driver which logs events to the Windows Event Log.
When deploying malware, it is important to evade any detections that stop the malware from being executed. Naturally, having tools monitor our deployment of malware without blocking it but allow defenders to see what exactly is going on and eventually leading to sample analysis by threat/malware analysts, is not something we want. There are several attack vectors to consider when addressing this issue:
- Patching ETW functions in user space
- patching ETW functions in kernel space
- Unloading or tampering with the Sysmon driver
- Tampering with log files
- Tampering with ETW sessions
Most of these techniques have clear indicators of compromise and generate logs and events during the process of disabling ETW/Sysmon. It may potentially be interesting to combine several of the above attack vectors and only blind for a limited amount of time while our malicious activity occurs, or possibly generate a large number of false positives to overwhelm the defensive team.