In NTDLL I Trust: Process Reimaging and Endpoint Security Solution Bypass - PowerPoint PPT Presentation



SLIDE 1

In NTDLL I Trust: Process Reimaging and Endpoint Security Solution Bypass

Hack in Paris 2019 – Eoin Carroll, Senior Security Researcher, McAfee ATR

SLIDE 2

Attribution

  • Eoin Carroll
  • Steve Hearnden
  • Cedric Cochin
  • Steve Povolny

sacré bleu

SLIDE 3

About me

Career timeline (2000, 2007, 2011, 2018): Semi-Conductor Electronic Engineer → Medical Device Electronic Engineer → SW Security Engineer → Appsec Pentester → Security Researcher → Security Team Lead → Security Mgr → Security Architect

@w3knight

SLIDE 4

The next 40 minutes…

  • Process Reimaging Overview
  • AV scanners and Process Reimaging
  • Mitre ATT&CK and Defensive Evasion
  • Process Reimaging Prerequisite and Attack Vectors
  • Process Reimaging Weaponization
  • Windows Kernel APIs + Process Reimaging Deep Dive
  • Windows Defender bypass demo
  • Impact and Protection Recommendations
SLIDE 5

Process Reimaging Overview

  • Process Reputation and Trust verification bypass
  • Impacts non-EDR Endpoint Security Solutions using NTDLL APIs such as K32GetProcessImageFileName
  • Equivalent in impact to Process Hollowing or Process Doppelganging within the Mitre ATT&CK Defense Evasion category
  • A malicious process can dwell on the endpoint until reboot or a full scan after a signature update

SLIDE 6

Antivirus Scanner Detection Points

  • 1. FileCreate
  • 2. Section Create
  • 3. Cleanup
  • 4. ImageLoad
  • 5. CloseFile
  • Signature == detects @ 1, 2, 4

SLIDE 7

Antivirus Scanner Detection Points

  • 1. FileCreate
  • 2. Section Create
  • 3. Cleanup
  • 4. ImageLoad
  • 5. CloseFile
  • Signature == detects @ 1, 2, 4
  • No Signature == depends on the OS for running process attribute verification @ 4

SLIDE 8

Antivirus Scanner Detection Points

  • 1. FileCreate
  • 2. Section Create
  • 3. Cleanup
  • 4. ImageLoad
  • 5. CloseFile
  • Signature == detects @ 1, 2, 4
  • No Signature == depends on the OS for running process attribute verification @ 4

Process Reimaging Definition

“Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths which enable an adversary to bypass Windows Operating System Process attribute verification”

SLIDE 9

Mitre ATT&CK

SLIDE 10

Mitre ATT&CK

SLIDE 11

Subverting Trust

SLIDE 12

Subverting Trust

Digital Signature Validation

SLIDE 13

Subverting Trust

Digital Signature Validation Process Attribute Verification

SLIDE 14

May 2018 – SynAck Ransomware

SLIDE 15

SynAck – Process Hollowing

Diagram (attack chain; columns: Initial Access | Execution | Defense Evasion | Acting on Objectives). Diagram elements: Drive-by-Compromise, Phishing, Obfuscated Trojan Dropper, Dropper Location, SynAck.exe, msiexec.exe, Endpoint Security Solution (ESS).

SLIDE 16

SynAck – Process Hollowing (build 2)

Adds to the diagram: CreateProcess with CREATE_SUSPENDED.

1. Process created with trusted binary

SLIDE 17

SynAck – Process Hollowing (build 3)

Adds: Malicious PE. API sequence: CreateProcess (CREATE_SUSPENDED) → NtUnmapViewOfSection → VirtualAllocEx → WriteProcessMemory → ResumeThread.

1. Process created with trusted binary
2. Process Hollowing with malicious code

SLIDE 18

SynAck – Process Hollowing (build 4)

Adds: ESS annotation “Protection failed to detect obfuscated dropper”.

SLIDE 19

SynAck – Process Hollowing (build 5)

Adds: “Signatures updated”.

SLIDE 20

SynAck – Process Hollowing (build 6)

Adds: “NTDLL API for Process Image Query” (the ESS queries the image of the running process).

SLIDE 21

SynAck – Process Hollowing (build 7)

Adds: the process image query answers “msiexec.exe”.

SLIDE 22

SynAck – Process Doppelganging

Diagram (same attack-chain layout and elements as the Process Hollowing slides: Initial Access | Execution | Defense Evasion | Acting on Objectives; Drive-by-Compromise, Phishing, Obfuscated Trojan Dropper, Dropper Location, SynAck.exe, msiexec.exe, Endpoint Security Solution (ESS)). APIs: CreateTransaction, CreateFileTransacted.

1. Trusted Binary transacted as Malicious PE

SLIDE 23

SynAck – Process Doppelganging (build 2)

Adds: Malicious PE. APIs: WriteFile, CreateSection.

1. Trusted Binary transacted as Malicious PE
2. Create Sections from transacted Malicious PE

SLIDE 24

SynAck – Process Doppelganging (build 3)

Adds: RollBackTransaction, NtCreateProcess, ResumeThread.

1. Trusted Binary transacted as Malicious PE
2. Create Sections from transacted Malicious PE
3. Rollback transaction removes changes from Filesystem

SLIDE 25

SynAck – Process Doppelganging (build 4)

Adds: ESS annotation “Protection failed to detect obfuscated dropper”.

SLIDE 26

SynAck – Process Doppelganging (build 5)

Adds: “Signatures updated”.

SLIDE 27

SynAck – Process Doppelganging (build 6)

Adds: “NTDLL API for Process Image Query”.

SLIDE 28

SynAck – Process Doppelganging (build 7)

Adds: the process image query answers “msiexec.exe”.

SLIDE 29

Process Reimaging Prerequisite and Attack Vectors

Prerequisites

Process Reimaging targets the post-exploitation phase, whereby a threat actor has already gained access to the target system. This is the same prerequisite as the Process Hollowing and Doppelganging techniques within the Defense Evasion category of the Mitre ATT&CK framework.

Attack Vectors

  • 1. FILE_OBJECT Filepath changes
  • 2. FILE_OBJECT Filename changes
  • 3. LoadLibrary FILE_OBJECT reuse

SLIDE 30

SynAck using Process Reimaging

SLIDE 31

SynAck - Process Reimaging Weaponization

Diagram (attack chain; columns: Initial Access | Execution | Defense Evasion | Acting on Objectives). Diagram elements: Drive-by-Compromise, Phishing, Obfuscated Trojan Dropper, Dropper Location, SynAck.exe, msiexec.exe, undetected.exe, Endpoint Security Solution (ESS). API: CreateProcess.

1. Process created with undetected binary

SLIDE 32

SynAck - Process Reimaging Weaponization (build 2)

Adds: msiexec.exe. APIs: MoveFileW, CreateDirectoryW, CopyFileW.

1. Process created with undetected binary
2. Process reimaged as msiexec

SLIDE 33

SynAck - Process Reimaging Weaponization (build 3)

Adds: ESS annotation “Protection failed to detect obfuscated dropper”.

SLIDE 34

SynAck - Process Reimaging Weaponization (build 4)

Adds: “Signatures updated”.

SLIDE 35

SynAck - Process Reimaging Weaponization (build 5)

Adds: “NTDLL API for Process Image Query”.

SLIDE 36

SynAck - Process Reimaging Weaponization (build 6)

Adds: the process image query answers “msiexec.exe”.

SLIDE 37

Windows Kernel APIs + Process Reimaging Deep Dive

SLIDE 38

NtQueryInformationProcess Filename APIs

IDA Graph Displaying Complexity of NtQueryInformationProcess Filename APIs within NTDLL

SLIDE 39

NtQueryVirtualMemory Filename API

IDA Graph Displaying Complexity of NtQueryVirtualMemory Filename API within NTDLL

SLIDE 40

OS/Kernel version and API Matrix

| Kernelbase.dll API | Ntoskrnl.exe API & structures | Win 7 SP1 x64 (Ntoskrnl 6.1.7601.17514) | Win 8.1 x64 (Ntoskrnl 6.3.9600.18946) | Win10 RS1 x64 (Ntoskrnl 10.0.14393.0) |
|---|---|---|---|---|
| K32GetModuleFileNameEx | NtQueryInformationProcess; EPROCESS +0x448 ImageFilePointer (Win10), EPROCESS +0x3b8 SectionObject (<Win10) | Incorrect filename, incorrect path | Incorrect filename, incorrect path | Correct filename, incorrect path |
| GetMappedFileName | NtQueryVirtualMemory; VAD FILE_OBJECT handle | Correct filename, incorrect path | Correct filename, incorrect path | Correct filename, incorrect path |
| K32GetProcessImageFileName | NtQueryInformationProcess; EPROCESS SeAuditProcessCreationInfo | Incorrect filename, incorrect path | Incorrect filename, incorrect path | Incorrect filename, incorrect path |
| QueryFullProcessImageFileName | NtQueryInformationProcess; EPROCESS +0x448 ImageFilePointer (Win10), EPROCESS +0x3b8 SectionObject (<Win10) | Incorrect filename, incorrect path | Incorrect filename, incorrect path | Correct filename, incorrect path |

SLIDE 41

Filepath Changes (impacts all Windows OS versions)

SLIDE 42

Filepath Changes (impacts all Windows OS versions)

SLIDE 43

Filepath Changes (impacts all Windows OS versions)

SLIDE 44

Filepath Changes (impacts all Windows OS versions)

SLIDE 45

Filename Changes (impacts Windows >= Windows 10)

SLIDE 46

Filename Changes (impacts Windows >= Windows 10)

SLIDE 47

Filename Changes (impacts Windows < Windows 10)

SLIDE 48

Filename Changes (impacts Windows < Windows 10)

SLIDE 49

Using LoadLibrary (impacts all Windows OS Versions)

SLIDE 50

Using CreateProcess (impacts all Windows OS Versions)

SLIDE 51

Windows Defender Bypass Demo

SLIDE 52

Process Manipulation Techniques Recap

Process Reimaging

SLIDE 53

Process Manipulation Techniques Recap

Process Reimaging Process Doppelganging

SLIDE 54

Process Manipulation Techniques Recap

Process Reimaging Process Doppelganging Process Hollowing

SLIDE 55

Process Manipulation Techniques Comparison

| Process Manipulation Technique | Advantages | Disadvantages | Protection | Detection |
|---|---|---|---|---|
| Process Reimaging | Easier to execute; no code injection; all Windows versions; no API signatures; no protection | Not fileless; no trusted path execution location; cannot delete malicious file from disk | Track FILE_OBJECT ID from FileCreate | EDR tracing; memory scanning (requires trigger) |
| Process Doppelganging | Fileless; trusted path execution location; delete malicious file from disk | Transaction API not legitimate usage; code injection; Microsoft protection | ESS protection; proprietary techniques; Yara rules | EDR tracing; Yara rules; memory scanning (requires trigger) |
| Process Hollowing | Fileless; trusted path execution location; delete malicious file from disk | Noisy APIs; signatures; code injection | ESS protection; proprietary techniques; Yara rules | EDR tracing; Yara rules; memory scanning (requires trigger) |

SLIDE 56

Impact

  • 1. Process reputation of a remote process – any product using the APIs to determine if executing code is from a malicious file on disk
    CVSS score 5.0 (Medium) https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N (same score as Doppelganging)

SLIDE 57

Impact

  • 1. Process reputation of a remote process – any product using the APIs to determine if executing code is from a malicious file on disk
    CVSS score 5.0 (Medium) https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N (same score as Doppelganging)
  • 2. Trust verification of a remote process – any product using the APIs to verify trust of a calling process
    CVSS score will be higher than 5.0; scoring specific to Endpoint Security Solution architecture

SLIDE 58

Impact

  • 1. Process reputation of a remote process – any product using the APIs to determine if executing code is from a malicious file on disk
    CVSS score 5.0 (Medium) https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N (same score as Doppelganging)
  • 2. Trust verification of a remote process – any product using the APIs to verify trust of a calling process
    CVSS score will be higher than 5.0; scoring specific to Endpoint Security Solution architecture

Note: you are vulnerable if you use any of the APIs listed in the “OS/Kernel version and API Matrix” for the above use cases

SLIDE 59

Protection Recommendations (to ESS Vendor)

  • The FILE_OBJECT ID must be tracked from FileCreate, as the process closes its handle for the filename by the time the image is loaded at ImageLoad.
  • This ID must be managed by the Endpoint Security Vendor so that it can be leveraged to determine if a process has been reimaged when performing process attribute verification.
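The following Python is an added example, not code from the presentation or from McAfee: a pure-Python model of the recommendation above, run over constructed events. It records a file identity at FileCreate and ImageLoad (detection points 1 and 4 from the scanner slides) and, at verification time, compares that identity with whatever file now sits at the path a creation-time image query reports. The event names, file IDs, pids and paths are assumptions made up for the example; a real ESS would obtain them from its file-system minifilter and process/image-load callbacks.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TrackedFile:
    file_id: int      # stable identity of the file object (stand-in for the FILE_OBJECT ID)
    path: str         # current on-disk path; updated on every rename/move we are told about
    flagged: bool     # True once a signature update classifies the content as malicious


class ProcessVerifier:
    """Keeps file identity from FileCreate through ImageLoad so that a later
    process attribute verification can tell whether the file at the reported
    image path is still the file the process was started from."""

    def __init__(self) -> None:
        self.files: Dict[int, TrackedFile] = {}
        self.by_path: Dict[str, int] = {}        # current path -> file_id
        self.image_of: Dict[int, int] = {}       # pid -> file_id observed at ImageLoad
        self.creation_path: Dict[int, str] = {}  # pid -> image path at process creation

    def on_file_create(self, file_id: int, path: str) -> None:
        self.files[file_id] = TrackedFile(file_id, path, flagged=False)
        self.by_path[path] = file_id

    def on_rename(self, file_id: int, new_path: str) -> None:
        f = self.files[file_id]
        if self.by_path.get(f.path) == file_id:
            del self.by_path[f.path]
        f.path = new_path
        self.by_path[new_path] = file_id

    def on_image_load(self, pid: int, file_id: int) -> None:
        self.image_of[pid] = file_id
        self.creation_path[pid] = self.files[file_id].path

    def on_signature_update(self, file_id: int) -> None:
        self.files[file_id].flagged = True

    def stale_image_query(self, pid: int) -> str:
        """Models the behaviour the deck attributes to APIs such as
        K32GetProcessImageFileName: the path recorded at process creation is
        returned even after the file has been moved or renamed."""
        return self.creation_path[pid]

    def verify_by_path(self, pid: int) -> str:
        """Path-based verification: classify whatever file now sits at the
        reported path. This is the check that Process Reimaging bypasses."""
        fid = self.by_path.get(self.stale_image_query(pid))
        if fid is None:
            return "unknown"      # nothing is at the stale path any more
        return "malicious" if self.files[fid].flagged else "clean"

    def verify_by_file_id(self, pid: int) -> Tuple[str, Optional[str]]:
        """Identity-based verification (the recommendation on this slide):
        compare the file ID recorded at ImageLoad with the file ID currently at
        the reported path. A mismatch means the process has been reimaged; the
        second element then gives the tracked file's current location."""
        loaded = self.image_of[pid]
        if self.by_path.get(self.stale_image_query(pid)) == loaded:
            return ("malicious" if self.files[loaded].flagged else "clean"), None
        return "reimaged", self.files[loaded].path


def run_reimaging_scenario() -> Tuple[str, Tuple[str, Optional[str]]]:
    """Constructed event sequence mirroring the weaponization slides: an
    undetected binary is launched, moved aside, a trusted copy is placed at the
    original path, and a signature update then flags the original file."""
    v = ProcessVerifier()
    original = r"C:\Users\victim\undetected.exe"       # constructed path
    moved = r"C:\Users\victim\tmp\undetected.exe"      # constructed path
    v.on_file_create(1001, original)                   # FileCreate of undetected.exe
    v.on_image_load(4242, 1001)                        # ImageLoad: pid 4242 runs file 1001
    v.on_rename(1001, moved)                           # MoveFileW: filepath change after launch
    v.on_file_create(2002, original)                   # CopyFileW: trusted binary now at the stale path
    v.on_signature_update(1001)                        # signatures updated: file 1001 is now known bad
    return v.verify_by_path(4242), v.verify_by_file_id(4242)


def run_baseline_scenario() -> Tuple[Tuple[str, Optional[str]], Tuple[str, Optional[str]]]:
    """Same checks on a process whose image file is never moved: identity-based
    verification must not produce a false 'reimaged' verdict."""
    v = ProcessVerifier()
    v.on_file_create(3003, r"C:\Tools\helper.exe")     # constructed path
    v.on_image_load(7, 3003)
    before = v.verify_by_file_id(7)
    v.on_signature_update(3003)
    return before, v.verify_by_file_id(7)


if __name__ == "__main__":
    print(run_reimaging_scenario())   # ('clean', ('reimaged', 'C:\\Users\\victim\\tmp\\undetected.exe'))
    print(run_baseline_scenario())    # (('clean', None), ('malicious', None))
```

The path-based check returns "clean" for the reimaged process because the stale path now resolves to the trusted copy, which is the bypass the deck describes; the identity-based check returns "reimaged" together with the tracked file's current location, which is what the ESS needs in order to act on the still-running process after the signature update.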

SLIDE 60

Protection Recommendations (to Microsoft)

  • File System Synchronization (EPROCESS structures out of sync with the filesystem or File Control Block (FCB) structure)
    • Allow the EPROCESS structure fields to reflect filepath changes
    • There are other EPROCESS fields which do not reflect changes to filenames and need to be updated
  • API Usage (most APIs return file info from process creation time)
    • Defender (MpEngine.dll) should be using K32GetModuleFileNameEx to get the process image filename
    • Consolidate the duplicate APIs being exposed from NtQueryInformationProcess to provide easier management and guidance to consumers
    • Differentiate in the API description whether the API is limited to retrieving the filename and path at process creation or retrieves them in real time at the time of the request
  • Filepath Locking
    • Lock the filepath and name, similar to locking file modification while a process is executing, to prevent modification
    • A standard user at a minimum should not be able to rename binary paths for its associated executing process
  • Reuse of existing FILE_OBJECT with LoadLibrary API
    • LoadLibrary should verify that any existing FILE_OBJECT it reuses has the most up-to-date filepath at load time
  • As a short term mitigation, Defender should flag that it found malicious process activity
SLIDE 61

Microsoft June 2019 Cumulative update

  • Microsoft released a partial mitigation to Defender in the June 2019 Cumulative update for the Process Reimaging FILE_OBJECT filename changes attack vector only
  • This update was only for Windows 10 and does not address the vulnerable APIs in the “OS/Kernel version and API Matrix” at the OS level; therefore, Endpoint Security Solutions are still vulnerable to Process Reimaging
  • Defender also remains vulnerable to the FILE_OBJECT filepath changes attack vector executed in the bypass demo video, and this attack vector affects all Windows OS versions

SLIDE 62

McAfee Blog

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/

That's it, folks. dzNrbmlnaHQ=