One Article Review

The article:
Source: Code White
Identifier: 6747256
Publication date: 2022-09-06 11:02:07 (seen: 2022-09-06 09:05:41)
Title: Attacks on Sysmon Revisited - SysmonEnte
Text:

In this blog post we demonstrate an attack on the integrity of Sysmon which generates a minimal amount of observable events, making the attack difficult to detect in environments where no additional security products are installed.

tl;dr:
- Suspend all threads of Sysmon.
- Create a limited handle to Sysmon and elevate it by duplication.
- Clone the pseudo handle of Sysmon to itself in order to bypass the SACL, as proposed by James Forshaw.
- Inject a hook manipulating all events (in particular ProcessAccess events on Sysmon).
- Resume all threads.

We also release a POC called SysmonEnte.

Background

At Code White we are used to performing complex attacks against hardened and strictly monitored environments. A reasonable approach to stay under the radar of the blue team is to blend in with false positives by adapting normal process and user behavior, carefully choosing host processes for injected tools and targeting specific user accounts.

However, clients with whom we have been working for a while have reached a high level of maturity. Their security teams strictly follow all the hardening advice we give them and invest a lot of time in collecting and baselining security-related logs while constantly developing and adapting detection rules.

We often see clients making heavy use of Sysmon, along with the Windows Event Logs and a traditional AV solution. For them, Sysmon is the root of trust for their security monitoring, and its integrity must be ensured. However, an attacker who successfully and covertly attacks Sysmon compromises its integrity and effectively breaks the security model of these clients.

In order to undermine the aforementioned security setup, we aimed at attacking Sysmon to tamper with events in a manner which is difficult to detect using Sysmon itself or the Windows Event Logs.

Attacks on Sysmon and Detection

Having done some Googling on how to blind Sysmon, we realized that all publicly documented ways (at least those we found) are detectable via Sysmon itself or the Windows Event Logs:
- Unloading the Sysmon driver: detectable via Sysmon event ID 255 and Windows Security event ID 4672.
- Attacks via a custom driver: detectable via Sysmon event ID 6 (Driver loaded).
- Killing the Sysmon service: Sysmon event ID 10 (Process Access with at least the PROCESS_TERMINATE flag set; this is the last event forwarded by Sysmon).
- Manipulating the rules registry key: event ID 16.
- Patching Sysmon in memory: event ID 10.

While we were confident that we could kill Sysmon before it throws event ID 5 (Process terminated), we thought that a host not sending any events would be suspicious and could be observed in a client's SIEM. Also, loading a signed, whitelisted and exploitable driver to attack from kernel land was out of scope in order to maintain stability.

Since all of these documented attack vectors are detectable via Sysmon itself or the Windows Event Logs, or can cause stability issues, we needed a new attack vector with the following capabilities:
- Not detectable via Sysmon itself
- Not detectable via the Windows Event Log
- Sysmon must stay alive
- Attack from user mode

Injecting into Sysmon and manipulating its control flow seemed the most promising.

Attack Description

Similarly to SysmonQuiet or EvtMute, the idea is to inject code into Sysmon which redirects the
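The detection mapping above, as an added example that is not code from the Code White post or from SysmonEnte: a small Python rule set run over constructed Sysmon and Security events. It implements the rules the post lists for the documented techniques (Sysmon event IDs 255, 6, 10 with PROCESS_TERMINATE or memory-write rights, 16 and 5, plus Security 4672 carrying SeLoadDriverPrivilege) and then feeds in a ProcessAccess event on Sysmon that carries only query rights, the kind of low-value mask a "limited handle" open produces, to show that none of those rules fire on it. Field names follow the Sysmon and Security event schemas; the sample events, the driver allowlist and the 0x1400 mask standing in for a limited open are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Process access rights from winnt.h, as they appear in the GrantedAccess mask.
PROCESS_TERMINATE = 0x0001
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

SYSMON_IMAGES = ("sysmon.exe", "sysmon64.exe")
# Constructed allowlist standing in for a real driver baseline (assumption).
KNOWN_DRIVERS = {r"c:\windows\system32\drivers\sysmondrv.sys"}


@dataclass
class Event:
    channel: str   # "Sysmon" (Microsoft-Windows-Sysmon/Operational) or "Security"
    event_id: int
    data: dict     # EventData fields, keyed by their schema names


def _is_sysmon(path: str) -> bool:
    """True if the image path names the Sysmon service binary."""
    return path.rsplit("\\", 1)[-1].lower() in SYSMON_IMAGES


def detect(ev: Event) -> list[str]:
    """Return the names of the rules an event trips; [] means nothing observed."""
    hits = []
    d = ev.data
    if ev.channel == "Sysmon":
        if ev.event_id == 255:                      # Sysmon error event
            hits.append("sysmon_error")
        elif ev.event_id == 6:                      # Driver loaded
            if d.get("ImageLoaded", "").lower() not in KNOWN_DRIVERS:
                hits.append("unknown_driver_loaded")
        elif ev.event_id == 5 and _is_sysmon(d.get("Image", "")):
            hits.append("sysmon_terminated")        # the host goes silent after this
        elif ev.event_id == 16:                     # Sysmon config state changed
            hits.append("sysmon_config_changed")
        elif ev.event_id == 10 and _is_sysmon(d.get("TargetImage", "")):
            granted = int(d.get("GrantedAccess", "0x0"), 16)
            if granted & PROCESS_TERMINATE:
                hits.append("sysmon_terminate_access")
            if granted & (PROCESS_VM_OPERATION | PROCESS_VM_WRITE):
                hits.append("sysmon_memory_write_access")
    elif ev.channel == "Security" and ev.event_id == 4672:
        # Special privileges assigned to new logon; unloading a driver needs this one.
        if "SeLoadDriverPrivilege" in d.get("PrivilegeList", ""):
            hits.append("load_driver_privilege_assigned")
    return hits


def triage(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> rule hits, keeping only events that tripped a rule."""
    out = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            out[i] = hits
    return out


# Constructed sample stream: one event per documented technique, then the
# footprint of a limited-access open of Sysmon.
SAMPLE_EVENTS = [
    Event("Sysmon", 10, {"SourceImage": r"C:\tools\killer.exe",
                         "TargetImage": r"C:\Windows\Sysmon64.exe",
                         "GrantedAccess": "0x1FFFFF"}),   # kill or patch Sysmon
    Event("Sysmon", 16, {"Configuration": r"C:\tmp\empty.xml"}),
    Event("Sysmon", 6, {"ImageLoaded": r"C:\tmp\custom.sys", "Signed": "false"}),
    Event("Security", 4672, {"PrivilegeList": "SeLoadDriverPrivilege\n\t\t\tSeDebugPrivilege"}),
    Event("Sysmon", 255, {"Description": "constructed driver error text"}),
    Event("Sysmon", 5, {"Image": r"C:\Windows\Sysmon64.exe"}),
    # Query-only rights (assumed value for a "limited" handle): none of the
    # rules above look at this mask, so the event passes as benign.
    Event("Sysmon", 10, {"SourceImage": r"C:\Windows\explorer.exe",
                         "TargetImage": r"C:\Windows\Sysmon64.exe",
                         "GrantedAccess": hex(PROCESS_QUERY_INFORMATION
                                              | PROCESS_QUERY_LIMITED_INFORMATION)}),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
    silent = [i for i, ev in enumerate(SAMPLE_EVENTS) if not detect(ev)]
    print("events that trip nothing:", silent)
```

Running the block flags the first six events and reports the last one as silent. That silence is the point of the post: a ProcessAccess event whose mask carries none of the rights these rules key on looks like ordinary query traffic, and once the hook is in place the events emitted afterwards are under the attacker's control anyway. Production rules additionally need exclusions for Sysmon opening itself and for known security tooling, which this toy set leaves out.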
Tags: Tool


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.