`migrate` command and process hollowing procedures from a 5+-year-old Carbanak malware available on GitHub, even with prior knowledge of what is going to be tested, and half a year to prepare if needed.
`kernel32!CreateRemoteThread`, but we are really talking about `ntdll!NtCreateThreadEx`, or the kernel-mode target intercepted through kernel callbacks.
`msbuild.exe` creating a new thread in a remote process. Even though the criticality of a potential true positive would be quite high, after testing the rule author decided it is only suitable for low severity (probably due to the FP rate), which likely degrades the rule to an IR label/enrichment in most environments.
`FileProfile()` enrichment function - detects extremely rare files creating threads in remote processes. Very useful to implement in-house, but still unlikely to be found in EDRs in such a simple form, as it would cause substantial amounts of false positives in certain environments, and could prove difficult to maintain.
hosting process - so monitoring only remote thread creation, usually also limited to those with:
target) only in Windows built-in executables
source) only in risky executables
DripLoader is an evasive shellcode loader (injector) for bypassing event-based injection detection, without necessarily suppressing event collection. The project aims to highlight limitations of event-driven injection identification, and to show the need for more advanced memory scanning and smarter local agent inventories in EDR.
DripLoader evades EDRs by
- using the most risky APIs possible like
- blending in with call arguments to create events that vendors are forced to drop or log&ignore due to volume
- avoiding multi-event correlation by introducing delays
`PageSize`-sized pages, which on Windows 10 with a modern processor is
`4kB` is by far the most prevalent allocation size (>95%), making it extremely challenging to detect on
`kernel32!VirtualAllocEx` choose the base, as it might reserve memory at an address where the other allocations will not fit
`kernel32!VirtualAllocEx` and similar is rounded up to `AllocationGranularity`, which is another constant found in `SYSTEM_INFO` and is usually
`MEM_COMMIT | MEM_RESERVE` memory at `0x40000000`, the whole `0x40010000` (64kB) region will be unavailable for new allocations
`VirtualQueryEx` the target process to find the first region able to fit our shellcode blob
`AllocationGranularity` (64kB) sized regions, and then loop over those committing `4kB` pages to ensure page alignment
`RegionSize` of a target memory page in properties of logged `VirtualProtectEx` events. (TiEtw provides this, and hooks can too).
`CreateThreadEx` native API which is the ntdll target of CRT, and hence very commonly called by legitimate software. To bypass any detections we will:
`far jmp` to our shellcode base at the time of thread creation
`RVA` of the function we will hijack