detecting fileless malicious behaviour of net c2 agents
play

Detecting Fileless Malicious Behaviour of .NET C2 Agents using ETW - PowerPoint PPT Presentation

Mar 30, 2023 •375 likes •781 views

Detecting Fileless Malicious Behaviour of .NET C2 Agents using ETW Supervisors: Course: Authors: Leandro Velasco Research Project 1 Alexander Bode Joao de Novais Marques Niels Warnars Introduction Event Tracing for Windows Enables

  1. Detecting Fileless Malicious Behaviour of .NET C2 Agents using ETW Supervisors: Course: Authors: Leandro Velasco Research Project 1 Alexander Bode Joao de Novais Marques Niels Warnars

  2. Introduction Event Tracing for Windows Enables logging kernel or application data, since Windows 2000 Components of ETW - Providers - Controllers - Consumers Source: Microsoft Docs, 2020 2

  3. Introduction Fileless Malicious Behaviour of .NET C2 Agents .NET assemblies can be dynamically loaded and executed into memory - Using methods from the System.Reflection namespace - Allowing remote execution of malicious code Assembly C# Memory 3

  4. Example .NET code / executables are uploaded to bots and executed through the server by the botnet administrator Source:Paisan Homhuan/123RF.com 4

  5. Introduction Research Questions Main Research Question How can ETW be leveraged to detect fileless malicious behaviour of .NET agents used by popular C2 frameworks? Sub Questions What language-specific features can be used by .NET C2 agents for fileless attacks? Which event types are relevant for detecting malicious .NET behaviour? 5

  6. Introduction Importance - Attackers shifting away from PowerShell to malicious .NET - Logging and tracing support since Windows 2000 - Complexity and volume of data produced by ETW Research Goals - Find ways to detect .NET agents used by popular C2 frameworks using ETW - Reduce false-positives and data volume - Identify limitations of proposed detection methods 6

  7. Related Work Current Research Detection using ETW - .NET code injection (F-Secure) - Ransomware (CyberPoint) Bypassing ETW - For specific events, e.g., Asynchronous Procedure Calls (Tsukerman) - Disable or delete ETW components (Palentir) - ETW logs being renamed in the wild (Kaspersky) 7

  8. Related Work Shortcomings Detection using ETW - Methods for detecting .NET code injection using ETW (F-Secure) - Inefficient research POC which uses the PyWintrace library - Relies on high-risk built-in function names 8

  9. Methodology 9

  10. Methodology Lab Setup ● Virtual Machine 1: ● Virtual Machine 2: ○ ○ OS: Linux OS: Windows 10 ○ ○ Function: Command and Control Function: Logging ETW events during server code execution / loading agents 10

  11. Methodology Investigated C2 frameworks Tested four popular C2 frameworks documented by C2 Matrix project ● Generate .NET agents ● Load .NET assemblies into memory 11

  12. Methodology Assembly loading in C2 frameworks - Executing built-in assembly in Covenant C2 12

  13. Methodology Log Creation and Analysis 1. Determine relevant ETW providers and event names 2. Generate ETW logs: a. Malicious .NET agents b. Assembly loading POCs c. Benign .NET software 3. Compare event logs side-by-side 13

  14. Methodology SilkETW ● Developed by Ruben Boonen of FireEye ● Logging utility for ETW ● Abstracts complexities ● Entries written to - JSON file - Windows Event logs - Logstash 14

  15. Methodology SilkETW SilkETW is installed on hosts to control ETW sessions and providers Data ฀ JSON log file 15

  16. Methodology SilkETW SilkETW is installed on hosts to control ETW sessions and providers Data ฀ JSON log file 16

  17. Methodology SilkETW SilkETW is installed on hosts to control ETW sessions and providers Data ฀ JSON log file 17

  18. Methodology Example ETW Event (Simplified) { { "ProviderName" : "Microsoft-Windows-DotNETRuntime", "ProviderName" : "Microsoft-Windows-DotNETRuntime", "EventName" : "Loader/AssemblyLoad", "EventName" : "Loader/AssemblyLoad", "TimeStamp" : "2020-01-17T07:34:18.0794758-08:00", "TimeStamp" : "2020-01-17T07:34:18.0794758-08:00", "ProcessName" : "N/A", "ProcessName" : "N/A", ... ... "XmlEventData" :{ "XmlEventData" :{ "AssemblyFlags" : "DomainNeutral|Native", "AssemblyFlags" : "DomainNeutral|Native", "FullyQualifiedAssemblyName" : "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=...", "FullyQualifiedAssemblyName" : "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=...", "EventName" : "Loader/AssemblyLoad" "EventName" : "Loader/AssemblyLoad" ... ... } } } } 18

  19. Results 19

  20. Results Assembly.Load 20

  21. Results ETW Filtering Steps Start: Assembly loading POC + End result: Only subscribe to Loader logging all .NET-runtime events events 99.937 events 9 events Manually clear away 26 types of events irrelevant and 3 types of events verbose event types (Unload, GC, Method/Load, etc.) 21

  22. Results Assembly loading seen from ETW (.NET 4.x) 1. Loader/AssemblyLoad (* Optional if a module is loaded into an existing assembly) 2. Loader/ModuleLoad 3. Loader/DomainModuleLoad 22

  23. Results Assembly loading seen from ETW (.NET 3.5) 1. CLRLoader/ModuleLoad (* Both events contain same information) 2. Loader/ModuleLoad 23

  24. Results Assembly loading seen from ETW Assembly: Any executable or module, including: ● .NET application itself ● .NET libraries and dependencies ● Dynamically loaded components 24

  25. Results AssemblyLoad Event (.NET 4.x) Legit Module Assembly name AssemblyFlags PublicKeyToken mscorlib.dll (as observed in mscorlib "DomainNeutral|Native" b77a5c561934e089 Assembly.Load POC) mscorlib.dll (as observed in mscorlib "DomainNeutral" b77a5c561934e089 Covenant agent) C2 framework Assembly name AssemblyFlags PublicKeyToken Covenant "jhyfwkp2.hwm" "0" null PoshC2 "Core" "0" null FactionC2 "stdlib" "0" null SilentTrinity "Stage" "Dynamic" null 25

  26. Results ModuleLoad Event (.NET 4.x) Legit Module ModuleILPath ModuleNativePath ModuleFlags mscorlib.dll (as observed in "C:\\[...]\\mscorlib.dll" "C:\\[...]\\mscorlib.ni.dll" "DomainNeutral|Native| Assembly.Load POC) Manifest|0x10" mscorlib.dll (as observed in "C:\\[...]\\mscorlib.dll" "" "DomainNeutral|Manifest" Covenant agent) C2 framework ModuleILPath ModuleNativePath ModuleFlags Covenant "jhyfwkp2.hwm" "" "Manifest" PoshC2 "Core" "" "Manifest" FactionC2 "stdlib" "" "Manifest" SilentTrinity "Stage.exe" "" "Dynamic" 26

  27. Results ModuleLoad Event (.NET 3.5) Legit Module ModuleILPath ModuleNativePath ModuleFlags mscorlib.dll (as observed in "C:\\[...]\\mscorlib.dll" "C:\\[...]\\mscorlib.ni.dll" "3" (DomainNeutral|Native) Assembly.Load POC) mscorlib.dll (as observed in "C:\\[...]\\mscorlib.dll" "" "1" (DomainNeutral) Covenant agent) C2 framework ModuleILPath ModuleNativePath ModuleFlags Covenant "" "" "0" FactionC2 "" "" "0" 27

  28. Results ModuleLoad Signature Field Value ModuleILPath No absolute path (i.e. exclude slashes) ModuleNativePath Empty string ModuleFlags (if present) "0", "Dynamic" or "Manifest" 28

  29. Results ModuleLoad Signature - FP Testing Tested against numerous .NET applications: ● Paint.NET ● KeePass ● Visual Studio No false positives 29

  30. Discussion 30

  31. Discussion Limitations - General Considerations ● Assembly loading may occur for legitimate reasons ● Only performed limited false-positive testing ● Different .NET versions result in different event output 31

  32. Conclusion 32

  33. Conclusion How can ETW be leveraged to detect fileless malicious behaviour of .NET agents used by C2 frameworks? ● Agents of multiple C2 frameworks dynamically load assemblies ● Detection possible based on ModuleLoad event 33

  34. Future Work ● Investigate other use cases of ETW for endpoint monitoring ● Investigate real-world implementation of detection 34

  35. Questions? 35

  36. Backup slides 36

  37. Limitations - ModuleLoad signature ● ModuleLoad signature relies on absence of full path ● Loading assembly file from disk results in absolute path logged in ModuleILPath ○ Assembly.LoadFile(string path) ○ Assembly.LoadFrom(string assemblyName) 37

  38. Limitations - ModuleLoad signature ● ModuleLoad signature relies on absence of full path ● For dynamically loaded assembly, ModuleILPath = assembly name ● Bypass: Patch assembly name with fake path to get fake absolute path logged in ModuleILPath 38

Recommend

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia

PlatPal: Detecting Malicious Documents with Platform Diversity Meng Xu and Taesoo Kim Georgia Institute of Technology 1 Malicious Documents On the Rise 2 3 4 Adobe Components Exploited Element parser JavaScript engine 137 CVEs in 2015

883 views • 62 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
Detecting Malicious Web Links and Identifying Their Attack Types 1 Hyunsang Choi, 2 Bin B. Zhu, 1

Detecting Malicious Web Links and Identifying Their Attack Types 1 Hyunsang Choi, 2 Bin B. Zhu, 1

Detecting Malicious Web Links and Identifying Their Attack Types 1 Hyunsang Choi, 2 Bin B. Zhu, 1 Heejo Lee 1 Korea University, 2 Microsoft Research Asia USENIX WebApps 2011 2011-06-21 Outline Introduction Existing solutions

470 views • 25 slides
Faster Agreement via a Spectral Method for Detecting Malicious Behavior Valerie King Jared

Faster Agreement via a Spectral Method for Detecting Malicious Behavior Valerie King Jared

Faster Agreement via a Spectral Method for Detecting Malicious Behavior Valerie King Jared Saia Abstract to be reliable. What happens if a hidden cabal generates bits that are not truly random? Can we detect and We address the problem

340 views • 16 slides
WEBCOP: LOCATING NEIGHBORHOODS OF MALWARE ON THE WEB Reid Andersen Jay Stokes

WEBCOP: LOCATING NEIGHBORHOODS OF MALWARE ON THE WEB Reid Andersen Jay Stokes

WEBCOP: LOCATING NEIGHBORHOODS OF MALWARE ON THE WEB Reid Andersen Jay Stokes Christian Seifert Microsoft Research Kumar Chellapilla Microsoft Search Detecting Malicious Web Pages Detecting Malicious Web Pages Production

427 views • 23 slides
Emergent behaviour in virtual agents Emergent behaviour in virtual agents Colin Chibaya Colin

Emergent behaviour in virtual agents Emergent behaviour in virtual agents Colin Chibaya Colin

Emergent behaviour in virtual agents Emergent behaviour in virtual agents Colin Chibaya Colin Chibaya and Professor Shaun Bangay Professor Shaun Bangay Research goal Research goal To investigate control routines for achieving emergent

679 views • 13 slides
Mobile Agents Rendezvous in Mesh-Networks in spite of a Malicious Agent Shantanu Das 1 , Flaminia

Mobile Agents Rendezvous in Mesh-Networks in spite of a Malicious Agent Shantanu Das 1 , Flaminia

Mobile Agents Rendezvous in Mesh-Networks in spite of a Malicious Agent Shantanu Das 1 , Flaminia L. Luccio 2 , Euripides Markou 3 1 LIF, Aix-Marseille University, Marseille, France 2 DAIS, Universit Ca Foscari Venezia, Venezia, Italy 3

632 views • 23 slides
Spoiled Onions: Exposing Malicious Tor Exit Relays Philipp Winter, Richard K ower, Martin

Spoiled Onions: Exposing Malicious Tor Exit Relays Philipp Winter, Richard K ower, Martin

Spoiled Onions: Exposing Malicious Tor Exit Relays Philipp Winter, Richard K ower, Martin Mulazzani , Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, Edgar Weippl Outline This talk is about: Detecting malicious Tor exit relays

521 views • 31 slides
Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas

Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas

Automatically Detecting Vulnerable Sites Before They Turn Malicious Kyle Soska Nicolas Chris>n Carnegie Mellon University Carnegie Mellon University ECE / Cylab ECE / Cylab

491 views • 28 slides
model with two types of agents and shift in behaviour Pasquale Commendatore (University of Naples

model with two types of agents and shift in behaviour Pasquale Commendatore (University of Naples

An overlapping generations model with two types of agents and shift in behaviour Pasquale Commendatore (University of Naples Federico II, Italy) Ingrid Kubin (Vienna University of Economics and BA, Austria) Iryna Sushko (NASU and Kyiv School

533 views • 38 slides
ENCAPSULATING REACTING BEHAVIOUR IN GOAL-BASED PLANS FOR PROGRAMMING BDI AGENTS Rafael H. Bordini

ENCAPSULATING REACTING BEHAVIOUR IN GOAL-BASED PLANS FOR PROGRAMMING BDI AGENTS Rafael H. Bordini

ENCAPSULATING REACTING BEHAVIOUR IN GOAL-BASED PLANS FOR PROGRAMMING BDI AGENTS Rafael H. Bordini Rem Collier Jomi F. Hbner Alessandro Ricci School of Technology, PUCRS University College of Dublin DAS, Fed. Univ. of Santa Catarina DISI,

441 views • 14 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
a story telling robot: modelling and evaluation of human-like gaze behaviour 1 motivations

a story telling robot: modelling and evaluation of human-like gaze behaviour 1 motivations

a story telling robot: modelling and evaluation of human-like gaze behaviour 1 motivations social functions of gaze behaviour gaze and task performance previous work on simulating gaze behaviour in agents and robots How are

245 views • 11 slides
Curling: Why The _ Do You _? Zaheen Ahmad Rational Behaviour Rational agents play to maximize

Curling: Why The _ Do You _? Zaheen Ahmad Rational Behaviour Rational agents play to maximize

Curling: Why The _ Do You _? Zaheen Ahmad Rational Behaviour Rational agents play to maximize expected utility in games Humans are not always rational in reality Di ffi cult to analyze rationality in all games 2 Curling Sport

421 views • 28 slides
Hardware is too important to trust U NTRUSTED C OMPUTING B ASE : blindly Detecting and Removing

Hardware is too important to trust U NTRUSTED C OMPUTING B ASE : blindly Detecting and Removing

Overcoming an Hardware is too important to trust U NTRUSTED C OMPUTING B ASE : blindly Detecting and Removing Malicious Hardware Automatically Rest of the system Matthew Hicks Murph Finnicum Samuel T. King University of Illinois

428 views • 9 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
Agent Planning Programs A New Method to Design and Control Intelligent Agents Behaviour Sebastian

Agent Planning Programs A New Method to Design and Control Intelligent Agents Behaviour Sebastian

Agent Planning Programs A New Method to Design and Control Intelligent Agents Behaviour Sebastian Sardina School of Computer Science and IT RMIT University Melbourne, Australia sebastian.sardina@rmit.edu.au Joint work with Giuseppe De Giacomo

1.81k views • 146 slides
Session 14 Introduction to Behaviour that Challenges SECTION 5: 1 Behaviour Behaviour that is

Session 14 Introduction to Behaviour that Challenges SECTION 5: 1 Behaviour Behaviour that is

Session 14 Introduction to Behaviour that Challenges SECTION 5: 1 Behaviour Behaviour that is challenging We used to talk about problem behaviour or behavioural difficulties Now we see this as behaviour that challenges services.

314 views • 7 slides
On the Combined Behaviour of Autonomous Resource Management Agents Siri Fagernes and Alva L.

On the Combined Behaviour of Autonomous Resource Management Agents Siri Fagernes and Alva L.

Resource management using autonomic operators Model and Simulations Results On the Combined Behaviour of Autonomous Resource Management Agents Siri Fagernes and Alva L. Couch June 24, 2010 university-logo Siri Fagernes and Alva L. Couch

866 views • 34 slides
Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why should you care? How to detect Spam? 2 What is Spam? What is Spam? All forms of malicious manipulation of user generated data so as to

943 views • 56 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
ANTI SOCIAL BEHAVIOUR WHAT IS ANTISOCIAL WHAT IS ANTISOCIAL BEHAVIOUR BEHAVIOUR Bullying

ANTI SOCIAL BEHAVIOUR WHAT IS ANTISOCIAL WHAT IS ANTISOCIAL BEHAVIOUR BEHAVIOUR Bullying

ANTI SOCIAL BEHAVIOUR WHAT IS ANTISOCIAL WHAT IS ANTISOCIAL BEHAVIOUR BEHAVIOUR Bullying in School & out of School Vandalism or graffiti Playing music too loudly Shouting, screaming or swearing Drinking alcohol

121 views • 10 slides

More recommend