in in ntdll i i trust process reimaging and endpoint
play

In In NTDLL I I Trust Process Reimaging and Endpoint Security - PowerPoint PPT Presentation

Feb 01, 2024 •220 likes •848 views

In In NTDLL I I Trust Process Reimaging and Endpoint Security Solution Bypass Eoin Carroll Senior Security Researcher Hack in Paris 2019 McAfee ATR Attribution sacr bleu Eoin Carroll Steve Povolny Steve Hearnden Cedric Cochin About

  1. In In NTDLL I I Trust Process Reimaging and Endpoint Security Solution Bypass Eoin Carroll Senior Security Researcher Hack in Paris 2019 McAfee ATR

  2. Attribution sacré bleu Eoin Carroll Steve Povolny Steve Hearnden Cedric Cochin

  3. About me @w3knight Security Researcher Semi-Conductor SW Security Engineer Medical Device Electronic Engineer Electronic Engineer Appsec Pentester Security Team Lead Security Mgr Security Architect 2000 2007 2011 2018

  4. The next 40 minutes… • Process Reimaging Overview • AV scanners and Process Reimaging • Mitre ATT&CK and Defensive Evasion • Process Reimaging Prerequisite and Attack Vectors • Process Reimaging Weaponization • Windows Kernel APIs + Process Reimaging Deep Dive • Windows Defender bypass demo • Impact and Protection Recommendations

  5. Process Reimaging Overview • Process Reputation and Trust verification bypass • Impacts non-EDR Endpoint Security Solutions using NTDLL APIs such as K32GetProcessImageFilename • Equivalent in impact to Process Hollowing or Process Doppelganging within the Mitre Attack Defense Evasion Category • Malicious Process can dwell on Endpoint until reboot or full scan post signature update

  6. Antivirus Scanner Detection Points 1. FileCreate • Signature == detects @ 1,2,4 2. Section Create 3. Cleanup 4. ImageLoad 5. CloseFile

  7. Antivirus Scanner Detection Points 1. FileCreate • Signature == detects @ 1,2,4 2. Section Create • No Signature == depends on OS for 3. Cleanup running process attribute verification @ 4 4. ImageLoad 5. CloseFile

  8. Antivirus Scanner Detection Points 1. FileCreate • Signature == detects @ 1,2,4 2. Section Create • No Signature == depends on OS for 3. Cleanup running process attribute verification @ 4 4. ImageLoad Process Reimaging Definition 5. CloseFile “Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths which enable an adversary to bypass Windows Operating System Process attribute verification”

  9. Mitre ATT&CK

  10. Mitre ATT&CK

  11. Subverting Trust

  12. Subverting Trust Digital Signature Validation

  13. Subverting Trust Digital Signature Validation Process Attribute Verification

  14. May 2018 – SynAck Ransomware

  15. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe Endpoint Security Solution (ESS)

  16. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended Endpoint Security Solution (ESS)

  17. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NtUnmapViewOfSection VirtualAllocEx Malicious PE WriteProcessMemory ResumeThread Endpoint Security Solution (ESS)

  18. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NtUnmapViewOfSection VirtualAllocEx Malicious PE WriteProcessMemory ResumeThread Protection failed to detect obfuscated dropper Endpoint Security Solution (ESS)

  19. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NtUnmapViewOfSection VirtualAllocEx Malicious PE WriteProcessMemory ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  20. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NTDLL API for Process Image Query NtUnmapViewOfSection VirtualAllocEx Malicious PE WriteProcessMemory ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  21. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NTDLL API for Process Image Query NtUnmapViewOfSection VirtualAllocEx msiexec.exe Malicious PE WriteProcessMemory ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  22. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted Endpoint Security Solution (ESS)

  23. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted WriteFile CreateSection Malicious PE Endpoint Security Solution (ESS)

  24. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted WriteFile CreateSection Malicious PE RollBackTransaction NtCreateProcess ResumeThread Endpoint Security Solution (ESS)

  25. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted WriteFile CreateSection Malicious PE RollBackTransaction NtCreateProcess ResumeThread Protection failed to detect obfuscated dropper Endpoint Security Solution (ESS)

  26. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted WriteFile CreateSection Malicious PE RollBackTransaction NtCreateProcess ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  27. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted NTDLL API for Process Image Query WriteFile CreateSection Malicious PE RollBackTransaction NtCreateProcess ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  28. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted NTDLL API for Process Image Query WriteFile CreateSection msiexec.exe Malicious PE RollBackTransaction NtCreateProcess ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

Recommend

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint Solution t A New Endpoint Environment i i t E E d A N The New Endpoint Reality Increasing Malware Risk 2M malware signatures identified

515 views • 14 slides
PATA Destination Marketing Forum 2019 Redefining a Destination Reviving the past to reimaging

PATA Destination Marketing Forum 2019 Redefining a Destination Reviving the past to reimaging

1 PATA Destination Marketing Forum 2019 Redefining a Destination Reviving the past to reimaging the future Session 2: The Case for Universal Design Pattaya Thailand Ar. Joseph Kwan 29 November 2019 UN Convention on Rights of Persons

849 views • 48 slides
Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X

Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X

Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X Demonstration / Feature Walk Through Deployment Options Q & A 2 Endpoint Security has reached a Tipping Point Attacks are from within the

937 views • 29 slides
Trust Speak Overview with dialogue all along the way: Definition of trust Three

Trust Speak Overview with dialogue all along the way: Definition of trust Three

Trust Speak Overview with dialogue all along the way: Definition of trust Three roads to trust: 1. Personal: one-on-one 2. Strategy: confidence in what we are doing 3. Process: how things are done Four principles

529 views • 4 slides
PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya

PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya

PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya Alowain, Kirill Levchenko, Amogh Dhamdhere, Bradley Huffaker, kc claffy, Mark Allman, Vern Paxson Quick Recap A measurement endpoint interface

480 views • 15 slides
Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to

Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to

Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to appear in J. Funct. Anal. (arXiv:1611.00462) Lukas Schimmer California Institute of Technology 13 February 2017 Schimmer (Caltech) Endpoint resolvent

274 views • 16 slides
Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang

Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang

Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang & Laure Devlamynck Sanofi-Aventis February 2007 Rutgers Biostatistics Day 1 Outline The use of composite endpoint The case of two

397 views • 29 slides
Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller

Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller

Powered by Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller Head of Global Security Operations Threat Intelligence Analyst LogRhythm Carbon Black The Endpoint is the new Perimeter The easiest

828 views • 62 slides
The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials

The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials

Surrogate Endpoint Frameworks Optimal Surrogate Framework Simulation Studies Application to Dengue Trials Discussion The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials Peter Gilbert, Brenda

1.62k views • 119 slides
iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA

iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA

iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA Dashboard Integrated with Network Layer (PacketX , UPAS) Field WiFi /BLE /ZigBee Layer (ArcRan iSecMaster) Endpoint Layer (Comodo)

549 views • 13 slides
FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides
THE SRF LOAN PROCESS April 2018 Massachusetts Clean Water Trust 1 Sue Perez Steven McCurdy

THE SRF LOAN PROCESS April 2018 Massachusetts Clean Water Trust 1 Sue Perez Steven McCurdy

STEPS TO COMPLETING THE SRF LOAN PROCESS April 2018 Massachusetts Clean Water Trust 1 Sue Perez Steven McCurdy Nate Keenan Ashraf Gabour Joshua Derouen Don St. Marie Jonathan Maple Massachusetts Clean Water Trust 2 Why Borrow from the

220 views • 19 slides
Common Endpoint Locator Pools Common Endpoint Locator Pools Common Endpoint Locator Pools (CELP)

Common Endpoint Locator Pools Common Endpoint Locator Pools Common Endpoint Locator Pools (CELP)

Common Endpoint Locator Pools Common Endpoint Locator Pools Common Endpoint Locator Pools (CELP) (CELP) (CELP) draft-crocker-celp draft-crocker-celp Dave Crocker Dave Crocker Avri Doria Avri Doria Multiple

225 views • 5 slides
Building Trust through Verification I am very pleased with the process Aerofied has presented

Building Trust through Verification I am very pleased with the process Aerofied has presented

Building Trust through Verification I am very pleased with the process Aerofied has presented to me, which in turn has saved my buyers hours of searching for what Aerofied already had available or have easily found. I think you will find

338 views • 13 slides
CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized,

CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized,

European Academy of Dermatology and Venereology Annual Congress October 12, 2019 CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized, Placebo-Controlled Dose-Ranging Trial in Patients with Moderate-to-Severe Alopecia

782 views • 20 slides
The endpoint multilinear Kakeya theorem via the BorsukUlam/LusternikSchnirelmann theorem

The endpoint multilinear Kakeya theorem via the BorsukUlam/LusternikSchnirelmann theorem

. . . . . . . . . . . . . . . . The endpoint multilinear Kakeya theorem via the BorsukUlam/LusternikSchnirelmann theorem After L. Guth, A. Carbery, I. Valdimarsson Pavel Zorin-Kranich University of Bonn Kopp, October 2017

327 views • 20 slides
Temet Nosce: Know Thy Endpoint Through and Through Thomas V. Fischer I am Threat

Temet Nosce: Know Thy Endpoint Through and Through Thomas V. Fischer I am Threat

Temet Nosce: Know Thy Endpoint Through and Through Thomas V. Fischer I am Threat Researcher 25+ years experience in InfoSec Spent number years in IR team positions Director @BSidesLondon Contact

412 views • 17 slides
Newcastle Parks Trust Governance July 2018 Articles of Association Newcastle Parks Trust

Newcastle Parks Trust Governance July 2018 Articles of Association Newcastle Parks Trust

Newcastle Parks Trust Governance July 2018 Articles of Association Newcastle Parks Trust During the ongoing consultation process it was agreed that the Council would share details of the governance arrangements for Newcastle Parks Trust

197 views • 19 slides
Windows endpoint analytics Why uberAgent in one word visibility Why uberAgent in one

Windows endpoint analytics Why uberAgent in one word visibility Why uberAgent in one

Helge Klein, vast limits Security visibility through Windows endpoint analytics Why uberAgent in one word visibility Why uberAgent in one slide Everybody monitors servers But what about the end users device? Organizations

582 views • 31 slides
Evaluating Effectiveness of an Embedded System Endpoint Security Technology on EDS Michael

Evaluating Effectiveness of an Embedded System Endpoint Security Technology on EDS Michael

Evaluating Effectiveness of an Embedded System Endpoint Security Technology on EDS Michael Siegel, Gregory Falco, Keman Huang, Weilian Chu, Elizabeth Reilly, Mayukha Vadari 1 Digitization of Industrial Sector Increased demand on

392 views • 15 slides
Novel Composite Endpoint Extended Analysis During Extension of Ibudilast Phase 1 b / 2 a Clinical

Novel Composite Endpoint Extended Analysis During Extension of Ibudilast Phase 1 b / 2 a Clinical

NCT02238626 C22 Novel Composite Endpoint Extended Analysis During Extension of Ibudilast Phase 1 b / 2 a Clinical Trial Better Predicts Post-Wash-Out Survival Benjamin Rix Brooks 1, 6 MD, Elena K Bravver 1,6 MD, Mohammed Sanjak 1, 2, 6 PhD, PT,

490 views • 35 slides
The Mixed Blessing of a Deregulatory Endpoint for the Public Switched Telephone Network A

The Mixed Blessing of a Deregulatory Endpoint for the Public Switched Telephone Network A

The Mixed Blessing of a Deregulatory Endpoint for the Public Switched Telephone Network A Presentation at the 3 rd Workshop on Internet Economics: Definitions and Data University of California at San Diego December 12, 2012 Rob Frieden,

473 views • 12 slides
NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For ACM CCS I ndustry/ Govt Track Oct. 26, 2004 Carl Landwehr ( clandweh@nsf.gov ) Cyber Trust Coordinator National Science Foundation What s the

439 views • 17 slides

More recommend