in in ntdll i i trust process reimaging and endpoint
play

In In NTDLL I I Trust Process Reimaging and Endpoint Security - PowerPoint PPT Presentation

Feb 01, 2024 •220 likes •848 views

In In NTDLL I I Trust Process Reimaging and Endpoint Security Solution Bypass Eoin Carroll Senior Security Researcher Hack in Paris 2019 McAfee ATR Attribution sacr bleu Eoin Carroll Steve Povolny Steve Hearnden Cedric Cochin About

  1. In In NTDLL I I Trust Process Reimaging and Endpoint Security Solution Bypass Eoin Carroll Senior Security Researcher Hack in Paris 2019 McAfee ATR

  2. Attribution sacré bleu Eoin Carroll Steve Povolny Steve Hearnden Cedric Cochin

  3. About me @w3knight Security Researcher Semi-Conductor SW Security Engineer Medical Device Electronic Engineer Electronic Engineer Appsec Pentester Security Team Lead Security Mgr Security Architect 2000 2007 2011 2018

  4. The next 40 minutes… • Process Reimaging Overview • AV scanners and Process Reimaging • Mitre ATT&CK and Defensive Evasion • Process Reimaging Prerequisite and Attack Vectors • Process Reimaging Weaponization • Windows Kernel APIs + Process Reimaging Deep Dive • Windows Defender bypass demo • Impact and Protection Recommendations

  5. Process Reimaging Overview • Process Reputation and Trust verification bypass • Impacts non-EDR Endpoint Security Solutions using NTDLL APIs such as K32GetProcessImageFilename • Equivalent in impact to Process Hollowing or Process Doppelganging within the Mitre Attack Defense Evasion Category • Malicious Process can dwell on Endpoint until reboot or full scan post signature update

  6. Antivirus Scanner Detection Points 1. FileCreate • Signature == detects @ 1,2,4 2. Section Create 3. Cleanup 4. ImageLoad 5. CloseFile

  7. Antivirus Scanner Detection Points 1. FileCreate • Signature == detects @ 1,2,4 2. Section Create • No Signature == depends on OS for 3. Cleanup running process attribute verification @ 4 4. ImageLoad 5. CloseFile

  8. Antivirus Scanner Detection Points 1. FileCreate • Signature == detects @ 1,2,4 2. Section Create • No Signature == depends on OS for 3. Cleanup running process attribute verification @ 4 4. ImageLoad Process Reimaging Definition 5. CloseFile “Windows Kernel APIs return stale and inconsistent FILE_OBJECT paths which enable an adversary to bypass Windows Operating System Process attribute verification”

  9. Mitre ATT&CK

  10. Mitre ATT&CK

  11. Subverting Trust

  12. Subverting Trust Digital Signature Validation

  13. Subverting Trust Digital Signature Validation Process Attribute Verification

  14. May 2018 – SynAck Ransomware

  15. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe Endpoint Security Solution (ESS)

  16. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended Endpoint Security Solution (ESS)

  17. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NtUnmapViewOfSection VirtualAllocEx Malicious PE WriteProcessMemory ResumeThread Endpoint Security Solution (ESS)

  18. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NtUnmapViewOfSection VirtualAllocEx Malicious PE WriteProcessMemory ResumeThread Protection failed to detect obfuscated dropper Endpoint Security Solution (ESS)

  19. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NtUnmapViewOfSection VirtualAllocEx Malicious PE WriteProcessMemory ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  20. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NTDLL API for Process Image Query NtUnmapViewOfSection VirtualAllocEx Malicious PE WriteProcessMemory ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  21. SynAck – Process Hollowing Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Process created with trusted binary 2. Process Hollowing with malicious code Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateProcess Create_Suspended NTDLL API for Process Image Query NtUnmapViewOfSection VirtualAllocEx msiexec.exe Malicious PE WriteProcessMemory ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  22. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted Endpoint Security Solution (ESS)

  23. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted WriteFile CreateSection Malicious PE Endpoint Security Solution (ESS)

  24. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted WriteFile CreateSection Malicious PE RollBackTransaction NtCreateProcess ResumeThread Endpoint Security Solution (ESS)

  25. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted WriteFile CreateSection Malicious PE RollBackTransaction NtCreateProcess ResumeThread Protection failed to detect obfuscated dropper Endpoint Security Solution (ESS)

  26. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted WriteFile CreateSection Malicious PE RollBackTransaction NtCreateProcess ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  27. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted NTDLL API for Process Image Query WriteFile CreateSection Malicious PE RollBackTransaction NtCreateProcess ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

  28. SynAck – Process Doppelganging Initial Access Execution Defense Evasion Acting on Objectives Obfuscated Trojan Drive-by-Compromise Dropper 1. Trusted Binary transacted as Malicious PE 2. Create Sections from transacted Malicious PE Dropper Location 3. Rollback transaction removes changes from Filesystem SynAck.exe Phishing msiexec.exe msiexec.exe CreateTransaction CreateFileTransacted NTDLL API for Process Image Query WriteFile CreateSection msiexec.exe Malicious PE RollBackTransaction NtCreateProcess ResumeThread Protection failed to detect obfuscated dropper Signatures updated Endpoint Security Solution (ESS)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint Solution t A New Endpoint Environment i i t E E d A N The New Endpoint Reality Increasing Malware Risk 2M malware signatures identified

515 views • 14 slides
PATA Destination Marketing Forum 2019 Redefining a Destination Reviving the past to reimaging

PATA Destination Marketing Forum 2019 Redefining a Destination Reviving the past to reimaging

1 PATA Destination Marketing Forum 2019 Redefining a Destination Reviving the past to reimaging the future Session 2: The Case for Universal Design Pattaya Thailand Ar. Joseph Kwan 29 November 2019 UN Convention on Rights of Persons

849 views • 48 slides
Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X

Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X

Agenda Why we need a new approach to endpoint security Introducing Sophos Intercept X Demonstration / Feature Walk Through Deployment Options Q & A 2 Endpoint Security has reached a Tipping Point Attacks are from within the

937 views • 29 slides
Trust Speak Overview with dialogue all along the way: Definition of trust Three

Trust Speak Overview with dialogue all along the way: Definition of trust Three

Trust Speak Overview with dialogue all along the way: Definition of trust Three roads to trust: 1. Personal: one-on-one 2. Strategy: confidence in what we are doing 3. Process: how things are done Four principles

529 views • 4 slides
PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya

PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya

PacketLab: A Universal Measurement Endpoint Interface Tzu-Bin Yan with Michael Chen, Lamya Alowain, Kirill Levchenko, Amogh Dhamdhere, Bradley Huffaker, kc claffy, Mark Allman, Vern Paxson Quick Recap A measurement endpoint interface

480 views • 15 slides
Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to

Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to

Endpoint resolvent estimates for compact Riemannian manifolds joint work with R. L. Frank to appear in J. Funct. Anal. (arXiv:1611.00462) Lukas Schimmer California Institute of Technology 13 February 2017 Schimmer (Caltech) Endpoint resolvent

274 views • 16 slides
Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang

Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang

Analysis of a Composite Endpoint with Missing Data in Components Hui Quan, Daowen Zhang, Ji Zhang & Laure Devlamynck Sanofi-Aventis February 2007 Rutgers Biostatistics Day 1 Outline The use of composite endpoint The case of two

397 views • 29 slides
Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller

Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller

Powered by Activated Charcoal Making Sense of Endpoint Data Company Confidential Greg Foss Sarah Miller Head of Global Security Operations Threat Intelligence Analyst LogRhythm Carbon Black The Endpoint is the new Perimeter The easiest

828 views • 62 slides
The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials

The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials

Surrogate Endpoint Frameworks Optimal Surrogate Framework Simulation Studies Application to Dengue Trials Discussion The Search for an Optimal Immunological Surrogate Endpoint in Randomized Vaccine Efficacy Trials Peter Gilbert, Brenda

1.62k views • 119 slides
iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA

iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA

iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA Dashboard Integrated with Network Layer (PacketX , UPAS) Field WiFi /BLE /ZigBee Layer (ArcRan iSecMaster) Endpoint Layer (Comodo)

549 views • 13 slides
FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides
THE SRF LOAN PROCESS April 2018 Massachusetts Clean Water Trust 1 Sue Perez Steven McCurdy

THE SRF LOAN PROCESS April 2018 Massachusetts Clean Water Trust 1 Sue Perez Steven McCurdy

STEPS TO COMPLETING THE SRF LOAN PROCESS April 2018 Massachusetts Clean Water Trust 1 Sue Perez Steven McCurdy Nate Keenan Ashraf Gabour Joshua Derouen Don St. Marie Jonathan Maple Massachusetts Clean Water Trust 2 Why Borrow from the

220 views • 19 slides
Common Endpoint Locator Pools Common Endpoint Locator Pools Common Endpoint Locator Pools (CELP)

Common Endpoint Locator Pools Common Endpoint Locator Pools Common Endpoint Locator Pools (CELP)

Common Endpoint Locator Pools Common Endpoint Locator Pools Common Endpoint Locator Pools (CELP) (CELP) (CELP) draft-crocker-celp draft-crocker-celp Dave Crocker Dave Crocker Avri Doria Avri Doria Multiple

225 views • 5 slides
Building Trust through Verification I am very pleased with the process Aerofied has presented

Building Trust through Verification I am very pleased with the process Aerofied has presented

Building Trust through Verification I am very pleased with the process Aerofied has presented to me, which in turn has saved my buyers hours of searching for what Aerofied already had available or have easily found. I think you will find

338 views • 13 slides
CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized,

CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized,

European Academy of Dermatology and Venereology Annual Congress October 12, 2019 CTP-543, an Oral JAK Inhibitor, Achieves Primary Endpoint in Phase 2 Randomized, Placebo-Controlled Dose-Ranging Trial in Patients with Moderate-to-Severe Alopecia

782 views • 20 slides
Constructive Arithmetics in Ore Localizations with Enough Commutativity Johannes Hoffmann, Viktor

Constructive Arithmetics in Ore Localizations with Enough Commutativity Johannes Hoffmann, Viktor

Constructive Arithmetics in Ore Localizations with Enough Commutativity Johannes Hoffmann, Viktor Levandovskyy 1 RWTH Aachen University, Germany ISSAC 2018, New York 1 supported by DFG Transregio 195 Johannes Hoffmann (RWTH Aachen) Constructive

738 views • 62 slides
Pipelining: Its Natural! Laundry Example Ann, Brian, Cathy, Dave each have one load of

Pipelining: Its Natural! Laundry Example Ann, Brian, Cathy, Dave each have one load of

Pipelining: Its Natural! Laundry Example Ann, Brian, Cathy, Dave each have one load of clothes to wash, dry, and fold Washer takes 30 minutes, Dryer takes 40 minutes, Folder takes 20 minutes Pipelining doesnt help latency of 6

603 views • 25 slides
Data Mining and Machine Learning: Fundamental Concepts and Algorithms dataminingbook.info

Data Mining and Machine Learning: Fundamental Concepts and Algorithms dataminingbook.info

Data Mining and Machine Learning: Fundamental Concepts and Algorithms dataminingbook.info Mohammed J. Zaki 1 Wagner Meira Jr. 2 1 Department of Computer Science Rensselaer Polytechnic Institute, Troy, NY, USA 2 Department of Computer Science

488 views • 21 slides
{ name: "MongoDB", tags: [ "agile", "scalable", "noSQL",

{ name: "MongoDB", tags: [ "agile", "scalable", "noSQL",

{ name: "MongoDB", tags: [ "agile", "scalable", "noSQL", "non-relational", "non-scheme" ], speaker: " Radek imko " } ~ $ whoami facebook.com/ radeksimko twitter.com/

600 views • 22 slides
CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Annoucements

CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Annoucements

CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Annoucements Recitations - F2F w/ 490 at 2:00 in Baldy 110 Phases of a compiler Target machine code generation Figure 1.6, page 5 of text Code Transformations on

594 views • 42 slides
Outline Processors and Instruction Sets Review of pipelining MIPS

Outline Processors and Instruction Sets Review of pipelining MIPS

Advanced Topics on Heterogeneous System Architectures Pipelining Politecnico di Milano Seminar Room @ DEIB 30 November, 2017 Antonio R. Antonio R. Miele Miele Marco D. Santambrogio Marco D. Santambrogio Politecnico di

1.13k views • 74 slides
Strong Interactions and New Physics - LHC and operation (run-I, run-II) - ATLAS detector - QCD

Strong Interactions and New Physics - LHC and operation (run-I, run-II) - ATLAS detector - QCD

Results from ATLAS and CMS: Strong Interactions and New Physics - LHC and operation (run-I, run-II) - ATLAS detector - QCD - top-quark - Heavy Ion - new physics (BSM, Exotica) complementary ATLAS & CMS presentations at this workshop:

368 views • 36 slides
The Dover Architecture Hardware Enforcement of Software-Defined Security Policies Team: Greg

The Dover Architecture Hardware Enforcement of Software-Defined Security Policies Team: Greg

This Document Does Not Contain Controlled Technology or Technical Data Draper Proprietary The Dover Architecture Hardware Enforcement of Software-Defined Security Policies Team: Greg Sullivan (Draper) (presenting), Andr DeHon (UPenn), Eli

432 views • 19 slides

More recommend