惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
T
Tenable Blog
Know Your Adversary
Know Your Adversary
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Privacy International News Feed
S
Security Affairs
NISL@THU
NISL@THU
O
OpenAI News
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
S
SegmentFault 最新的问题
S
Schneier on Security
G
Google Developers Blog
V
V2EX
C
Check Point Blog
U
Unit 42
Google DeepMind News
Google DeepMind News
T
Threatpost
阮一峰的网络日志
阮一峰的网络日志
T
The Exploit Database - CXSecurity.com
Recent Announcements
Recent Announcements
M
MIT News - Artificial intelligence
S
Secure Thoughts
博客园 - 司徒正美
Recorded Future
Recorded Future
P
Proofpoint News Feed
Spread Privacy
Spread Privacy
K
Kaspersky official blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
AI
AI
博客园 - 聂微东
N
News and Events Feed by Topic
SecWiki News
SecWiki News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Vulnerabilities – Threatpost
P
Palo Alto Networks Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
Recent Commits to openclaw:main
Recent Commits to openclaw:main
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
WordPress大学
WordPress大学
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
Project Zero
Project Zero
W
WeLiveSecurity
博客园 - Franky

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident How to Lead Effective Tabletops Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview
Initial Access Operations Part 1: The Windows Endpoint Defense Technology Landscape
BHIS · 2024-02-23 · via Black Hills Information Security, Inc.

Security Consultant, Malware Researcher, New Technology Researcher Evangelist.

Today’s endpoint defense landscape on the Windows desktop platform is rich with product offerings of quite sophisticated capabilities. Beyond the world of antivirus products, Extended Detection and Response (XDR), and complementary behavioral analysis approaches provide a broad coverage of both initial access malware techniques, as well as post exploitation activity detection.

Anybody participating in Red Teaming activities today will tell you that gaining initial access through the execution of some binary artifact is much harder now than ever before. Even if access is gained on a Windows desktop platform, post exploitation activities by common command and control platforms are well studied and with well-instrumented defense responses in mature environments.

This enhanced endpoint defense posture has resulted in both Red Teamers and Threat Actors shifting tactics to other vulnerable areas such as cloud resource misconfiguration, team collaboration tools, software developer supply chains, and the ever-present credential (mis)management challenges that persist across 0road array of information technology solutions.

The defensive technique/technology list below is focused on defense product techniques with brief mention of integrated Windows features. There exists a host of other Windows Operating System security features, such as: Address Space Layout Randomization (ASLR) , Data Exception Prevention (DEP), and Control Flow Guard (CFG), for example, which is not the focus of this article.

Examples of defense technique coverage include items such as the following:

  • Static artifact analysis
  • Event tracing for Windows
  • Windows kernel notification callbacks
  • Windows DLL API hooking
  • Process Tree Analysis
  • Memory Page Scanning
  • Call Stack Tracing
  • Windows 10/11 hardware enforced stack protection
  • Kernel driver block listing

I won’t bother speaking about static artifact analysis too much, since it’s fairly self-evident, given entities like Virus Total and the like. Briefly, it is true to say that any static artifact with a high entropy score, i.e. large amounts of embedded encrypted data, will likely drive an immediate detection from most products.  Having said that, let’s cover some of these other techniques.

Event Tracing for Windows (ETW)

This technology implements tracing and event logging for both user mode applications and kernel driver activities. The Windows Event Tracing API is implemented in three components:

  1. Controllers which can start or stop event tracing sessions.
  2. Providers which supply the event data itself
  3. Consumers which consume the event data
Event Tracing Architecture
Source:
https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing

There are three types of providers, Managed Object Format (MOF), Windows software trace preprocessor (WPP), and finally trace logging, which is what provides the ETW logging. Needless to say, if you subscribe as a consumer to ETW data, you will receive a huge volume of trace logging, which includes almost any Windows API call that can be made by an application and is quite literally a “fire hose” of information.

Windows Kernel Notification Callbacks

Back in the bad, old, Wild West days, many defense products would place redirection hooks into the System Service Descriptor Table (SSDT) to receive the necessary telemetry on application activities. Microsoft (rightfully) decided that they didn’t particularly like this technique, since any small 3rd party developer software defects could (and did) result in destabilizing the Windows kernel. When Windows Vista was released, Microsoft released an accompanying change called Patch Guard (Kernel Patch Protection) which enforced that 3rd party vendors could no longer place hooks into the SSDT among other things.

As you can imagine, many of the defense vendors did particular like the idea of a loss in telemetry, and thus, Microsoft did provide a feature called Kernel Notification Callbacks. This feature has been steadily enhanced since its initial release.

Kernel Notification Callbacks allowed a signed kernel driver to register a callback routine in order to receive notifications. At a high level, the different notifications include:

  • PsSetCreateProcessNotifyRoutine
    • Registers a callback routine for process creation events
  • PsSetCreateThreadNotifyRoutine
    • Registers a callback routine for thread creation events
  • PsSetLoadImageNotifyRoutine
    • Registers a callback routine for image load events
  • ObRegisterCallbacks
    • Registers a callback routine for object changes such as when a process, thread, or desktop handle is opened or duplicated.
  • CmRegisterCallback
    • Registers a callback routine for any Windows registry operations

Given this granularity of notification information, it should be no surprise that defense vendors used signed drivers that will leverage a number of the above notifications.

The advantage of doing this at a kernel level is a smaller chance of malware tampering with the callback registration or data.  Although be aware that signed and vulnerable kernel drivers exist that are not on the block list, which presents a risk of tampering.

Windows DLL API Hooking

API hooking has long been a technique to redirect code execution in a Windows user mode process. This can be performed on almost any loaded image/module in a process, but is, however, most commonly performed on “ntdll.dll”, which is always loaded along with “kernel32.dll” and now “kernelbase.dll”, in all application processes.

The Windows Native API is a set of application programming interfaces used in the Windows operating system. “ntdll.dll” is a dynamic-link library that contains a collection of functions that are part of the Windows native API.  “ntdll.dll” system calls (syscalls), are low-level functions that provide an interface between user-mode applications and the Windows kernel.

When a user-mode application needs to perform a privileged operation or interact with the operating system’s kernel, it makes a system call. Instead of directly invoking kernel functions, applications call functions within “ntdll.dll”, which in turn, makes the necessary system calls to the Windows kernel.

Let’s look at an example of the “ntdll.dll” API call “NtWriteVirtualMemory()”.  For the image below, I started up the Windows debugger (WinDBG) and a “notepad.exe” process (because we love picking on notepad).  After attaching the debugger to the process, I disassembled the API call.

First note that this is a 64-bit process, and we are staying there because there is a dwindling amount of 32-bit systems these days anyway. The first two machine code opcodes below are doing the following:

  • “mov r10,rcx”: save a copy of RCX in the R10 register
  • “mov eax,<syscall number>: move the system call number into the EAX register. (EAX is just a 32-bit notation for the RCX 64-bit register)
  • Next, there is a test to see whether we should be using the “int 0x2e” interrupt driven system call convention or the “syscall” instruction.  Either way, a system call is going to occur!

Now, because we can open any process that we have the appropriate security token rights to open, we can also overwrite virtual memory in a process.

As it turns out, we can replace the second opcode with a JMP instruction to redirect the code to a new memory location. Conveniently, a 32-bit short JMP instruction fits nicely into the 5 bytes available to us.

Overall, the sequence to hook an API in “ntdll.dll” for a defensive product might look something like this:

  1. The defensive product receives some kernel notification callback that it considers “interesting.”
  2. The defensive product opens the application process and injects into the process some code to load its own signed DLL module. Alternatively, the defensive product may be configured such that its own signed DLL module is loaded for all process creation, in which case, this step would be unnecessary.
  3. The defensive product finds the address of the “ntdll.dll” API of interest and overwrites the second opcode with a JMP instruction into code of the newly loaded DLL/module.
  4. Depending on the DLL loaded, some sort of defensive scanning actions or just further notification or even perhaps a direct blocking on the API call is made.  If not blocked, the defensive product DLL will move the correct SYSCALL number into the EAX register and then JMP back to the SYSCALL instruction of the original API.[ME1] 

“ntdll.dll” API hooking may or may not be implemented dynamically using kernel notification callbacks. In some instances, the defense product design might hook many of the “ntdll.dll” API’s upon an image load notification for all processes and leave them hooked for the lifetime of the processes.

Visually, the whole sequence can be represented as follows:

Event Driven API Hooking

Process Tree Analysis

The idea here is to create an internal representation of the running processes on a system and their hierarchical relationships. The parent child relationship data can be compared with a set of static rules, and/or processed through an artificial intelligence model in order to identify abnormal outliers. A simple example might be to consider the PowerShell process as potentially suspicious if it is a child process of an Excel spreadsheet. 

Memory Page Scanning

It is not uncommon for malware to allocate some pages of virtual memory, copy some machine code (shellcode) to that memory, set the page(s) to the PAGE_EXECUTE_READ permission and create a thread pointing to the start address of the memory allocated. Virtual memory is a memory management technique that provides an abstraction of the physical memory resource. On Windows, and many other operating systems, a page of virtual memory consists of 4096 contiguous allocated bytes.

The thread of execution created could be in the same running process that the malware started or could be injected into a foreign process accessed by the malware, assuming the security token of the malware process has sufficient rights to access the foreign process.

Defensive products can use the “ntdll.dll” API “NtQueryInformationThread()” to determine any process thread’s starting address. In addition, the kernel32.dll API “VirtualQuery()” or “VirtualQueryEx()” can be used to obtain allocated virtual memory properties. The “kernel32.dll” API functions ending in “Ex” are typically those which can access a tertiary process using an open process handle as opposed to the local process. It is also possible to use the “ntdll.dll” API call “NtReadVirtualMemory()” to directly examine memory contents itself.

Some easy detection opportunities arise from memory page scanning:

  • If virtual memory is allocated and protections are set to READ, WRITE, and EXECUTE, then it is pretty much guaranteed to be malicious.
    • The reason that READ, WRITE, and EXECUTE permissions on virtual memory pages is an indicator of compromise is related to how virtual memory is used in a typical Windows process. Executable machine code in say the “.text” section of a PE/COFF executable will typically be mapped into virtual memory pages set to READ and EXECUTE only.

      As the code in a process executes, memory is going to be modified either on a thread’s stack or the heap, with some additional fixed symbolic information mapped from the “.data” section of a PE/COFF module. In these use cases, we typically will see either READ ONLY permissions on virtual memory pages or READ/WRITE permissions.

  • If virtual memory is set to READ and EXECUTE and the memory is not backed by a DLL module image load when the thread is created, it is likely malicious.
  • Commonly used shellcode, like those in the Metasploit project, Cobalt Strike, and others, have distinct known memory patterns that can be directly matched. Detection methods have also included heap allocation scans for Cobalt Strike profile data for example.

Note: A related offensive evasion technique is to encrypt any heap data when a C2 client shellcode goes in/out of sleep mode.

Call Stack Tracing/Analysis

Whenever a process thread is created, a region of memory is always allocated for the thread’s stack. The stack is organized into stack frames whereby every function call creates a new frame. A stack frame will contain local variables belonging to the specific function, as well as a function return address.

As any code in a thread executes, its stack will grow and shrink as various functions are called. This means that at any point in time, the thread’s stack (sometimes referred to as the call stack) has a trail of evidence showing the sequence and depth of function calls.

Defensive products can use a kernel callback to trigger “call stack analysis,” which will unwind the call stack and most often check to see if any function calls were made from memory not backed by a DLL module/image loaded from disk.  

A related concept to this is exception handling information in which the “.pdata” section of a 64-bit PE/COFF image contains function table entries containing exception handling code on a per function basis.

From an offensive perspective, it is possible to write fake information into the call stack, making it look like all function calls are completely legitimate. This act will evade/defeat call stack tracing defenses.

Windows 10/11 Hardware Enforced Stack Protection

With the introduction of Windows 11, and appropriate processor support, there exists a new defensive technique called Hardware Enforced Stack Protection. This feature will only work if the underlying processor provides support, such as Intel’s Control-flow Enhancement Technology (CET) or AMD’s shadow stacks.

In short, for all running processes, the return address of any function call is pushed onto both the process thread’s call stack as well as a shadow stack maintained by the processor. Whenever a return instruction (RET) is encountered, the return addresses on both stacks are compared. If the addresses do not match then a control protection exception is issued. This exception is caught by the Windows kernel which in turn will terminate the offending process.

Source: https://www.intel.com/content/dam/develop/external/us/en/documents/catc17-introduction-intel-cet-844137.pdf

Using shadow stacks for comparing function return addresses provides a defense against Return Oriented Programming (ROP) gadget use, as well as any attempt to fake a call stack thereby making any call stack analysis more effective.

Within the same suite of protections, Intel has also implemented Indirect Branch Tracking (IBT), which is focused on defeating both Jump and Call Oriented Programming (COP/JOP) attack methods.

Kernel Driver Block Listing

One of the more attractive attacker targets that exists in the Microsoft Windows kernel environment is a signed driver that has a vulnerability.  With direct access to kernel memory via a vulnerable signed driver, any kernel mode data structure can be modified, including the ability to disable signed driver enforcement and load any custom driver that the attacker wishes to.

If a vulnerable driver already exists on an endpoint, some custom user mode application code can be written to exert control over that driver and perform further exploitation. If an attacker has privileges on a system, then an approach known as Bring Your Own Vulnerable Driver (BYOVD) can be used to install a driver for further exploitation. Once any level of control is established in the kernel, system security is completely compromised with no limits other than imagination for attacker capability.

Unfortunately, driver development is a non-trivial endeavor, and there is a lot of code sharing that occurs in the community. On top of this, there are numerous devices and drivers going back in time that are used in different environments. This is a rich area of exploitation for threat actors today.

As such, with the introduction of Windows 11 as of the 2022 update, Microsoft has enabled the vulnerable driver blocklist. Microsoft runs a program for vulnerable driver submissions, and updates the vulnerable driver blocklist with each major release of Windows (about twice a year). Microsoft also provides a way to manually update the list using the Windows defender application control policy.

Unfortunately, the Microsoft blocklist is far from comprehensive, and as you might imagine, it is very difficult to adequately maintain such a resource with so many devices and drivers in existence. Thus, there still exists many vulnerable and signed drivers today which are being actively exploited. Furthermore, there are lists of vulnerable drivers that are made available online.  One of these is here at https://www.loldrivers.io/

Conclusion

The list of techniques and descriptions above should now give you a good sense of why it is increasingly difficult to achieve a foothold on a Windows endpoint and perform post exploitation activities in a maturely instrumented environment. Having said that, initial access operations for Red Teamers are not impossible, just dependent on more sophisticated mature artifact generation techniques. In my opinion, achieving this requires an offensive DevOps approach. This is described in the next blog post, entitled “Initial Access Operations Part 2 – Offensive DevOps” (coming soon!).

Be sure to tune in next Thursday, 2/29, at 1pm EST for Joff’s webcast:

Exploring the Python “psutil” Module Under Windows w/ Joff Thyer

Learn more and register HERE!