File in Transaction: Htransactedfile = Createfiletransacted(“Svchost.Exe” , GENERIC WRITE | GENERIC READ, …, Htransaction, …) 3

THREAT HUNTING IN СALL TRACE

Andrey Skablonsky WHOAMI

• Senior Analyst @Kaspersky SOC R&D • Threat hunter • Ex- infosec admin • MSTU graduate • OSCP, GCTI

2 What is Threat hunting?

• Cyber threat hunting is the practice of searching iteratively through data to detect [advanced] threats that evade automatic security solutions

3 What is Threat hunting?

TTP-based based - TTPs* Tough! detection

TTP* detect Done automatically Tools Challenging by products

Networks/ Annoying Host Artifacts

Domain Names Simple signature, - Yara AM IP Addresses Easy

Hash Values Trivial

http://detect-respond.blogspot.mx/2013/03/the-pyramid-of-pain.html * TTP – tactics techniques and procedures 4 Process doppelgänging

• Attack technique was presented at BlackHat EU 2017 by Tal Liberman and Eugene Kogan (@enSilo); • Materials: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction- Process-Doppelganging.pdf

5 Process doppelgänging

• Transactional NTFS (TxF) API: Transactional function Non transactional equivalent Description

CreateTransaction no Creation of transaction CreateFileTransacted CreateFile Creating (opening) a file CopyFileTransacted CopyFileEx Copy file MoveFileTransacted MoveFileWithProgress Moving a file or directory DeleteFileTransacted DeleteFile File deletion CreateDirectoryTransacted CreateDirectoryEx Create directory RemoveDirectoryTransacted RemoveDirectory Directory removal RollbackTransaction no Transaction rollback CommitTransaction no Transaction commit 6 Process doppelgänging

• Steps: 1. Create transasction: hTransaction = CreateTransaction(…); 2. Open “clean” file in transaction: hTransactedFile = CreateFileTransacted(“svchost.exe” , GENERIC_WRITE | GENERIC_READ, …, hTransaction, …) 3. Overwrite “clean” file with malicious file: WriteFile(hTransactedFile, MALICIOUS_EXE_BUFFER, …) 4. Create section from malicious file: NtCreateSection(&hSection, …, PAGE_READONLY, SEC_IMAGE, hTransactedFile); 5. Rollback transaction (“clean” file restored to disk): RollbackTransaction(hTransaction);

7 Process doppelgänging

• Steps (continue): 6. Create process and thread (NtCreateProcessEx receives handle to created earlier section): NtCreateProcessEx(&hProcess, …, hSection, …); NtCreateThreadEx(&hThread, …, hProcess, MALICIOUS_EXE_ENTRYPOINT, …); 7. Create process parameters: RtlCreateProcessParametersEx(&ProcessParams, ...) 8. Write parameters to the address space of created process: VirtualAllocEx(hProcess, &RemoteProcessParams, …, PAGE_READWRITE); WriteProcessMemory(hProcess, RemoteProcessParams, ProcessParams, …); WriteProcessMemory(hProcess, RemotePeb.ProcessParameters, &RemoteProcessParams, …); 9. Start of substituted process: NtResumeThread(hThread, …)

8 Process doppelgänging

• Demo, replace notepad with Mimikatz:

9 Process doppelgänging

10 Process doppelgänging

• Result:

11 What is call stack?

• Example program: main() calls function1() calls function2() … calls function6() Call stack: function6() function5() function4() function3() function2() function1() main()

12 What is call stack?

• Example program:

13 What is call stack?

14 What is call stack?

15 How to view the call stack?

Debugging tools:

16 How to view the call stack?

• Process explorer/hacker:

17 How to view the call stack?

• Sysmon event ID 10 (ProcessAccess):

18 How to view the call stack?

• ETW:

19 Event Tracing for Windows (ETW)

ETW architecture:

Controllers

Events

Event tracing sessions Log files

Events Real-time delivery Events Pro P Providers Consumers

20 Event Tracing for Windows (ETW) Windows Kernel Trace provider:

21 Event Tracing for Windows (ETW)

Libraries for working with ETW: -C++ https://github.com/microsoft/krabsetw -C# https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/

22 Process doppelgänging. Detection with calltrace • Calltrace:

23 Process doppelgänging. Detection with calltrace • Calltrace:

24 Process doppelgänging. Detection with calltrace • Event enrichment:

25 Process doppelgänging. Detection with calltrace • Event enrichment:

26 Process doppelgänging. Detection with calltrace • Search:

• Tagged event:

27 Emotet spam emails

• Winword.exe with macro -> WmiPrvSe.exe -> powershell.exe

28 Emotet spam emails

• VBA macro starts process via WMI:

29 Emotet spam emails

• VBA macro starts process via WMI:

30 Emotet spam emails

• Winword calltrace:

31 Emotet spam emails

• Winword calltrace:

32 Emotet spam emails

• Event enrichment:

33 Emotet spam emails

• Event enrichment hunts:

34 Keylogger

• Random keylogger from Github:

35 Keylogger

• Keylogger’s work:

36 Keylogger

• Calltrace:

37 Keylogger

• Calltrace:

38 Keylogger

• Event enrichment (add “calltrace” field):

39 Keylogger

• Tagged event:

40 Metasploit Incognito module

• Attacker got shell on the victim:

41 Metasploit Incognito module

• How does it work? 1. Enumerate current access tokens of processes and their privileges in the system using: -OpenProcess; -OpenProcessToken; -OpenThreadToken; -GetTokenInformation; 2. Create a new access token that duplicates an existing token: -DuplicateTokenEx; 3. Impersonate the security context of a selected token: -ImpersonateLoggedOnUser(HANDLE hToken);

42 Metasploit Incognito module

• Use of Incognito “list_tokens” and “impersonate_token” commands – got “SYSTEM” token:

43 Metasploit Incognito module

• Calltrace:

44 Metasploit Incognito module

• Calltrace:

45 Metasploit Incognito module

• Tagged event:

46 Lateral movement via DCOM

• What is DCOM? • DCOM is a proprietary Microsoft technology that allows a computer to interact with COM objects on a remote computer • COM terms: -CLSID - Class Identifier. Unique identifier for a COM class; -ProgID - Programmatic Identifier. Optional “user friendly” identifier for a CLSID; -AppID - Application Identifier. Specifies the configuration (privileges) for COM objects associated with the same executable;

47 Lateral movement via DCOM

• Enumerate DCOM applications:

48 Lateral movement via DCOM. Excel

• Execution through “Microsoft Excel Application” DCOM object:

49 Lateral movement via DCOM. Excel

• Calltrace:

50 Lateral movement via DCOM. Excel

• Calltrace:

51 Lateral movement via DCOM. Excel

• Tagged event:

52 Lateral movement via DCOM. Shellbrowserwindow • Execution through “ShellBrowserWindow” DCOM object:

53 Lateral movement via DCOM. Shellbrowserwindow • Calltrace:

54 Lateral movement via DCOM. Shellbrowserwindow • Calltrace:

55 Lateral movement via DCOM. Shellbrowserwindow • Tagged event:

56 Summary

• We presented new approach for detecting malicious activity with calltraces; • We described methods for collection calltraces; • Several examples of detection with calltraces were shown

57 THANKS FOR ATTENTION

@author