Sunday, June 19, 2022

Sleeping-Beacons – Aims To Identify Sleeping Beacons





The idea of this project is to identify beacons that are unpacked at runtime or running in the context of another process.

To do so, I use the observation that beacons tend to call Sleep between their callbacks. A call to Sleep sets the state of the thread to DelayExecution, which is taken as a first indicator that a thread might be executing a beacon.

After enumerating all threads whose state is DelayExecution, several metrics are applied to identify potential beacons.

Metrics

  1. If the beacon does not use file-backed memory, the call stack to NtDelayExecution contains memory regions that cannot be associated with a file on disk.
  2. If the beacon uses module stomping, one of the modules in the call stack to NtDelayExecution is modified.

Projects such as ThreadStackSpoofer hook Sleep to spoof the call stack or to use another method to wait between callbacks. Thus, I added two more metrics:

  3. Inline hooks of Sleep can be fingerprinted by enumerating memory regions marked as private (not shared) that store the .text section of Kernel32. This also applies if the hook is removed temporarily.
  4. Since a beacon spends more time waiting for commands than actually executing code, it can be fingerprinted by comparing the fields KernelTime and UserTime of SYSTEM_THREAD_INFORMATION. Initially I thought that the time spent sleeping would count as time spent in kernel mode, but it turned out the other way around. I'm not sure why :'P Moreover, both fields increase only after the operator executed some commands with the beacon. Also here, I'm not sure why :'P

To reduce false positives, I decided to consider only processes with wininet.dll or winhttp.dll loaded. Moreover, I had to ignore jitted processes (.NET) and modifications to ntdll.dll, which also seem to happen legitimately. Metrics 3 and 4 are still applied though.
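As an added illustration of the filtering and scoring described above (this is example code written for this page, not part of the Sleeping-Beacons project), the following PowerShell script applies the DelayExecution filter, the wininet.dll/winhttp.dll prefilter and metric 4 using only the thread data that Get-Process exposes: ProcessThread.WaitReason is the documented view of the DelayExecution wait state (reported as ExecutionDelay), and UserProcessorTime/PrivilegedProcessorTime are the UserTime/KernelTime counters of SYSTEM_THREAD_INFORMATION. The 90% threshold and the Resolve-FrameModule helper (which reproduces the "Unknown or modified module" decision of metric 1 for return addresses you already have, e.g. from a debugger; it does not capture call stacks itself) are assumptions of this example.

```powershell
# Example detection script (not the project's own code). Run elevated so that
# other users' processes and their module lists are readable.
$UserModeThreshold = 0.9   # assumed example value; tune against your own baseline

# Metric 1 helper (assumption: caller supplies the return addresses).
# Returns the file-backed module that covers $Address, or the same
# "Unknown or modified module" verdict the tool prints when none does.
function Resolve-FrameModule {
    param([System.Diagnostics.Process]$Process, [uint64]$Address)
    foreach ($m in $Process.Modules) {
        $base = [uint64]$m.BaseAddress.ToInt64()
        $end  = $base + [uint64]$m.ModuleMemorySize
        if ($Address -ge $base -and $Address -lt $end) { return $m.FileName }
    }
    return 'Unknown or modified module'
}

foreach ($proc in Get-Process) {
    # Prefilter from the post: only processes that loaded wininet.dll or winhttp.dll.
    # Module enumeration throws for protected processes or bitness mismatches; skip those.
    try { $mods = @($proc.Modules | ForEach-Object { $_.ModuleName }) } catch { continue }
    if (-not ($mods | Where-Object { $_ -match '^(wininet|winhttp)\.dll$' })) { continue }

    foreach ($t in $proc.Threads) {
        try {
            # WaitReason is only valid while ThreadState is Wait; the -or short-circuits,
            # and the try/catch covers a thread that changes state between the two reads.
            if ($t.ThreadState -ne 'Wait' -or $t.WaitReason -ne 'ExecutionDelay') { continue }

            $user   = $t.UserProcessorTime.TotalMilliseconds
            $kernel = $t.PrivilegedProcessorTime.TotalMilliseconds
            $total  = $user + $kernel
            # Metric 4 needs some CPU time to compare; the post notes both counters stay
            # at zero until the operator has run commands through the beacon.
            if ($total -eq 0) { continue }

            $ratio = $user / $total
            if ($ratio -ge $UserModeThreshold) {
                '[!] Suspicious Process: {0} ({1}). Thread {2} has state DelayExecution and spends {3:P0} of the time in usermode' -f `
                    $proc.ProcessName, $proc.Id, $t.Id, $ratio
            }
        } catch { continue }
    }
}
```

Everything here comes from the public ProcessThread and ProcessModule objects, so it cannot see call stacks or compare mapped module bytes against their files on disk; metrics 2 and 3 (stomped modules and private copies of Kernel32's .text section) need VirtualQueryEx/QueryWorkingSetEx-level access as in the original tool, and this script is only a reference for the thread-state and CPU-time part of the logic.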

Examples

Sample non-file-backed beacon:

[!] Suspicious Process: PhantomDllHollower.exe

[*] Thread (9192) has State: DelayExecution and abnormal calltrace:

NtDelayExecution -> C:\WINDOWS\SYSTEM32\ntdll.dll
SleepEx -> C:\WINDOWS\System32\KERNELBASE.dll
0x00007FF8C13A103F -> Unknown or modified module
0x000001E3C3F48FD0 -> Unknown or modified module
0x00007FF700000000 -> Unknown or modified module
0x00007FF7C00000BB -> Unknown or modified module

[*] Suspicious Sleep() found
[*] Sleep Time: 600s

Sample beacon using module stomping:

[!] Suspicious Process: beacon.exe (5296)

[*] Thread (2968) has State: DelayExecution and uses possibly stomped module
[*] Possibly stomped module: C:\Windows\SYSTEM32\xpsservices.dll

NtDelayExecution -> C:\Windows\SYSTEM32\ntdll.dll
SleepEx -> C:\Windows\System32\KERNELBASE.dll
DllGetClassObject -> C:\Windows\SYSTEM32\xpsservices.dll

[*] Suspicious Sleep() found
[*] Sleep Time: 5s

Sample beacon inline hooking Sleep:

[!] Suspicious Process: ThreadStackSpoofer.exe (4876). Possibly hooked Sleep / Modifies Kernel32.dll

Identification of generic beaconing behaviour by comparing KernelTime and UserTime:

[!] Suspicious Process: ThreadStackSpoofer.exe (4876). Thread 1132 has state DelayExecution and spends 94% of the time in usermode

Misc

There are of course many ways to bypass this project. 🙂

Credits

  • forrestorr for documenting the detection of modified DLLs based on shared/private memory regions (link)
  • waldoirc for general help 🙂
