Dominic Chell 👻
Sep 26, 10 tweets, 3 min read
Spent some time refreshing my memory on ETW TI tonight. As a red teamer it's really important to get a good understanding of what the defenders/EDRs can see. Using the excellent Havoc as an example, let's have a peek...
Firstly, to capture the ETW TI telemetry, I used Sealighter, a neat little project that logs the THREATINT tasks to the system event log: github.com/pathtofile/Sea…
Peeking into the Sealighter log, we can see we're now receiving ETW TI telemetry, like the example below, which is Edge calling the MapView APIs to allocate.
In keeping with the current detection trends, this is probably legit, as ETW TI gives us deep visibility into the call stack, which traces back to backed memory.
Having a look at our injected Havoc demon, there are various events, including the VirtualProtect calls originating from thread 1080.
Probing deeper, we can see the page permissions are being flipped from PAGE_EXECUTE_READ to PAGE_READWRITE (sleep obfuscation?) based on the LastProtectionMask and ProtectionMask values.
Peering into the call stack for this VirtualProtect call, we spot it originates back to unbacked memory, through ntdll to kernel space (indirect syscall or Nt API?), noting the absence of the kernel32 frame.
Popping our demon on to sleep 0, we can confirm our assumptions about the suspicious unbacked TID 1080.
TLDR: ETW TI gives really deep visibility into what's going on - most of the time 😉. Consuming this telemetry lets you build rules to match on sequences of events in a time window, e.g. call stack analysis for an unbacked VirtualProtect repeatedly flipping RX/RW pages could be an indicator for sleep obfuscation, as an example. Some great reading on the direction of travel here
And final thought... applying some good targeted rules on this kind of logic, you can probably detect ALMOST every c2 on the planet 😜
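As an added example (not part of the thread above, and not Havoc or Sealighter code), here is a sketch in Python of the time-window rule the TLDR describes: consume PROTECTVM events, keep only those whose call stack leaves ntdll into unbacked memory, and alert when one thread toggles a region between executable and non-executable protections several times inside a sliding window. The ProtectionMask and LastProtectionMask fields are the ones shown in the thread; the event layout, the task-name string, the CallingProcessId/CallingThreadId field names and the pre-symbolised call stack are assumptions, and the sample events, PIDs, TIDs and addresses are constructed. Real Sealighter output carries raw stack addresses that you resolve against the process's module list yourself.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Page protection constants from winnt.h.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
EXECUTABLE_MASKS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
PROTECTION_BITS = 0xFF                        # strip modifiers such as PAGE_GUARD (0x100)

WINDOW_SECONDS = 120.0  # look-back window per calling thread
MIN_FLIPS = 4           # two full RX->RW->RX cycles inside the window
NTDLL = "ntdll.dll"
KERNEL32_FRAMES = {"kernel32.dll", "kernelbase.dll"}


def is_executable(mask):
    return (mask & PROTECTION_BITS) in EXECUTABLE_MASKS


def is_exec_flip(props):
    """True when the call toggles the executable bit in either direction."""
    return is_executable(props["LastProtectionMask"]) != is_executable(props["ProtectionMask"])


def stack_origin(stack):
    """Walk outwards from the syscall frame, skip ntdll, and report whether the first
    real caller is unbacked (module None) and whether a kernel32/kernelbase frame is
    present at all (it is absent for direct/indirect syscalls and raw Nt* calls)."""
    caller = next((f for f in stack if f.get("module") != NTDLL), None)
    return {
        "unbacked": caller is not None and caller.get("module") is None,
        "via_kernel32": any(f.get("module") in KERNEL32_FRAMES for f in stack),
    }


class SleepObfuscationDetector:
    """Per (pid, tid) sliding window of unbacked exec/non-exec protection flips."""

    def __init__(self, window=WINDOW_SECONDS, min_flips=MIN_FLIPS):
        self.window, self.min_flips = window, min_flips
        self.flips = defaultdict(deque)  # (pid, tid) -> timestamps of suspicious flips
        self.alerted = set()

    def feed(self, event):
        """Consume one event dict; return an alert the first time a thread trips the rule."""
        if "PROTECTVM" not in event.get("task_name", ""):  # assumed task-name substring
            return None
        props = event["properties"]
        if not is_exec_flip(props):
            return None
        origin = stack_origin(event.get("stack_trace", []))
        if not origin["unbacked"]:
            return None
        key = (props["CallingProcessId"], props["CallingThreadId"])  # assumed field names
        ts = datetime.fromisoformat(event["timestamp"]).timestamp()
        q = self.flips[key]
        q.append(ts)
        while ts - q[0] > self.window:  # evict flips older than the window
            q.popleft()
        if len(q) >= self.min_flips and key not in self.alerted:
            self.alerted.add(key)
            return {"pid": key[0], "tid": key[1], "flips_in_window": len(q),
                    "via_kernel32": origin["via_kernel32"], "last_seen": event["timestamp"]}
        return None


def run_detection(json_lines):
    det, alerts = SleepObfuscationDetector(), []
    for line in json_lines:
        alert = det.feed(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# ---- constructed sample input: hypothetical PIDs, TIDs, addresses and task names ----
PROTECTVM = "KERNEL_THREATINT_TASK_PROTECTVM"
UNBACKED_STACK = [{"address": "0x7ffd1a2b3c4d", "module": NTDLL},
                  {"address": "0x1d2e3f40a10", "module": None},
                  {"address": "0x1d2e3f41234", "module": None}]
BACKED_STACK = [{"address": "0x7ffd1a2b3c4d", "module": NTDLL},
                {"address": "0x7ffd0aa11223", "module": "kernelbase.dll"},
                {"address": "0x7ffcf0123456", "module": "clr.dll"}]


def _event(ts, task, pid, tid, old, new, stack):
    return json.dumps({"timestamp": ts.isoformat(), "task_name": task,
                       "properties": {"CallingProcessId": pid, "CallingThreadId": tid,
                                      "TargetProcessId": pid,
                                      "LastProtectionMask": old, "ProtectionMask": new},
                       "stack_trace": stack})


T0 = datetime(2023, 9, 26, 21, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Browser mapping a section: a different task, ignored by this rule.
    _event(T0, "KERNEL_THREATINT_TASK_MAPVIEW", 2210, 5540, 0, PAGE_EXECUTE_READ, BACKED_STACK),
    # Managed runtime making a JIT page executable once, from backed code: benign.
    _event(T0 + timedelta(seconds=1), PROTECTVM, 3300, 4100, PAGE_READWRITE, PAGE_EXECUTE_READ, BACKED_STACK),
]
for cycle in range(3):  # injected demon on a 5-second sleep: RX->RW on sleep, RW->RX on wake
    t = T0 + timedelta(seconds=2 + 10 * cycle)
    SAMPLE_EVENTS.append(_event(t, PROTECTVM, 4812, 1080, PAGE_EXECUTE_READ, PAGE_READWRITE, UNBACKED_STACK))
    SAMPLE_EVENTS.append(_event(t + timedelta(seconds=5), PROTECTVM, 4812, 1080, PAGE_READWRITE, PAGE_EXECUTE_READ, UNBACKED_STACK))

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Two details matter in practice: mask the protection values with 0xFF before classifying them, because ETW reports modifiers such as PAGE_GUARD in the same field and a guard-page toggle is not an RX/RW flip; and key the window on the calling thread rather than the process, since the thread's point is that a single unbacked TID does the flipping while the rest of the process looks normal. The via_kernel32 flag is carried into the alert rather than used as a gate, so a demon that routes through a real VirtualProtect still trips the rule and the missing frame just raises the score.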

More from @domchell

Mar 15
As auth coercion is blowing up due to #cve-2023-23397, I've put together a quick thread about how we at @MDSecLabs have been leveraging these techniques in our red team engagements for quite some time. It's timely, but I presented much of this at @FiestaCon_RT last week 🧵
Traditionally if you wanted to abuse SMB auth coercion during a red team & over a c2, you were somewhat limited. It was however achievable using a mix of portbender, rportfwd and socks though. The main limitations were admin rights, dropping a driver and opsec of increased c2
Just over two years ago, we evolved the tradecraft around this by documenting an alternate approach using WebDAV and a number of file primitives to coerce auth mdsec.co.uk/2021/02/farmin…
Mar 14
Here's some further details on how to exploit CVE-2023-23397 in Outlook; it's a pretty interesting one and incredibly easy to exploit...
Just confirmed that this works nicely over WebDAV - Microsoft's mitigation of blocking outbound 445 is insufficient, you can exploit this on any port as long as WebClient is running
Here's a video demo of exploiting this one over a c2, and relaying to LDAP to add a shadow credential using @MDSecLabs' farmer tool: vimeo.com/808160973
Mar 22, 2022
Good red teams will blend in with the noise. ETW is a sweet resource for finding out what noise looks like. Here I'm using @FuzzySec's SilkETW to hunt for surrogate processes for hosting my AD post-ex... I see you taskhostw.exe & winword.exe
Wanna know which processes make HTTPS connections for your egress beacons? Microsoft-Windows-WinHttp got your back...
Microsoft-Windows-WebIO also kicks ass because you get the web request/host... super useful for building realistic malleable profiles for hiding in those surrogates...
Dec 22, 2021
I didn’t particularly want to name and shame the infosec person who stole $2k from me so tried to give him one last opp to return the money, instead he took to insulting and threatening me. However, I’m concerned about other ppl being scammed...
...as such it’s only right that anyone who is considering taking @ninjaparanoid’s training know what they might have to deal with. It would be unfair to make such an accusation without proof, so I’ve provided evidence below.
I’m always looking to learn new things to sharpen my RT skills and try and do as much mal dev training as I can, having taken the NetSPI and Sek7 courses one of the few remaining was @ninjaparanoid’s MOS; the syllabus looked good so I signed up and paid for this in August
