HIP19: In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass - E. Carroll
Author: Hack in Paris
Uploaded: 2019-07-09
Views: 398
Description:
In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass by Eoin Carroll
https://hackinparis.com/talks/#talk-2...
Abstract
The Mitre Att&ck framework defense evasion techniques such as Process Hollowing and Process Doppelganging exploit legitimate features of the Windows OS to impersonate process executable binaries. These techniques have been weaponized in recent ransomware attacks such as SynAck. McAfee ATR have discovered a new defense evasion technique we have named Process Reimaging.
This technique is equivalent in capability and impact to Process Hollowing or Process Doppelganging within the Mitre Attack Defense Evasion Category, only much easier to execute. The Windows Operating System has inconsistencies in how it determines executing process image binaries, which impacts the ability of Endpoint Security Solutions (such as Microsoft Defender) to detect the correct binaries loaded in malicious processes.
We have developed a proof of concept which exploits this inconsistency by hiding the physical location of a process EXE to bypass Windows Defender.
The PoC allowed us to persist a malicious process (post exploitation) which does not get detected by Windows Defender.
The Process Reimaging technique cannot be detected by Windows Defender until it has a signature for the malicious file and blocks it on disk before process creation.
Talk Description
This presentation will include reversing of the vulnerable Windows Kernel APIs which enable Process Reimaging. We will weaponize Process Reimaging to bypass Windows Defender detection and demonstrate the same impact as Process Hollowing or Process Doppelganging.
The talk will conclude with recommendations on how Endpoint Products can be protected against Process Reimaging.
Presentation Outline
1. Mitre Att&ck Defense Evasion Process attacks recap
2. Windows Kernel APIs
3. Process Reimaging Attack Vectors and Prerequisites
4. Windows Kernel API inconsistencies
5. Weaponization
6. Windows Defender Bypass Demo
7. Recommendations to Microsoft
8. Understanding if you are impacted
Attendees' Key Takeaways
1. Understand inconsistencies and limitations of Windows Kernel APIs to locate process image binaries
2. Risk if using vulnerable Windows Kernel APIs to locate process image binaries
3. Mitigation guidelines to correctly identify process image binaries