Evasion Techniques
Alternate Data Streams - used by malware to hide its files from normal inspection by storing the payload in a named NTFS stream instead of the file's default unnamed $DATA stream, so directory listings and most tools never show it
Injections
Thread Hijacking
PE Injection
DLL Injection - forces a process to load a malicious DLL, or modifies a DLL the application already loads so that malicious code runs inside that process
Masquerading
Packing/Compression
Recompiling
Obfuscation
Anti-Reversing techniques
Sysmon Event ID 15 (FileCreateStreamHash) logs the creation of a named file stream and hashes its contents, which lets us quickly detect and hunt malware that uses ADS
Hunting Alternate Data Streams
The first technique to hunt is hiding files in alternate data streams, which Sysmon records as Event ID 15
Event ID 15 hashes and logs any named NTFS stream whose target matches the include rules in the Sysmon configuration file
This lets us hunt for malware that evades detection using ADS
# Snippet logs stream creations on files under Downloads and in 7-Zip extraction folders (Temp\7z), and on targets ending in .hta or .bat. It goes inside <EventFiltering> in the Sysmon config
<RuleGroup name="" groupRelation="or">
  <FileCreateStreamHash onmatch="include">
    <TargetFilename condition="contains">Downloads</TargetFilename>
    <TargetFilename condition="contains">Temp\7z</TargetFilename>
    <TargetFilename condition="ends with">.hta</TargetFilename>
    <TargetFilename condition="ends with">.bat</TargetFilename>
  </FileCreateStreamHash>
</RuleGroup>
Detecting Remote Threads
Adversaries use remote threads to evade detections in combination with other techniques
Remote threads are created with the Windows API CreateRemoteThread; an existing thread in another process can be opened with OpenThread and, after being suspended and modified, resumed with ResumeThread, which is the primitive behind thread hijacking
Used in multiple evasion techniques: DLL Injection, Thread Hijacking, and Process Hollowing
# Snippet uses onmatch="exclude": every CreateRemoteThread event (ID 8) is logged except those whose source is svchost.exe or whose target is chrome.exe (groupRelation="or"), so the rule stays broad while dropping known-benign noise. Be aware that excluding svchost.exe as a source also hides injection performed by malicious code running inside a svchost-hosted service
<RuleGroup name="" groupRelation="or">
  <CreateRemoteThread onmatch="exclude">
    <SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
    <TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>
  </CreateRemoteThread>
</RuleGroup>
Detecting Evasion Techniques with PowerShell
# Detecting Alternate Data Streams (Sysmon Event ID 15, FileCreateStreamHash)
Get-WinEvent -Path <Path to Log> -FilterXPath '*[System[EventID=15]]'
# Detecting Remote Thread Creation (Sysmon Event ID 8, CreateRemoteThread)
Get-WinEvent -Path <Path to Log> -FilterXPath '*[System[EventID=8]]'
# To query the live log on the host instead of a saved .evtx, replace -Path <Path to Log> with -LogName 'Microsoft-Windows-Sysmon/Operational'
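The queries above only pull the raw events; the triage that follows is where the hunt happens. The block below is an added example written for these notes, not code from the page or from Sysmon, and it is in Python rather than PowerShell so it runs anywhere an exported log lands. It assumes the records were exported in the XML shape Get-WinEvent's ToXml() produces (an Event element in the Microsoft event namespace with System/EventID and EventData/Data Name="..." children). All five sample records are constructed: the field names follow the Sysmon schema, but every path, process and stream name is made up. It reproduces the include rule for ID 15 and the exclude rule for ID 8 from the snippets above, separates Zone.Identifier noise from real ADS hiding, flags two classic injection tells on ID 8 (a thread starting at an address no module backs, or starting in LoadLibrary), and shows which suspicious thread the svchost.exe exclusion would have silenced at the sensor.

```python
"""Triage of Sysmon FileCreateStreamHash (ID 15) and CreateRemoteThread (ID 8) records
exported as XML, e.g. Get-WinEvent ... | ForEach-Object { $_.ToXml() }.
Added example for these notes, not code from the page or from Sysmon. Sample records are
constructed: field names follow the Sysmon schema, every path, process and stream is made up."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

BENIGN_STREAMS = {"zone.identifier"}  # mark-of-the-web stream written by browsers and Explorer

# Include conditions copied from the FileCreateStreamHash rule in the notes (Sysmon compares
# case-insensitively and ORs the rules). TargetFilename for ID 15 is "file:stream", so an
# "ends with .hta" condition fires for a stream *named* x.hta, not for x.hta:Zone.Identifier.
INCLUDE_CONTAINS = ("downloads", r"temp\7z")
INCLUDE_ENDS_WITH = (".hta", ".bat")

# Exclusions copied from the CreateRemoteThread rule in the notes (also OR-combined).
EXCLUDE_SOURCE = {r"c:\windows\system32\svchost.exe"}
EXCLUDE_TARGET = {r"c:\program files (x86)\google\chrome\application\chrome.exe"}


def _event(eid, **fields):
    """Build one <Event> in the shape Get-WinEvent's ToXml() emits (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


SAMPLE_XML = "<Events>" + "".join([
    _event(15, Image=r"C:\Program Files\Mozilla Firefox\firefox.exe",
           TargetFilename=r"C:\Users\bob\Downloads\report.pdf:Zone.Identifier"),
    _event(15, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           TargetFilename=r"C:\Users\bob\AppData\Local\Temp\7zOC3A4\readme.txt:loader.hta"),
    _event(8, SourceImage=r"C:\Users\bob\Downloads\invoice.exe", TargetImage=r"C:\Windows\explorer.exe",
           StartModule=r"C:\Windows\System32\KERNEL32.DLL", StartFunction="LoadLibraryW"),
    _event(8, SourceImage=r"C:\Windows\system32\svchost.exe",
           TargetImage=r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
           StartModule=r"C:\Windows\System32\ntdll.dll", StartFunction="RtlUserThreadStart"),
    _event(8, SourceImage=r"C:\Windows\system32\svchost.exe", TargetImage=r"C:\Windows\System32\lsass.exe",
           StartModule="", StartFunction=""),  # thread start not backed by any module
]) + "</Events>"


def parse_events(xml_text):
    """Yield (event_id, {Data Name: text}) for each <Event> in an exported record set."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data


def split_stream(target):
    """Split 'C:\\dir\\file:stream' into (file, stream); stream is None for a plain path."""
    drive, body = (target[:2], target[2:]) if len(target) > 1 and target[1] == ":" else ("", target)
    if ":" not in body:
        return target, None
    file_part, stream = body.split(":", 1)
    stream = stream[:-6] if stream.endswith(":$DATA") else stream
    return drive + file_part, stream


def ads_rule_matches(target):
    """Would the notes' include rule have produced an Event 15 for this stream creation?"""
    t = target.lower()
    return any(s in t for s in INCLUDE_CONTAINS) or any(t.endswith(s) for s in INCLUDE_ENDS_WITH)


def triage_ads(data):
    """Finding for an Event 15 record, or None: any named stream other than the mark-of-the-web."""
    path, stream = split_stream(data.get("TargetFilename", ""))
    if stream is None or stream.lower() in BENIGN_STREAMS:
        return None
    return f"{data.get('Image')} wrote stream '{stream}' on {path}"


def thread_rule_logs(data):
    """Emulate onmatch="exclude": the event is dropped when ANY exclude condition matches."""
    return not (data.get("SourceImage", "").lower() in EXCLUDE_SOURCE
                or data.get("TargetImage", "").lower() in EXCLUDE_TARGET)


def triage_remote_thread(data):
    """Finding for an Event 8 record, or None. Tells: new thread starts at an address no
    module backs (injected shellcode) or starts in LoadLibrary (DLL injection)."""
    reasons = []
    if not data.get("StartModule"):
        reasons.append("start address not backed by any module")
    if data.get("StartFunction", "").startswith("LoadLibrary"):
        reasons.append("thread starts in LoadLibrary")
    if not reasons:
        return None
    return f"{data.get('SourceImage')} -> {data.get('TargetImage')}: " + "; ".join(reasons)


def hunt(xml_text):
    """Return (ads_findings, thread_findings) for the events the notes' rules would log."""
    ads, threads = [], []
    for eid, data in parse_events(xml_text):
        if eid == 15 and ads_rule_matches(data.get("TargetFilename", "")):
            finding = triage_ads(data)
            if finding:
                ads.append(finding)
        elif eid == 8 and thread_rule_logs(data):
            finding = triage_remote_thread(data)
            if finding:
                threads.append(finding)
    return ads, threads


def blind_spots(xml_text):
    """Suspicious Event 8 records the svchost/chrome exclusions would silence at the sensor."""
    return [triage_remote_thread(d) for eid, d in parse_events(xml_text)
            if eid == 8 and not thread_rule_logs(d) and triage_remote_thread(d)]


if __name__ == "__main__":
    ads, threads = hunt(SAMPLE_XML)
    print("ADS:", *ads, sep="\n  ")
    print("Remote threads:", *threads, sep="\n  ")
    print("Hidden by the exclude rule:", *blind_spots(SAMPLE_XML), sep="\n  ")
```

On the constructed data the hunt reports one real ADS (the loader.hta stream powershell.exe wrote under Temp\7z; the Firefox Zone.Identifier stream is filtered as mark-of-the-web) and one remote thread (invoice.exe starting a LoadLibraryW thread in explorer.exe), while blind_spots shows the svchost.exe to lsass.exe thread with no backing module that the exclude rule in the notes would never have logged. Point the parse at a real export by swapping SAMPLE_XML for the file contents.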