Defeating EDR Evading Malware with Memory Forensics

Presented at DEF CON 32 (2024), Aug. 9, 2024, 1 p.m. (45 minutes).

Endpoint detection and response (EDR) software has gained significant market share because it can examine system state for signs of malware and attacker activity well beyond what traditional anti-virus software can detect. This deep inspection capability has led to an arms race with malware developers who want to evade EDRs while still achieving their goals, such as code injection, lateral movement, and credential theft. This monitoring and evasion occurs at the lowest levels of hardware and software, including call stack frames, exception handlers, system calls, and manipulation of native instructions. Given this reality, EDRs are limited in how much lower they can operate to maintain an advantage. The success of EDR bypasses has led to their use in many high-profile attacks and by prolific ransomware groups. In this talk, we discuss our research effort that led to the development of new memory forensics techniques for detecting the bypasses that malware uses to evade EDRs, including direct and indirect system calls, module overwriting, malicious exception handlers, and abuse of debug registers. Our developed capabilities were created as new plugins for version 3 of the Volatility memory analysis framework and will be released after the talk.

References:

1. "Operation Dragon Castling: APT group targeting betting companies," [link](https://cymulate.com/threats/operation-dragon-castling-apt-group-targeting-betting-companies/), 2023.
2. "Defeating Guloader Anti-Analysis Technique," [link](https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/), 2023.
3. "A Deep Dive Into ALPHV/BlackCat Ransomware," [link](https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware/), 2024.
4. "APT Operation Skeleton Key," [link](https://cycraft.com/download/CyCraft-Whitepaper-Chimera%20V4.1.pdf), 2023.
5. "LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility," [link](https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/), 2024.
6. "BlueBravo Uses Ambassador Lure to Deploy," [link](https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf), 2024.
7. "Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR in the Evolving Cyber Threat Landscape," [link](https://blackhatmea.com/session/unmasking-dark-art-vectored-exception-handling-bypassing-xdr-and-edr-evolving-cyber-threat), 2023.
8. "Dirty Vanity: A New Approach to Code Injection & EDR Bypass," [link](https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf), 2022.
9. Volexity, "Surge Collect Pro," [link](https://www.volexity.com/products-overview/surge/), 2022.
10. "Capstone," [link](https://www.capstone-engine.org/), 2024.
11. "Silencing Cylance: A Case Study in Modern EDRs," [link](https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/), 2019.
12. "AV/EDR Evasion — Malware Development P — 3," [link](https://medium.com/@0xHossam/unhooking-memory-object-hiding-3229b75618f7), 2023.
13. "A Practical Guide to Bypassing Userland API Hooking," [link](https://www.advania.co.uk/insights/blog/a-practical-guide-to-bypassing-userland-api-hooking/), 2022.
14. A. Case, A. Ali-Gombe, M. Sun, R. Maggio, M. Firoz-Ul-Amin, M. Jalalzai, and G. G. Richard III, "HookTracer: A System for Automated and Accessible API Hooks Analysis," Proceedings of the 18th Annual Digital Forensics Research Conference (DFRWS), 2019.
15. F. Block, "Windows memory forensics: Identification of (malicious) modifications in memory-mapped image files," Forensic Science International: Digital Investigation, 2023. [link](https://www.sciencedirect.com/science/article/pii/S2666281723000707)
16. F. Block and A. Dewald, "Windows memory forensics: Detecting (un)intentionally hidden injected code by examining page table entries," Digital Investigation, vol. 29, pp. S3–S12, July 2019.
17. CCob, "SylantStrike," [link](https://github.com/CCob/SylantStrike/tree/master), 2024.
18. "Let's Create An EDR... And Bypass It! Part 1," [link](https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/), 2020.
19. "r77 rootkit," [link](https://github.com/bytecode77/r77-rootkit/), 2024.
20. "Dirty-Vanity," [link](https://github.com/deepinstinct/Dirty-Vanity), 2022.
21. "Peruns-Fart," [link](https://github.com/plackyhacker/Peruns-Fart/), 2023.
22. "Freeze – A Payload Toolkit for Bypassing EDRs Using Suspended Processes," [link](https://www.hawk-eye.io/2023/06/freeze-a-payload-toolkit-for-bypassing-edrs-using-suspended-processes/), 2023.
23. "Process Cloning," [link](https://github.com/huntandhackett/process-cloning), 2023.
24. "APT Group Chimera," [link](https://cycraft.com/download/CyCraft-Whitepaper-Chimera%20V4.1.pdf), 2022.
25. "Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR," [link](https://www.outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/), 2019.
26. "Hell's Gate," [link](https://github.com/am0nsec/HellsGate/blob/master/hells-gate.pdf), 2020.
27. "Halo's Gate," [link](https://blog.sektor7.net/#!res/2021/halosgate.md), 2021.
28. "Tartarus Gate," [link](https://trickster0.github.io/posts/Halo's-Gate-Evolves-to-Tartarus-Gate/), 2021.
29. "Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams," [link](https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/), 2020.
30. "SysWhispers2," [link](https://github.com/jthuraisamy/SysWhispers2), 2022.
31. "An Introduction into Stack Spoofing," [link](https://dtsec.us/2023-09-15-StackSpoofin/), 2023.
32. "SilentMoonwalk: Implementing a dynamic Call Stack Spoofer," [link](https://klezvirus.github.io/RedTeaming/AV%20Evasion/StackSpoofing/), 2022.
33. "Spoofing Call Stacks To Confuse EDRs," [link](https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs), 2022.
34. "Behind the Mask: Spoofing Call Stacks Dynamically with Timers," [link](https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers), 2022.
35. "HellHall," [link](https://github.com/Maldev-Academy/HellHall), 2023.
36. Phrack Magazine, issue 65, article 8, [link](http://phrack.org/issues/65/8.html#article), 2008.
37. "Defeating Guloader Anti-Analysis Technique," [link](https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/), 2022.
38. "GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader," [link](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader/), 2023.
39. "Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload," [link](https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html), 2021.
40. "Syscalls via Vectored Exception Handling," [link](https://redops.at/en/blog/syscalls-via-vectored-exception-handling), 2024.
41. "Bypassing AV/EDR Hooks via Vectored Syscall - POC," [link](https://cyberwarfare.live/bypassing-av-edr-hooks-via-vectored-syscall-poc/), 2022.
42. "MutationGate," [link](https://github.com/senzee1984/MutationGate/tree/main), 2024.
43. Cymulate Research, "BlindSide," [link](https://github.com/CymulateResearch/Blindside/blob/main/Blindside/Blindside.cpp#L31), 2023.
44. "In-Process Patchless AMSI Bypass," [link](https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/), 2022.
45. "PatchlessCLR," [link](https://github.com/VoldeSec/PatchlessCLRLoader/tree/main), 2022.
46. "Dumping the VEH in Windows 10," [link](https://dimitrifourny.github.io/2020/06/11/dumping-veh-win10.html), 2020.
47. "Detecting anomalous Vectored Exception Handlers on Windows," [link](https://research.nccgroup.com/2022/03/01/detecting-anomalous-vectored-exception-handlers-on-windows/), 2022.
48. "SetUnhandledExceptionFilter," [link](https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-setunhandledexceptionfilter), 2024.
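The abstract's point about direct and indirect system calls is that malware issues the syscall from its own memory instead of calling through the hooked stubs in ntdll.dll, so in a memory image the tell-tale is a syscall stub that lives outside the ntdll image. The Python below is an added example written for this page, not code from the talk or from the Volatility 3 plugins it announces. It scans constructed executable regions for the x64 syscall prologue (`mov r10, rcx; mov eax, SSN`) followed immediately by a `syscall` instruction (direct) or by a register or RIP-relative `jmp` (indirect, jumping to a `syscall` inside ntdll), and flags any hit whose address falls outside the ntdll range. The ntdll base and size, the region layout, the SSN values and the exact byte signatures are illustration assumptions; the one real-world detail relied on is that current Windows 10/11 ntdll stubs place a `test byte ptr [7ffe0308],1 / jne` between `mov eax` and `syscall`, so the tight signature does not fire on the genuine stub.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Simplified x64 syscall-stub signature (an assumption for this example, not the
# talk's exact heuristic):
#   4c 8b d1            mov r10, rcx
#   b8 imm32            mov eax, <SSN>
# immediately followed by one of
#   0f 05               syscall            -> "direct"   (SysWhispers / Hell's Gate style)
#   41 ff e0..e7        jmp r8..r15        -> "indirect" (jump to a syscall inside ntdll)
#   ff e0..e7           jmp rax..rdi       -> "indirect"
#   ff 25 disp32        jmp [rip+disp32]   -> "indirect"
STUB_RE = re.compile(
    rb"\x4c\x8b\xd1\xb8(?P<ssn>.{4})"
    rb"(?P<tail>\x0f\x05|\x41\xff[\xe0-\xe7]|\xff[\xe0-\xe7]|\xff\x25.{4})",
    re.DOTALL,
)


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    data: bytes
    executable: bool


@dataclass(frozen=True)
class Finding:
    region: str
    address: int
    ssn: int
    kind: str  # "direct" or "indirect"


def find_syscall_stubs(regions: List[Region], ntdll_range: Tuple[int, int]) -> List[Finding]:
    """Return every syscall stub found in executable memory outside the ntdll image."""
    lo, hi = ntdll_range
    findings: List[Finding] = []
    for region in regions:
        if not region.executable:
            continue  # only code that can actually run is reported here
        for m in STUB_RE.finditer(region.data):
            addr = region.base + m.start()
            if lo <= addr < hi:
                continue  # a stub inside ntdll itself is expected
            ssn = int.from_bytes(m.group("ssn"), "little")
            kind = "direct" if m.group("tail") == b"\x0f\x05" else "indirect"
            findings.append(Finding(region.name, addr, ssn, kind))
    return findings


# ---- constructed sample memory layout (not captured from a real system) ----
NTDLL_BASE = 0x7FF8_0000_0000  # assumed load address
NTDLL_SIZE = 0x1F0000          # assumed image size


def ntdll_stub(ssn: int) -> bytes:
    # Shape of a genuine Win10/11 x64 Nt* stub: the 'test [7ffe0308],1 / jne' sits
    # between 'mov eax' and 'syscall', which is why STUB_RE does not match it.
    return (b"\x4c\x8b\xd1" + b"\xb8" + ssn.to_bytes(4, "little")
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01" + b"\x75\x03"
            + b"\x0f\x05" + b"\xc3" + b"\xcd\x2e" + b"\xc3")


def direct_stub(ssn: int) -> bytes:
    return b"\x4c\x8b\xd1\xb8" + ssn.to_bytes(4, "little") + b"\x0f\x05\xc3"


def indirect_stub(ssn: int) -> bytes:
    return b"\x4c\x8b\xd1\xb8" + ssn.to_bytes(4, "little") + b"\x41\xff\xe3"  # jmp r11


# SSNs 0x18 and 0x3A are illustrative values, not tied to a specific build.
SAMPLE_REGIONS = [
    Region("ntdll.dll .text", NTDLL_BASE + 0x1000, ntdll_stub(0x18) + ntdll_stub(0x3A), True),
    Region("private RWX (injected)", 0x1D0000,
           b"\x90" * 16 + direct_stub(0x18) + b"\xcc" * 8 + indirect_stub(0x3A), True),
    Region("heap RW", 0x2A0000, b"\x00" * 64, False),
]


def report(regions: List[Region] = SAMPLE_REGIONS) -> List[str]:
    rng = (NTDLL_BASE, NTDLL_BASE + NTDLL_SIZE)
    return [f"{f.kind:8s} syscall stub at {f.address:#x} (SSN {f.ssn:#x}) in {f.region}"
            for f in find_syscall_stubs(regions, rng)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

In a real image the ntdll range comes from the process VAD tree or PEB loader list rather than a constant, and the signature needs widening for stubs that compute the SSN at runtime (Halo's/Tartarus Gate style) or split the prologue across pages; the plugins announced in the talk presumably handle cases this byte-pattern sketch misses.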

Presenters:

  • Austin Sellers - Detection Engineer at Volexity
    Austin Sellers is a Detection Engineer at Volexity where he focuses on automating large scale memory analysis and threat detection techniques. He has significant experience in developing memory analysis datasets that allow for automated verification and testing of kernel and userland memory forensics techniques.
  • Andrew Case - Director of Research at Volexity
    Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling and malware analysis. He has conducted numerous large-scale investigations that span enterprises and industries. Case is a core developer of the Volatility memory analysis framework, and a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory."
  • Gustavo Moreira - Senior Security Engineer at Volexity
    Gustavo Moreira is a Senior Security Engineer at Volexity. He has significant experience in reverse engineering, incident response handling, embedded systems development and security, Windows and Linux internals, and automation of large scale malware analysis.
  • David McDonald - Volcano team at Volexity
    David McDonald is a researcher and software engineer with 3 years of digital forensics R&D experience. His passion for this field began with his involvement in the University of New Orleans CTF team, as well as through his time as a Systems Programming teaching assistant. After over two years of digital forensics research and development on Cellebrite's computer forensics team, he joined Volexity's Volcano team, where he now works to develop next-generation memory analysis solutions.
  • Golden Richard - Professor of Computer Science and Engineering and Associate Director for Cybersecurity at Center for Computation and Technology (CCT) at LSU
    Golden G. Richard III is a cybersecurity researcher and teacher and a Fellow of the American Academy of Forensic Sciences. He has over 40 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He is currently Professor of Computer Science and Engineering and Associate Director for Cybersecurity at the Center for Computation and Technology (CCT) at LSU. He also supports NSA's CAE-CO internship program, teaching memory forensics, vulnerability analysis, and other topics to cleared interns. His primary research interests are memory forensics, digital forensics, malware analysis, reverse engineering, and operating systems. Dr. Richard earned his BS in Computer Science from the University of New Orleans and MS and PhD in Computer Science from The Ohio State University.