![]() In this blog post I’m going to highlight how services can be installed through native API calls to evade detection and then focus on detection mechanisms through memory forensics. ![]() calls this building an ‘artifact constellation’ and I think this is a fantastic phrase that perfectly describes this situation. As such, it’s always prudent for a responder/hunter/detection engineer to correlate various streams of evidence per artefact versus relying on a single source of evidence. This technique is not new (as it was used by Stuxnet), however, a lot of analysts in the industry see the event logs as a single source of truth without realising that sometimes it’s not always the case. ![]() I will not be covering what native API calls are – for more information please take a read of one of my previous tweets. It also happens to be one of my favourite malware samples <3. Using native APIs to install services instead of the standard API calls allow threat actors to bypass security controls and event logging. This technique was utilised in the infamous Stuxnet malware sample created by the alleged US and Israeli government to target the Iranian nuclear program. This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.Threat actors can leverage native Windows API calls to install malicious services without generating correlating entries in the event log. Necessarily indicate when this vulnerability wasĭiscovered, shared with the affected vendor, publicly NtWriteFile Process NtCreateProcessEx, NtTerminateProcess Driver NtLoadDriver, NtUnloadDriver Code injection NtCreateThread, NtWriteVirtualMemory Fig. The CVE ID was allocated or reserved, and does not BUGTRAQ:20070918 Plague in (security) software drivers & BSDOhook utilityĭisclaimer: The record creation date may reflect when.Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. ![]() 7828 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteFile, (3) NtLoadDriver, (4) NtOpenProcess, (5) NtOpenSection, (6) NtOpenThread, and (7) NtUnloadDriver kernel SSDT hooks, a partial regression of CVE-2006-7160. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |