• This repository has been archived on 24/Sep/2022
  • Stars
    star
    397
  • Rank 108,561 (Top 3 %)
  • Language
    C++
  • License
    MIT License
  • Created over 8 years ago
  • Updated over 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A YARA-integrated process denial framework for Windows

ProcFilter

Gitter

ProcFilter is a process filtering system for Windows with built-in YARA integration. YARA rules can be instrumented with custom meta tags that tailor its response to rule matches. It runs as a Windows service and is integrated with Microsoft's ETW API, making results viewable in the Windows Event Log. Installation, activation, and removal can be done dynamically and does not require a reboot.

ProcFilter's intended use is for malware analysts to be able to create YARA signatures that protect their Windows environments against a specific threat. It does not include a large signature set. Think lightweight, precise, and targeted rather than broad or all-encompassing. ProcFilter is also intended for use in controlled analysis environments where custom plugins can perform artifact-specific actions.

Designed to be easy to adopt, ProcFilter's integration with Git and Event Log minimize the need for additional tools or infrastructure to deploy rules or gather results.

ProcFilter is compatible with Windows 7+ and Windows Server 2008+ systems.

Installers

Note: Unpatched Windows 7 systems require hotfix 3033929 to load the driver component. More information can be found here.

Features

  • Block/Quarantine/Log processes based on YARA rules found in a Git repository
  • Integrated with the Windows Event Log
  • Highly configurable via INI file
  • Installation/removal without rebooting
  • Built-in performance measuring and stress testing
  • Plugins extend or augment ProcFilter's behavior
  • Command-line behavior includes YARA scanning, file hashing, and service status querying

Screenshots

ProcFilter can be controlled through the Services control panel:

Service Control

New processes that match rules with Block, Log, or Quarantine values set are handled accordingly and results are sent to the Event Log's Application channel with the source of ProcFilter:

Service Control

If the process was started via the Windows GUI the user will receive a dialog box indicating creating the process failed:

Blocked Message

The Windows Event Log can be customized to provide a convenient view of ProcFilter's events with the following steps:

Create Custom View Set the Source to ProcFilter All ProcFilter Events

Processes that match rules with the Quarantine directive set to true will be quarantined and can be viewed or exported via the command-line:

View Quarantine

Performance can be measured with built-in performance testing:

Throughput Testing

ProcFilter has a variety of command-line options for convenience:

Command-Line Options

Configuration

procfilter.ini contains a variety of variety of configurables, including:

  • File/memory scanning on process create/terminate
  • File/memory scanning periodically
  • File/Memory scanning on executable image load

procfilter.ini also include a variety of plugin-specific options in addition.

Project Goals

  • Allow analysts to hook in to process and thread kernel events
  • Operationalize the growing body of knowledge found in YARA signatures in the Windows environment
  • Fill in the gap between detection of a threat and vendor response
  • Be a lightweight, configurable, additional layer of defense

Project Non-Goals

  • Become an A/V replacement
  • A/V does much more than ProcFilter: Behavior based detection, code emulation, centralized management, self-protection, inter-process communication and monitoring, examines file operations, examines network behavior, and many more vendor-specific features

ProcFilter could do some or all of these things in the future through plugins but these features are currently out of scope as the project is being established.

Signatures

Signatures can either come from disk or more conveniently from a Git repository. Configuration can specify a Git URL to pull updates from and the service will automatically check out and load new commits.

By default ProcFilter will respond to 3 boolean meta tags within YARA rules:

Meta Tag Action
Block Block the process associated with rule matches
Log Allow the process but log its presence
Quarantine Make a copy of the associated file in a quarantine location

An example YARA rule for use with ProcFilter that matches UPX-packed binaries:

rule upx {
    meta:
        description = "UPX packed file"
        
        Block = false
        Log = true
        Quarantine = false
        
    strings:
        $mz = "MZ"
        $upx1 = {55505830000000}
        $upx2 = {55505831000000}
        $upx_sig = "UPX!"

    condition:
        $mz at 0 and $upx1 in (0..1024) and $upx2 in (0..1024) and $upx_sig in (0..1024)
}

ProcFilter comes with a small set of default rules to get analysts started. It does not contain a large rule set meant to catch everything. In fact, it only includes rules for very select few families. View the default rule set here. While it is possible to include a massive rule set, consider the potential for false-positives, difficulty in rule creation, and fundamental limitations of signature-based prevention -- all-encompassing rule sets quickly become a much more difficult challenge than it may appear at the outset. See the "Advocacy for Signature Sharing" section below for more details.

Plugins can add handlers for custom meta tags. The 'cmdline' plugin, for example, looks for CaptureCommandLine tags that trigger it to record command line options associated with rule matches. It also enables AskSubprocesses and LogSubprocesses options which will ask to allow and log new subprocesses created by the matching process. This could be used, for example, in a rule matching cmd.exe to log command shell activity.

Jusitification and Effective Usage

ProcFilter is not an AntiVirus replacement. ProcFilter contains a minimal signature set and will miss most malware by default. Despite this it still has high utility and is a valuable component of a defense-in-depth strategy against unwanted software.

ProcFilter uses YARA and YARA is signature-based. This means that in order to block something it must have been seen before. Signature evasion is trivial -- repack and evade -- although it does raise the bar of difficulty for an attacker since it generally follows that that the more an attacker tries to hide a payload the more prominent and detectable the hiding mechanism becomes.

Sophisticated payloads tend to be complex pieces of software and like any other complex software do not change drastically over time even though the packing might. Well-written signatures may work for longer periods of time, keying in on aspects of code unlikely to change across obfuscations, packing, or varied compilation options. Sometimes it's possible to "see through" packing as in this example.

Post-execution memory scanning, while resource intensive, can detect post-execution payloads. It's not preventative but it will give you visibility and awareness you wouldn't have had otherwise. Furthermore, this can be used by analysts in a controlled environment to detect payloads of packed malware without having to involve a debugger.

Legitimate software is not often packed and rules that detect packers can help identify unwanted software. You may not need to know what something is -- just that it's hiding its behavior is enough. For example, you may know that packed software should not be run in a specific, tightly-controlled environment, making ProcFilter an effective mitigation or additional indicator of unwanted behavior. Note that this is environment dependent; some legitimate software such as games use packers like UPX to compress game assets and minimize executable size.

Signature Sharing

Signature sharing is a challenge. If signatures are publicly visible then an attacker can test against them until evasion is successful. Addtionally, the open format of YARA provides a roadmap to exactly what within a family is causing the detection. On the other hand, this consumes the attacker's resources by forcing them to adapt. Additionally, prior releases of the malware will no longer be effective once a signature has been created.

Considering the pros and cons, it's advisable to avoid subscribing to the belief of keeping security-related information private to avoid “tipping the hand to attackers”. The benefit of open information exchange is multiplicative and with that comes the ability to out scale — consider the success of software such as AdBlock. If you have a community of people with the same vested interest in solving the next new problem you’re a lot better off than if you kept your tips & tricks private and remained independent in the fight against malware.

Furthermore, consider that if signature evasion is a problem, custom-written plugins still have plenty of opportunity to perform advanced actions to detect malware. ProcFilter can be extended in many different dimensions to meet a multitude of techniques.

Pros of Sharing:

  • Promotes a community in which resources can be pooled
  • Remains effective against prior releases/deployments of a malware family
  • Reduces duplicated effort which is currently the status quo
  • Once a threat is identified, signatures can be shared across all participants
  • The larger the community defining the threats, the less damage they will be able to do

Cons of Sharing:

  • Attackers can test against public signatures until evasion is successful
  • The open format of YARA provides information as to what exactly needs to be changed to evade signatures

Sharing in a semi-open fashion between trusted partners via private forums can be an effective way to mitigate the cons of open sharing.

API

ProcFilter exposes a C API that can extend or alter behavior. For example, a plugin could perform custom actions based on tags in YARA signature's meta sections cmdline plugin. The C API header file is located here.

Event list (See procfilter.h for the full list):

  • Process Creation/Termination
  • Thread Creation/Termination
  • Executable Image Load
  • Scan start/finish

Example plugins:

Risks

Running ProcFilter introduces attack surface just as any additional software does. While it has been written with security in mind it may have vulnerabilities or the libraries it depends on may have vulnerabilities -- this is no different than any other software. It may be susceptible to system crashes, errant behavior, or security vulnerabilities. Just because this is a security tool does not make it suddenly immune to the pitfalls and caveats of modern programming languages. The hope is that the tradeoff of risks prevented versus risks introduced is favorable.

ProcFilter is beta and is not quite yet ready for use in production environments.

Example Use Cases

Use Case #1

Analysts at a peer organization detected or were hit by a spear phishing attack. They share their YARA signature with you for use in ProcFilter, minimizing the chance your organization will be hit by the same sample, or if the signature is good, other samples within that family.

Use Case #2

US-CERT releases a report containing a YARA signature for a malware family, such as in this 2014 report. You incorporate their YARA signatures into your rule set to minimize the chance your organization will be hit by a variant of the same.

Use Case #3

A specific threat actor is known to upload copies of command shells within a shared access environment. The differing filename or path prevents you from capturing this activity. In order to detect and analyze this actor's behavior, ProcFilter is run with a signature for the Windows command shell, the Command Line Capturing plugin enabled, and the CaptureCommandLine and LogSubprocesses values in the meta section set to true:

rule CommandShell {
    meta:
        description = "Microsoft Windows Command Shell"

        Block = false
        Quarantine = false
        CaptureCommandLine = true
        LogSubprocesses = true

    strings:
      // omitted for brevity

    condition:
        IsPeFile and all of them
}

When the attacker uploads and runs a command shell that matches the signature the command line arguments are recorded to th Event Log along with any commands run by the attacker from within that shell.

Use Case #4

The same TA packs the command shell with UPX so it's no longer detected by file scanning at process launch. ProcFilter's post-execution memory scanning is enabled which matches the command shell signature, consequently capturing the command line at process termination.

Use Case #5

An endpoint security engineer wants to harden endpoints against exploitation via Word, Excel, PowerPoint, and Adobe files. To help mitigate the chance of exploitation, ProcFilter is run with a signature matching the desktop applications needing protection, the Command Line Capturing plugin enabled, and the AskSubprocesses and LogSubprocesses values in the meta section set to true:

rule ClientSideApplications {
    meta:
        description = "Microsoft Word, Excel, PowerPoint and Adobe Reader"

        Block = false
        Log = false
        Quarantine = false
        AskSubprocesses = true
        LogSubprocesses = true

    strings:
      // omitted for brevity

    condition:
        IsPeFile and ...
}

When any of the matching applications try to create a subprocess it will be logged and the user will be prompted to allow or deny it, mitigating the chance that an exploit will successfully spawn a dropped or implanted file.

Use Case #6

A malware analyst needs to get a memory snapshot of a packed sample but running it in a controlled debug environment fails because the sample detects the environment and crashes out or exists before it is unpacked in memory. The malware analyst enables the 'unpack' ProcFilter plugin, which successfully takes a memory snapshot at process termination since ProcFilter doesn't act as a debugger. Note that this is a cat and mouse game since ProcFilter is detectable from userland and could be detected by an unpacking stub.

Use Case #7

A malware analyst wants to know if a packed sample is related to a sample found before. Scans against the file turn up nothing due to the packing. The analyst runs the sample in a controlled environment containing ProcFilter with post-execution memory scanning enabled. At program termination the address space is scanned which matches rules in the set, indicating the type of payload.

Questions?

We're here to help! The ProcFilter development team can be contacted by email at [email protected] or on Gitter for general discussion.

Gitter

License

ProcFilter is licensed under the MIT license located here.

More Repositories

1

terminus

Graceful shutdown and Kubernetes readiness / liveness checks for any Node.js HTTP applications
JavaScript
1,831
star
2

kubernetes-client

Simplified Kubernetes API client for Node.js.
JavaScript
961
star
3

tartufo

Searches through git repositories for high entropy strings and secrets, digging deep into commit history
Python
457
star
4

compose-color-picker

Jetpack Compose Android Color Picker 🎨
Kotlin
375
star
5

svgs

svgs is a compatiblity layer between svg and react-native-svg
JavaScript
191
star
6

eslint-plugin-i18n-json

Fully extendable eslint plugin for JSON i18n translation files.
JavaScript
177
star
7

node-cluster-service

Turn your single process code into a fault-resilient, multi-process service with built-in REST & CLI support. Restart or hot upgrade your web servers with zero downtime or impact to clients.
JavaScript
166
star
8

godaddy.github.io

Deprecated version of GoDaddy blog. See https://github.com/godaddy/engineering.
HTML
163
star
9

smart-private-npm

An intelligent routing proxy for npm with support for: private, whitelisted, and blacklisted packaged
JavaScript
139
star
10

ekke

Ekke is a test runner for React-Native, it allows you to execute your test code directly on the device enabling you to test in the same environment as your production users.
JavaScript
133
star
11

gasket

Framework Maker for JavaScript Applications
JavaScript
130
star
12

kubernetes-gated-deployments

Kubernetes Gated Deployments
JavaScript
123
star
13

activerecord-delay_touching

Batch up your ActiveRecord "touch" operations for better performance. ActiveRecord::Base.delay_touching do ... end. When "end" is reached, all accumulated "touch" calls will be consolidated into as few database round trips as possible.
Ruby
111
star
14

engineering

Jekyll website and blog showcasing open source projects by GoDaddy employees
HTML
84
star
15

yara-rules

YARA rules for use with ProcFilter
83
star
16

aws-okta-processor

Okta credential processor for AWS CLI
Python
82
star
17

warehouse.ai

A storage and developer workflow engine for enforcing arbitrary checks on ontologies of npm packages.
JavaScript
82
star
18

javascript

The official GoDaddy JavaScript styleguide.
JavaScript
76
star
19

asherah

Asherah is a multi-language, cross-platform application encryption SDK
C#
75
star
20

wp-reseller-store

Resell hosting, domains, and more right from your WordPress site.
PHP
62
star
21

react-img-carousel

A flexible image carousel built with React.js
JavaScript
60
star
22

jiractl

A command-line tool for managing Jira
JavaScript
56
star
23

lighthouse4u

LH4U provides Google Lighthouse as a service, surfaced by both a friendly UI+API, and backed by various storage clients (S3, ElasticSearch, etc) for all your query and visualization needs
EJS
56
star
24

slay

Rock-solid structured application layout for building APIs and web apps in Node.js.
JavaScript
49
star
25

next-rum

RUM Component for Next.js
JavaScript
48
star
26

timings

NodeJS/Express API to assert performance results during functional testing
JavaScript
45
star
27

addhoc

Handy little helper to create proper React HOC functions complete with hoisted statics and forwarded refs
JavaScript
41
star
28

datastar

A robust and feature rich ODM for Cassandra.
JavaScript
40
star
29

openstack-logstash

Logstash and Kibana configs for OpenStack Havana
JavaScript
37
star
30

node-openstack-wrapper

An OpenStack client for Node.js
JavaScript
33
star
31

gdapi-php

A PHP client for Go Daddy® REST APIs
PHP
31
star
32

opa-lambda-extension-plugin

A plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension.
Go
28
star
33

reduxful

Manage request data in Redux state by generating actions, reducers, and selectors automatically.
JavaScript
27
star
34

lazy-social-buttons

A JavaScript plugin to place social buttons on a page on user interaction (mouseover) to spare the initial page load from the 300kb+ download requests for social APIs.
JavaScript
25
star
35

serverless-aws-servicecatalog

An AWS Service Catalog enabling plugin for the popular Serverless project
JavaScript
24
star
36

react-safe-src-doc-iframe

A component which applies guards to srcdoc iframes in order to provide a predictable and safe experience to the user. Complements the sandbox native iframe attribute.
JavaScript
23
star
37

react-markdown-github

React component that renders Markdown similarly to Github's formatting
JavaScript
22
star
38

node-flipr

Feature flipping and configuration using yaml files.
JavaScript
21
star
39

domain-search

React-based domain search widget used for designing and building custom GoDaddy reseller storefronts
JavaScript
21
star
40

pullie

A GitHub bot that makes your PRs better
JavaScript
20
star
41

asset-system

asset-system is a cross platform SVG based asset system for React and React-Native. This mono-repo is the home for all asset-* packages.
JavaScript
20
star
42

docker-machine-godaddy

A Docker Machine driver plugin for GoDaddy Cloud Servers.
Go
19
star
43

carpenterd

Build and compile npm packages to run in the browser.
JavaScript
19
star
44

node-priam

A simple Cassandra driver for NodeJS. It wraps node-cassandra-cql with additional error/retry handling, external .cql file support, and connection option resolution from an external source.
JavaScript
19
star
45

external

Fitting for load React components from an external BigPipe server.
JavaScript
18
star
46

kibana4-backup

JavaScript
17
star
47

django-snow

ServiceNow Ticket Management App for Django based projects
Python
16
star
48

node-redis-ha

Redis high-availability client library for node
JavaScript
15
star
49

sample-size

This python project is a helper package that uses power analysis to calculate required sample size for any experiment
Python
14
star
50

node-config-shield

Safe and easy way for storing and retrieving sensitive data
JavaScript
13
star
51

bucket-service

A service to tag your tests to enable/disable without a code change
JavaScript
10
star
52

breakdancer

A breakpoint tracking utility
JavaScript
10
star
53

centos7-upgrade-scripts

Ansible playbook and supporting scripts for upgrading OpenStack compute/hypervisor hosts from CentOS 6 to 7
Shell
10
star
54

openstack-traffic-shaping

Python
9
star
55

tartufo-action

Searches through git repositories for high entropy strings and secrets, digging deep into commit history
Python
9
star
56

radpack

JavaScript
8
star
57

appetizer-bundle

Creates an uploadable bundle of your React-Native application so it can run on the appetize.io platform.
JavaScript
8
star
58

docker-node

Debian Docker images for Node.js with best practices in mind
Dockerfile
8
star
59

GDRouting

Objective-C
8
star
60

gdapi-python

A Python client for Go Daddy® REST APIs
Python
8
star
61

netmet

NetMet is networking tool that allows you to track and analyze network uptime of multi data centers installations
Python
7
star
62

godaddy-test-tools

gulp tools for testing node libraries with mocha and istanbul as well as linting using godaddy-style.
JavaScript
7
star
63

react-validation-context

Components for providing validation via React context.
JavaScript
7
star
64

openstack-ansible

Ansible playbooks for managing OpenStack infrastructure
7
star
65

out-of-band-cache

A generic cache for API clients with out-of-band refreshing
JavaScript
7
star
66

node-redirect-rules

JavaScript
7
star
67

exemplar

Deprecated: storybook rocket fuel to launch structured examples of React & React Native components
JavaScript
7
star
68

asherah-cobhan

Cobhan bindings for Asherah
Go
7
star
69

vault-cert-finder

Finds, parse and output X509 certificates stored in Hashicorp Vault
TypeScript
7
star
70

eslint-plugin-react-intl

Validation of locale ids used with react-intl functions/components like <FormattedMessage />, formatMessage and defineMessages.
JavaScript
7
star
71

gdapi-csharp

A C# client for Go Daddy® REST APIs
C#
6
star
72

tartufo-node

npm package shim for https://github.com/godaddy/tartufo
JavaScript
6
star
73

aws-liveness

AWS Liveness tools.
JavaScript
6
star
74

cobhan-go

Cobhan FFI is a system for enabling shared code to be written in Rust or Go and consumed from all major languages/platforms in a safe and effective way.
Go
6
star
75

cijtemplate

A template for continuous integration with Jenkins
Shell
6
star
76

lighthouse4u-lambda

Running Lighthouse4u in AWS Lambda
JavaScript
6
star
77

asherah-ruby

Application-layer encryption SDK
Ruby
6
star
78

node-http-cache

An extensible caching interface for HTTP traffic.
JavaScript
6
star
79

abstract-npm-registry

An test suite and interface for you can use to test various functional areas of an npm registry
JavaScript
6
star
80

asherah-python

Python
5
star
81

appetizer

A Node.js REST based API client for Appetize.io.
JavaScript
5
star
82

transform-url

Build URLs by transforming a template with params.
JavaScript
5
star
83

cobhan-python

Python wrapper library for the Cobhan FFI system
Python
5
star
84

node-connect-qos

Connect middleware that helps maintain a high quality of service during heavy traffic
TypeScript
5
star
85

timings-client-py

Python client for the timings API
Python
5
star
86

http-interception

Dumps requests and responses as newline delimited JSON that a browser performs when visiting a web page.
JavaScript
4
star
87

feedsme

Triggers appropriate rebuilds in the warehouse.ai system
JavaScript
4
star
88

mssql-pool-party

Extension of node mssql client providing failover, retry, stats, and more
JavaScript
4
star
89

cobhan-rust

Cobhan FFI is a system for enabling shared code to be written in Rust and consumed from all major languages/platforms in a safe and effective way.
Rust
4
star
90

short-css-vars

Optimize CSS variable names
JavaScript
4
star
91

spree_weight_based_shipping_calculator

Spree extension for weight-based shipping calculation
Ruby
4
star
92

joi-of-cql

Create cql type definitions from joi schema validations
JavaScript
4
star
93

hostwriter

API and CLI for querying and manipulating host files.
JavaScript
4
star
94

orglinter

A GitHub organization linting tool
JavaScript
3
star
95

gdapi-ui

An in-browser client for Go Daddy® REST APIs
JavaScript
3
star
96

carpenterd-worker

the worker process for carpenterd
JavaScript
3
star
97

node-gd-assets

CSS, JS, and Handlebars combiner, compressor, and server
JavaScript
3
star
98

node-http-cache-cassandra

A Cassandra provider for the extensible HTTP caching library http-cache.
JavaScript
3
star
99

cobhan-ruby

Ruby wrapper library for the Cobhan FFI system
Ruby
3
star
100

.github

Default community health files for GoDaddy Open Source
3
star