optiv/Freeze optiv/Freeze

  • This repository has been archived on 18/Aug/2023
  • Stars
    star
    1,379
  • Rank 33,333 (Top 0.7 %)
  • Language
    Go
  • License
    MIT License
  • Created almost 2 years ago
  • Updated 11 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
optiv/Freeze
github

optiv

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods



Freeze

More Information

If you want to learn more about the techniques utilized in this framework, please take a look at SourceZero Blog

Description

Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.

Creating A Suspended Process

When a process is created, Ntdll.dll is the first DLL that is loaded. This happens before any EDR DLLs are loaded. This means that there is a bit of a delay before an EDR can be loaded and start hooking and modifying the assembly of system DLLs. In looking at Windows syscalls in Ntdll.dll, we can see that nothing is hooked yet. If we create a process in a suspend state (one that is frozen in time), we can see that no other DLLs are loaded, except for Ntdll.dll. You can also see that no EDR DLLs are loaded, meaning that the syscalls located in Ntdll.dll are unmodified.

Address Space Layout Randomization

In order to use this clean suspended process to remove hooks from Freeze loader, we need a way to programmatically find and read the clean suspended process' memory. This is where address space layout randomization (ASLR) comes into play. ASLR is a security mechanism to prevent stack memory corruption-based vulnerabilities. ASLR randomizes the address space inside of a process, to ensure that all memory-mapped objects, the stack, the heap, and the executable program itself, are unique. Now, this is where it gets interesting because while ASLR works, it does not work for position-independent code such as DLLs. What happens with DLLs, (specifically known system DLLs) is that the address space is randomized once at boot time. This means that we don't need to enumerate a remote process information to find the base address of its ntdll.dll because it is the same in all processes including the one that we control. Since the address of every DLL is the same place per boot, we can pull this information from our own process and never have to enumerate the suspended process to find the address.

With this information, we can use the API ReadProcessMemory to read a process' memory. This API call is commonly associated with the reading of LSASS as part of any credential-based attack; however, on its own it is inherently not malicious, especially if we are just reading an arbitrary section of memory. The only time ReadProcessMemory will be flagged as part of something suspicious is if you are reading something you shouldn't (like the contents of LSASS). EDR products should never flag the fact that ReadProcessMemory was called, as there are legitimate operational uses for this function and would result in many false positives.

We can take this a step further by only reading a section of Ntdll.dll where all syscalls are stored - its .text section, rather than reading the entire DLL.

Combining these elements, we can programmatically get a copy of the .text section of Ntdll.dll to overwrite our existing hooked .text section prior to executing shellcode.

ETW Patching

ETW utilizes built-in syscalls to generate this telemetry. Since ETW is also a native feature built into Windows, security products do not need to "hook" the ETW syscalls to access the information. As a result, to prevent ETW, Freeze patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. Patching ETW is now default in all loaders.

Shellcode

Since only Ntdll.dll is restored, all subsequent calls to execute shellcode need to reside in Ntdll.dll. Using Go (note you can do this in other languages but in Go, its quite easy to implement) we can define and call the NT syscalls needed to allocate, write, and protect the shellcode, effectively skipping the standard calls that are located in kernel32d.dll, and Kernelbase.dll, as these may still be hooked.

Contributing

Freeze was developed in Golang.

Install

To install Freeze, run the following commands, or use the compiled binary:

go build Freeze.go

Help

        ___________                                    
        \_   _____/______   ____   ____ ________ ____  
         |    __) \_  __ \_/ __ \_/ __ \\___   // __ \ 
         |     \   |  | \/\  ___/\  ___/ /    /\  ___/ 
         \___  /   |__|    \___  >\___  >_____ \\___  >
             \/                \/     \/      \/    \/ 
                                        (@Tyl0us)
        Soon they will learn that revenge is a dish... best served COLD...
                 
Usage of ./Freeze:
  -I string
        Path to the raw 64-bit shellcode.
  -O string
        Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe.
  -console
        Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
  -encrypt
        Encrypts the shellcode using AES 256 encryption
  -export string
        For DLL Loaders Only - Specify a specific Export function for a loader to have.
  -process string
        The name of process to spawn. This process has to exist in C:\Windows\System32\. Example 'notepad.exe' (default "notepad.exe")
  -sandbox
        Enables sandbox evasion by checking:
                Is Endpoint joined to a domain?
                Does the Endpoint have more than 2 CPUs?
                Does the Endpoint have more than 4 gigs of RAM?
  -sha256
        Provides the SHA256 value of the loaders (This is useful for tracking)

Binary vs DLL

Freeze can generate either a .exe or .dll file. In order to specify this, ensure that the -O command line option ends with either a .exe for binaries or .dll for dlls. No other file types are currently supported. In the case of DLL files, Freeze can also add additional export functionality. To do this use the -export with specific export function name.

Console

Freeze utilizes a technique to first create the process and then move it into the background. This does two things - first it helps keep the process hidden, and second, avoids being detected by any EDR product. Spawning a process right away in the background can be very suspicious and an indicator of maliciousness. Freeze does this by calling the ‘GetConsoleWindow’ and ‘ShowWindow’ Windows function after the process is created and the EDR’s hooks are loaded, and then changes the windows attributes to hidden. Freeze utilizes these APIs rather than using the traditional -ldflags -H=windowsgui, as this is highly signatured and classified in most security products as an Indicator of Compromise.

If the -console command-line option is selected, Freeze will not hide the process in the background. Instead, Freeze will add several debug messages displaying what the loader is doing.

Credit

More Repositories

1

ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.
Go
2,665
star
2

Mangle

Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
Go
1,129
star
3

Ivy

Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode.
Go
729
star
4

Freeze.rs

Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST
Rust
700
star
5

Go365

An Office365 User Attack Tool
Go
604
star
6

Talon

A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory environment.
Go
428
star
7

mobile-nuclei-templates

352
star
8

Registry-Recon

Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon
317
star
9

Dent

A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
Go
294
star
10

InsecureShop

An Intentionally designed Vulnerable Android Application built in Kotlin.
Kotlin
224
star
11

OSINT_Encyclopedia

Your go-to resource for all things OSINT
150
star
12

Microsoft365_devicePhish

A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow
Python
89
star
13

blemon

Universal BLE Monitoring with Frida (or Objection)
JavaScript
85
star
14

rest-api-goat

Python
62
star
15

KnockKnock

Enumerate valid users within Microsoft Teams and OneDrive with clean output.
Python
58
star
16

rustyIron

rustyIron is a tool that takes advantage of functionality within Ivanti's MobileIron MDM solution to perform single-factor authentication attacks. rustyIron can locate the MobileIron MDM authentication endpoint, validate the authentication strategy of the environment, perform user enumeration, brute-force registration PIN values, and perform single-factor authentication attacks.
Go
45
star
17

airCross

airCross is a tool that takes advantage of API functionality within VMWare's AirWatch MDM solution to perform single-factor authentication attacks. airCross can locate AirWatch authentication endpoint, validate the authentication strategy of the environment, collect GroupID authentication values, conduct single-factor authentication, and perform user enumeration, in some instances.
Go
40
star
18

CVE-2020-15931

Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability
Go
25
star
19

nvdsearch

A National Vulnerability Database (NVD) API query tool
Go
16
star
20

doppelganger

Doppelgänger is firmware that runs on ESP32 devices that can be embedded within commercially available RFID readers with the intent of capturing access control card data while performing physical security assessments. Doppelgänger keeps the operator's ease of access, maintenance, and operational communications in mind.
C++
13
star
21

DATP_Queries

Microsoft Defender ATP Advanced Hunting Queries
11
star
22

Yara-Rules

YARA
10
star
23

netneedle

Network based steganography based control channels and chat.
C
10
star
24

showSSID

Python
9
star
25

Luhn-Calculator

A very simple Burp extension to make it easier to enumerate credit cards in the Intruder.
Python
7
star
26

burp-reset-a-tron

reset-a-tron Burp extension
Python
7
star
27

burp-IBM-WebSphere-Portlet-Decoder

BurpSuite plugin for decoding IBM WebSphere Portlet States
Python
6
star
28

burp-java-deserializer

Java
5
star
29

android-ndk-crackme

A simple NDK-based application on which to demonstrate some important attack strategies.
Java
5
star
30

warmap-go

CSS
5
star
31

VisualLockPickingWorkstation

The Visual Lock Picking Workstation is a Raspberry Pi enclosure which makes it possible to capture live video from a cutaway lock. It is intended as an instructional device which can be used to display the inner workings of a lock while teaching lock picking.
5
star
32

burpshellshock

Shellshock scanner for Apache MOD_CGI
Java
4
star
33

talus

Python
4
star
34

azure_runbooks

3
star
35

talus_client

Python
3
star
36

checkpassword-.net

HIBP Pwned Passwords API Client for .NET apps
C#
3
star
37

checkpassword-java

HIBP Pwned Passwords API client for Java projects
Java
3
star
38

Lightning-Action-Editor

Java
2
star
39

pyautoaws

Simple Python wrapper for Terraform/Ansible to build AWS resources
HCL
2
star
40

azure-api-management-tracing-helper

Java
2
star
41

captcha-solve

Python
2
star
42

terraform-eks

Terraform/Amazon EKS Deployment Starter Scripts
HCL
1
star