DarkWidow

This is a Dropper/PostExploitation Tool (or can be used in both situations) targeting Windows.

Capabilities:

1. Indirect Dynamic Syscall
2. SSN + Syscall address sorting via Modified TartarusGate approach
3. Remote Process Injection via APC Early Bird (MITRE ATT&CK TTP: T1055.004)
4. Spawns a sacrificial Process as the target process
5. ACG(Arbitrary Code Guard)/BlockDll mitigation policy on spawned process
6. PPID spoofing (MITRE ATT&CK TTP: T1134.004)
7. Api resolving from TIB (Directly via offset (from TIB) -> TEB -> PEB -> resolve Nt Api) (MITRE ATT&CK TTP: T1106)
8. Cursed Nt API hashing

Bonus: If blessed with Admin privilege =>

1. Disables Event Log via killing EventLog Service Threads (MITRE ATT&CK TTP: T1562.002)

Disadv: If threads are resumed, all events that occurred during the suspension of Event Logger, get logged Again!

So, thought of killing them instead!

"It's more Invasive than suspension, but the decision is always up to the operator. Besides, killing threads get logged on the kernel level" - @SEKTOR7net

While Killing only those threads in the indirect syscall implant, was facing an error. I was unable to get the "eventlog" SubProcessTag Value. So thought of killing all threads, i.e. killing the whole process (responsible svchost.exe). Yeah creating an IOC!.

= EDR/Ring-3/UserLand hook Bypass!

Compile:

Directly via VS compiler:

Also add /MT compiler flag! => To statically links CRT functions together in a binary (Yeah, U guessed it, it bloats the implant)

2. Also via compile.bat (prefer option 1.)

./compile.bat

Usage:

PS C:> .\x64\Release\indirect.exe
[!] Wrong!
[->] Syntax: .\x64\Release\indirect.exe <PPID to spoof>

In Action:

Sofos XDR Bypass:

Further Improvements:

1. PPID spoofing (Emotet method)
2. Much Stealthier Use Case of EventLog Disabling!

Portions of the Code and links those helped:

1. TIB:

   • https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
   • https://www.wikiwand.com/en/Win32_Thread_Information_Block

2. GS and FS register:

   • https://stackoverflow.com/questions/39137043/what-is-the-gs-register-used-for-on-windows
   • https://stackoverflow.com/questions/10810203/what-is-the-fs-gs-register-intended-for#:~:text=The%20registers%20FS%20and%20GS,to%20access%20thread%2Dspecific%20memory.

3. PEB LDR structure:

   • BlackHat - What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection by @monnappa22

   • A pic of process Memory from the Above link:
     

   • From labs.cognisys.group, a blog by @D1rkMtr :
     

4. TIB -> TEB -> PEB -> Resolve Nt API and API hashing

   • https://stackoverflow.com/questions/41277888/iterating-over-peb-dllname-shows-only-exe-name

   • https://doxygen.reactos.org/d7/d55/ldrapi_8c_source.html#l01124

   • labs.cognisys.group, a blog by @D1rkMtr

   • A pic of the snippet from the above link, which I used here to resolve API dynamically without HardCoding Offsets:
     

   • The Api hashing Script that I have Used:

def create_hash(input_string):
    # Initialize the hash value to zero
    hash_value = 0

    # Iterate through each character in the input string
    for char in input_string:
        # Add the ASCII value of the character to the hash_value
        hash_value += ord(char)

    return hash_value

if __name__ == "__main__":
    input_string = input("Enter the string to hash: ")
    hashed_value = create_hash(input_string)
    print("Hash:", hashed_value)

5. ACG(Arbitrary Code Guard)/BlockDll mitigation policy:

   • links:
   • Protecting Your Malware by @xpn
   • Wraith by @winterknife
   • spawn and HOLLOW by @0xBoku

6. PPID Spoofing Detection:

   • PPID Spoofing Detect by @spotheplanet
   • If got time, I will be adding a detection Portion to this portion! -> [Remaining..............................................!]

7. Moneta Detection and PESieve Detection:\

   • Moneta:
     

   • PESieve:
     

8. Capa Scan:
   

9. How Thread Stack Looks of the Implant Process:

Implant Process	Legit Cmd process

It follows that by executing the return instruction in the memory of the ntdll.dll in the indirect syscall POC, the return address can be successfully spoofed, the ntdll.dll can be placed at the top of the call stack and the EDR will interpret a higher legitimacy. - @VirtualAllocEx from DirectSyscall Vs Indirect Syscall
Also thanks to, @peterwintrsmith!

10. EventLogger Config, I used:

11. Setting SeDebugPrivilege:
    From Here: To Here:

12. Killing Event Log Threads:

    • rto-win-evasion by @SEKTOR7net
    • Phant0m by @hlldz
    • Goblin by @winterknife
    • disabling-windows-event-logs-by-suspending-eventlog-service-threads by @spotheplanet
      From here:
      
      To here:
      
    • This Method, Ended up causing errors in indirect syscall implementation. So, I ended up killing all those threads present within responsible svchost.exe (reason: Go up).

Major Thanks for helping me out (Directly/indirectly (pun NOT intended :))):

1. @SEKTOR7net
2. @peterwintrsmith
3. @Jean_Maes_1994
4. @D1rkMtr
5. @spotheplanet
6. @0xBoku
7. @Sh0ckFR
8. @winterknife
9. @monnappa22
10. @xpn
11. @hlldz

I hope I didn't miss someone!

This project is a part of my journey to learn about EDR World! => Learning-EDR-and-EDR_Evasion