EDR Evasion
Detection labs:
PPID spoofing - parent/child process relationship - very important
Argue
- use when running commands to confuse Blue Teams (see https://blog.xpnsec.com/how-to-argue-like-cobalt-strike)
blockdlls start
- Windows supports blocking third-party DLLs (all except Microsoft's own) from being loaded
Comproxies
Further down in the file we can see "C:\Windows\system32\svchost.exe -k netsvcs" - this value can be set as our spawnto value
<!-- Event ID 2 == File Creation Time - Excludes -->
<!-- onmatch="exclude": a FileCreateTime event whose Image matches ANY single entry below is
     dropped (groupRelation="or"); every other file-time change is logged. -->
<RuleGroup groupRelation="or">
<FileCreateTime onmatch="exclude">
<Image condition="end with">AppData\Local\Google\Chrome\Application\chrome.exe</Image>
<Image condition="end with">Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe</Image>
<!-- condition="image" compares the image file name only, so an OneDrive.exe in any directory
     is excluded. NOTE(review): confirm this path-independent match is intended. -->
<Image condition="image">OneDrive.exe</Image>
<!-- "contains" excludes every image whose path contains the substring "setup", wherever it
     sits. NOTE(review): this is a broad blind spot for this event type; consider narrowing
     it to the specific installer paths that were generating noise. -->
<Image condition="contains">setup</Image>
<Image condition="end with">slack.exe</Image>
<Image condition="end with">AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
</FileCreateTime>
</RuleGroup>
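<!-- Event ID 3 == Network Connection - Excludes -->
<!-- onmatch="exclude": a NetworkConnect event that matches ANY single entry below is dropped
     (groupRelation="or"); all other connections are logged. Image entries suppress by the
     connecting process path; DestinationHostname entries suppress by target host for every
     process. The closing </RuleGroup> at the end completes the group so the fragment is
     well formed. -->
<RuleGroup groupRelation="or">
<NetworkConnect onmatch="exclude">
<Image condition="end with">AppData\Roaming\Dropbox\bin\Dropbox.exe</Image>
<Image condition="end with">winlogbeat.exe</Image>
<Image condition="end with">packetbeat.exe</Image>
<!-- condition="image" matches the image file name in any directory (path independent). -->
<Image condition="image">OneDrive.exe</Image>
<Image condition="image">OneDriveStandaloneUpdater.exe</Image>
<Image condition="end with">ownCloud\owncloud.exe</Image>
<!-- Sophos components, matched on the full path ("is"). swi_service.exe is listed once;
     a second identical entry was redundant inside an OR group and has been dropped. -->
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe</Image>
<Image condition="is">C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe</Image>
<Image condition="is">C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe</Image>
<Image condition="end with">AppData\Roaming\Spotify\Spotify.exe</Image>
<Image condition="end with">AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-ui.exe</Image>
<Image condition="end with">AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe</Image>
<!-- Windows Update / Microsoft CDN hosts, excluded for every process. Entries with a leading
     "." only match subdomains of that name. NOTE(review): the entries without one
     (wustat.windows.com, go.microsoft.com, download.microsoft.com, microsoft.com.akadns.net,
     microsoft.com.nsatc.net) are plain "end with" string matches on the hostname, so any
     longer name ending in those characters also matches - confirm the wider match is intended. -->
<DestinationHostname condition="end with">.windowsupdate.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">.windowsupdate.com</DestinationHostname>
<DestinationHostname condition="end with">wustat.windows.com</DestinationHostname>
<DestinationHostname condition="end with">go.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">.update.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">download.microsoft.com</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com.akadns.net</DestinationHostname>
<DestinationHostname condition="end with">microsoft.com.nsatc.net</DestinationHostname>
</NetworkConnect>
</RuleGroup>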
<!-- Event ID 8 == CreateRemoteThread - Excludes -->
<!-- onmatch="exclude": a CreateRemoteThread event that matches ANY single entry below is
     dropped (groupRelation="or"); every other remote thread creation is logged. -->
<RuleGroup groupRelation="or">
<!--Default to log all and exclude a few common processes-->
<CreateRemoteThread onmatch="exclude">
<!-- These entries key on the creating process only (full path, "is") with no TargetImage
     restriction, so a remote thread created from any of these system processes into any
     target is not recorded. NOTE(review): review each one as an accepted blind spot;
     the dwm.exe rule below shows the tighter source AND target form. -->
<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\services.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\winlogon.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\audiodg.exe</SourceImage>
<!-- Rule groupRelation="and": excluded only when dwm.exe is the source AND csrss.exe is the
     target; dwm.exe threads into any other process are still logged. -->
<Rule groupRelation="and">
<SourceImage condition="is">C:\Windows\System32\dwm.exe</SourceImage>
<TargetImage condition="is">C:\Windows\System32\csrss.exe</TargetImage>
</Rule>
<SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
</CreateRemoteThread>
</RuleGroup>
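<!-- Event ID 10 == ProcessAccess - Excludes -->
<!-- onmatch="exclude": a ProcessAccess event that matches ANY single entry below is dropped
     (groupRelation="or"); everything else is logged. SourceImage entries suppress by the
     accessing process; GrantedAccess entries suppress by the requested access mask for
     every source process. The closing </RuleGroup> at the end completes the group so the
     fragment is well formed. -->
<RuleGroup groupRelation="or">
<ProcessAccess onmatch="exclude">
<!-- "contains all": the value is a ";" separated list and every piece must appear in the
     field, which matches a per-user path without naming the user. -->
<SourceImage condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</SourceImage>
<SourceImage condition="end with">wmiprvse.exe</SourceImage>
<SourceImage condition="end with">GoogleUpdate.exe</SourceImage>
<SourceImage condition="end with">LTSVC.exe</SourceImage>
<SourceImage condition="end with">taskmgr.exe</SourceImage>
<SourceImage condition="end with">VBoxService.exe</SourceImage>
<SourceImage condition="end with">vmtoolsd.exe</SourceImage>
<SourceImage condition="end with">\Citrix\System32\wfshell.exe</SourceImage>
<SourceImage condition="is">C:\Windows\System32\lsm.exe</SourceImage>
<SourceImage condition="end with">Microsoft.Identity.AadConnect.Health.AadSync.Host.exe</SourceImage>
<!-- "begin with": anything under the Symantec install directory is excluded as a source. -->
<SourceImage condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection</SourceImage>
<!-- No condition attribute: Sysmon defaults to "is", so these are exact access-mask matches.
     NOTE(review): 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION and 0x1400 adds
     PROCESS_QUERY_INFORMATION; 0x101000 / 0x101400 are the same masks with SYNCHRONIZE.
     They are excluded regardless of SourceImage, so keep this set limited to query-only
     rights and never add a mask that carries memory read or write access. -->
<GrantedAccess>0x1000</GrantedAccess>
<GrantedAccess>0x1400</GrantedAccess>
<GrantedAccess>0x101400</GrantedAccess>
<GrantedAccess>0x101000</GrantedAccess>
<SourceImage condition="contains all">C:\Users\;\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe</SourceImage>
<!-- Rule groupRelation="and": excluded only when Teams.exe is both the source AND the
     target; Teams.exe accessing any other process is still logged. -->
<Rule groupRelation="and">
<SourceImage condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</SourceImage>
<TargetImage condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</TargetImage>
</Rule>
<!-- Defender engine from any versioned Platform subdirectory, with no target restriction. -->
<SourceImage condition="contains all">C:\ProgramData\Microsoft\Windows Defender\Platform\;\MsMpEng.exe</SourceImage>
</ProcessAccess>
</RuleGroup>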
Chrome creates a bunch of \\.\\pip\\mojo\\2212.2272.123123123123123 - maybe use that as default pipe
<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected - Excludes -->
<!-- onmatch="exclude": a PipeEvent that matches ANY single entry below is dropped
     (groupRelation="or"); all other pipe creations and connections are logged.
     Entries keyed on Image alone suppress every pipe of that process; entries keyed on
     PipeName alone suppress that pipe for every process; a Rule with groupRelation="and"
     requires both its Image and PipeName to match. -->
<RuleGroup groupRelation="or">
<PipeEvent onmatch="exclude">
<!-- NOTE(review): the Image value below starts with a space before "C:\Users\"; if Sysmon
     does not trim the value that leading space becomes part of the match and the rule may
     never fire - verify and remove it. The PipeName value also relies on a ";" separated
     list of prefixes under "begin with"; confirm the Sysmon version in use accepts a list
     for that condition. -->
<Rule groupRelation="and">
<Image condition="contains all"> C:\Users\;\AppData\Local\Programs\Call Manager\Call Manager.exe</Image>
<PipeName condition="begin with">\crashpad_;\mojo.;\uv\</PipeName>
</Rule>
<!-- "contains all": every ";" separated piece must appear in the path, which matches a
     per-user or Program Files / Program Files (x86) location without spelling it out. -->
<Image condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\receiver\Receiver.exe</Image>
<Image condition="contains all">C:\Users\;\AppData\Local\Citrix\ICA Client\SelfServicePlugin\SelfService.exe</Image>
<Image condition="contains all">C:\Program Files;\FireEye\xagt\xagt.exe</Image>
<!-- Browser and Electron style pipes: each Rule limits the exclusion to the named process
     AND the expected pipe prefix, so the same pipe name from another process is still logged. -->
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Google\Chrome\Application\chrome.exe</Image>
<PipeName condition="begin with">\mojo.</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Google\Chrome\Application\;\Installer\chrmstp.exe</Image>
<PipeName condition="begin with">\crashpad_</PipeName>
</Rule>
<PipeName condition="begin with">\Vivisimo Velocity</PipeName>
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image>
<PipeName condition="begin with">\LOCAL\mojo.</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image>
<PipeName condition="begin with">\LOCAL\chrome.sync.</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Microsoft\Edge\Application\msedge.exe</Image>
<PipeName condition="begin with">\LOCAL\crashpad_</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Microsoft Office\root\Office16\OUTLOOK.EXE</Image>
<PipeName condition="is">\MsFteWds</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
<PipeName condition="begin with">\mojo.</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Users\;\AppData\Local\Microsoft\Teams\current\Teams.exe</Image>
<PipeName condition="begin with">\chrome.sync.</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image>
<PipeName condition="begin with">\cubeb-pipe-</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image>
<PipeName condition="begin with">\chrome.</PipeName>
</Rule>
<Rule groupRelation="and">
<Image condition="contains all">C:\Program Files;\Mozilla Firefox\firefox.exe</Image>
<PipeName condition="begin with">\gecko-crash-server-pipe.</PipeName>
</Rule>
<!-- SQL Server local instance pipes, excluded for every process (exact name match). -->
<PipeName condition="is">\SQLLocal\MSSQLSERVER</PipeName>
<PipeName condition="is">\SQLLocal\INSTANCE01</PipeName>
<PipeName condition="is">\SQLLocal\SQLEXPRESS</PipeName>
<PipeName condition="is">\SQLLocal\COMMVAULT</PipeName>
<PipeName condition="is">\SQLLocal\RTCLOCAL</PipeName>
<PipeName condition="is">\SQLLocal\RTC</PipeName>
<PipeName condition="is">\SQLLocal\TMSM</PipeName>
<!-- NOTE(review): "is" requires the whole Image value to be equal, and the Image field
     carries the full path including the drive letter; this entry and the Qlik one below
     omit the drive letter, so they most likely never match. The sibling entries use
     "end with", which is probably what was intended here. -->
<Image condition="is">Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe</Image>
<Image condition="end with">PostgreSQL\9.6\bin\postgres.exe</Image>
<PipeName condition="contains">\pgsignal_</PipeName>
<Image condition="is">Program Files\Qlik\Sense\Engine\Engine.exe</Image>
<Image condition="contains all">C:\Program Files;\Qualys\QualysAgent\QualysAgent.exe</Image>
<!-- Splunk forwarder, Trend Micro and other agents: all pipe activity of these images is
     suppressed, whatever the pipe name. -->
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Image>
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunk.exe</Image>
<Image condition="end with">Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe</Image>
<Image condition="end with">Program Files\Trend\SPROTECT\x64\tsc.exe</Image>
<Image condition="end with">Program Files\Trend\SPROTECT\x64\tsc64.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe</Image>
<Image condition="end with">Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe</Image>
<PipeName condition="is">\Trend Micro OSCE Command Handler Manager</PipeName>
<PipeName condition="is">\Trend Micro OSCE Command Handler2 Manager</PipeName>
<PipeName condition="is">\Trend Micro Endpoint Encryption ToolBox Command Handler Manager</PipeName>
<PipeName condition="is">\OfcServerNamePipe</PipeName>
<!-- NOTE(review): the pipe names below are excluded for every process because no Image is
     paired with them. Consider wrapping each in a Rule with the owning service's Image so
     only that service's use of the pipe is suppressed and any other process touching the
     same name is still logged. -->
<PipeName condition="is">\ntapvsrq</PipeName>
<PipeName condition="is">\srvsvc</PipeName>
<PipeName condition="is">\wkssvc</PipeName>
<PipeName condition="is">\lsass</PipeName>
<PipeName condition="is">\winreg</PipeName>
<PipeName condition="is">\spoolss</PipeName>
<!-- Substring match: any pipe name containing "Anonymous Pipe" is dropped. -->
<PipeName condition="contains">Anonymous Pipe</PipeName>
<!-- IIS worker process: every pipe event from it is suppressed, with no PipeName restriction. -->
<Image condition="is">c:\windows\system32\inetsrv\w3wp.exe</Image>
</PipeEvent>
</RuleGroup>
/all logged
Data sources
Use the sysmon-configs that have been used below to try to identify potential injection areas, e.g. Event ID 1 - Process Injection: