Open david74552 opened 8 years ago
write a driver to hide the "python.exe" process?
@certau-davidg Although you address a valid point here, it's not just the Agent, but also the Analyzer. Porting this to another language is, to say the least, non-trivial. We have some other approaches in mind though, such as the one mentioned by @shellbombs, so please stay tuned.
You could integrate ZeroMon with Cuckoo 2.0, as the instructions are there: https://github.com/conix-security/zer0m0n (it is easy to integrate, fully written for Cuckoo 2.0, and I believe it is going to be added into the main branch anyway).
This will get you by for now, though. Of course there are differences: signatures may not behave right, you may be missing features, etc., but still, if you run into malware doing this you can run the zer0m0n analysis and do a stealthier analysis (assuming it is outside the usual VM/sandbox detection methods). From their documentation (this may be old; I don't know what is hidden now):
A: For now, several processes are hidden/blocked, by pid filtering:
Adding the following 2 signatures also will help you identify when malware is potentially doing this so you can then try using zeromon:
Searching for process not found: https://raw.githubusercontent.com/kevross33/community/ecac8b90801f8a378a1b7d491941ab5af632b285/modules/signatures/windows/process_needed.py
Expressing interest in process: https://raw.githubusercontent.com/kevross33/community/5884ab3cdaf84a989f829a87c2378d615595b6e8/modules/signatures/windows/process_interest.py
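To illustrate what these two signatures are getting at, here is a toy check, added as an example (not code from Cuckoo or from the linked community signatures), that scores a constructed behaviour log for two signals: the sample walks the process list, and an argument names python.exe. The record format and the set of enumeration APIs are assumptions made for the illustration.

```python
# Toy behaviour-log check, added here as an example; it is not code from the
# Cuckoo project or from the linked community signatures. It flags a sample that
# walks the process list and then shows interest in analysis tooling such as
# python.exe. The record format and the set of enumeration APIs are assumptions.
from collections import Counter

# Process names a benign sample has no reason to look for.
ANALYSIS_PROCESSES = {"python.exe", "pythonw.exe"}

# APIs that walk the running-process list (Toolhelp and native); assumption.
ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
             "NtQuerySystemInformation"}


def check_process_interest(calls):
    """Scan constructed call records of the form {"api": str, "args": {name: value}}.

    Returns whether processes were enumerated, how often each analysis process
    name appeared in call arguments, and whether both happened (suspicious).
    """
    enumerated = False
    looked_for = Counter()
    for call in calls:
        if call["api"] in ENUM_APIS:
            enumerated = True
        # Any string argument naming an analysis process counts as "interest",
        # whether it came from a string compare or from a snapshot entry.
        for value in call.get("args", {}).values():
            if isinstance(value, str) and value.lower() in ANALYSIS_PROCESSES:
                looked_for[value.lower()] += 1
    return {"enumerated": enumerated,
            "looked_for": dict(looked_for),
            "suspicious": enumerated and bool(looked_for)}


# Constructed sample logs: an evasive sequence and a benign one.
EVASIVE_CALLS = [
    {"api": "CreateToolhelp32Snapshot", "args": {"dwFlags": 2}},
    {"api": "Process32FirstW", "args": {"szExeFile": "explorer.exe"}},
    {"api": "Process32NextW", "args": {"szExeFile": "python.exe"}},
    {"api": "lstrcmpiW", "args": {"lpString1": "python.exe", "lpString2": "Python.exe"}},
    {"api": "ExitProcess", "args": {"uExitCode": 0}},
]
BENIGN_CALLS = [
    {"api": "CreateFileW", "args": {"lpFileName": "C:\\Users\\Public\\readme.txt"}},
    {"api": "lstrcmpiW", "args": {"lpString1": "python.exe", "lpString2": "notepad.exe"}},
]

if __name__ == "__main__":
    print(check_process_interest(EVASIVE_CALLS))  # suspicious: True
    print(check_process_interest(BENIGN_CALLS))   # suspicious: False
```

The benign log still mentions python.exe in a compare but never enumerates processes, so it is not flagged; requiring both signals is what keeps the false-positive rate down.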
Yeah, I'm working on that, although I'll be rewriting a fair bit from zer0m0n :-)
Nice. I have been using zer0m0n anyway, so I am looking forward to it being included by default. Will there also be a possibility for rootkit dynamic analysis (outside of Volatility, but in the behaviour logs) included from this integration and monitoring? These are good reads on the subject:
http://labs.lastline.com/high-resolution-dynamic-analysis-of-windows-kernel-rootkits
http://labs.lastline.com/unmasking-kernel-exploits
On 5 September 2016 at 14:41, Jurriaan Bremer notifications@github.com wrote:
Yeah, I'm working on that, although I'll be rewriting a fair bit from zer0m0n :-)
Can you please investigate how difficult it would be to port agent.py over to a native windows scripting language such as Powershell or vbScript?
Malware such as Furtim/SFG now attempts to look for running instances of Python as well as other sandbox artefacts. While we can patch out most of these artefacts, Cuckoo requires the Python-based agent to complete analysis.
It is my understanding that Microsoft is encouraging system administrators to move away from non-native (i.e. python/perl) scripting languages and use native (i.e. powershell/WMI/vbScript) scripting languages instead. In the near future, a python installation on a desktop environment may look out of place to a malware author.
It would be nice if the Cuckoo artefacts were as hard to detect as the malware we are attempting to analyse.
Further reading: https://sentinelone.com/blogs/sfg-furtims-parent/