rabbitstack / fibratus

Adversary tradecraft detection, protection, and hunting
https://www.fibratus.io

Fibratus doesn't log some of the registry operations #246

Closed subvert0r closed 5 months ago

subvert0r commented 8 months ago

Steps to reproduce:

1. Install Fibratus and execute Fibratus run (optionally capture output somewhere) (Windows 10 x64)
2. Download this LSASS dumper : https://github.com/tastypepperoni/PPLBlade/releases/download/v1.0/PPLBlade.exe
(Note: Defender detects PPLBlade.exe as malicious because of dumping lsass so execute it with caution inside a VM)
3. Run PPLBlade.exe --mode dothatlsassthing 

PPLBlade creates a service (and deletes it very quickly after loading the driver), which causes services.exe to set values related to service creation in HKLM\System\CurrentControlSet\Services\PPLBlade

When logging RegSetValues with Procmon, I can see that, for example, services.exe creates the ImagePath value under that registry path and does a RegSetValue to set its value, but Fibratus doesn't log this. Ran it many times, all failed.

Overall, it seems like Fibratus does miss a lot of RegSetValues. Could this be a limitation of ETW, which Fibratus is using to log registry writes? I have tweaked ETW kernel trace and user trace for registry operations before, and remember that sometimes it only provided a partial registry path in some registry events. Could this be the reason Fibratus is missing some registry operations altogether?

rabbitstack commented 8 months ago

Hi @subvert0r ,

Thanks for raising this issue. Under which circumstances do you observe lost events, i.e. rule context or when setting the filter with both event type and registry key name conditions?

I would be happy to jump in and triage this. ETW keeps a series of session buffers. Events may be lost if all buffers are full and the consumer can't keep up with the event rate. Also, mind that events may arrive with a certain amount of delay (30s or more).

I have already invested some time to improve the response speed. Starting from 2.2.0, system providers will be able to run in their own session as per https://github.com/rabbitstack/fibratus/pull/245. Initial testing is revealing one-second granularity alerts originated by runtime rules. For example, trying to dump LSASS memory triggers the respective rule immediately.
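One way to tell the two failure modes the maintainer names apart (buffers full and events dropped, versus events merely delayed or filtered) is to read the ETW session's own counters before and after reproducing the registry activity. The script below is an added example, not code from this issue or from the Fibratus project; it only shells out to the built-in `logman` tool. The session name is an assumption, since the thread does not state which session Fibratus opens; `logman query -ets` lists the sessions currently running.

```powershell
# Added example, not Fibratus project code. Samples an ETW session's buffer
# statistics twice, with a reproduction window in between, and reports whether
# any buffers were lost. Lost buffers mean the consumer could not keep up and
# events were dropped; zero lost buffers with missing events points at
# filtering or flush delay instead.
param(
    [string]$SessionName = "NT Kernel Logger",  # ASSUMED session name; adjust to the one Fibratus opens
    [int]$WaitSeconds = 60                       # reproduction window, longer than the flush delay mentioned above
)

function Get-EtwSessionStats {
    param([string]$Name)
    # `logman query <session> -ets` prints "Key: Value" lines for a live session,
    # including "Buffer Size", "Buffers Lost" and "Buffers Written".
    $lines = & logman query $Name -ets 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "Session '$Name' is not running or could not be queried: $lines"
    }
    $stats = @{}
    foreach ($line in $lines) {
        # Capture every numeric "Buffer..." counter so the comparison below is generic.
        if ($line -match '^\s*(Buffer[^:]*):\s+(\d+)\s*$') {
            $stats[$matches[1]] = [int]$matches[2]
        }
    }
    if (-not $stats.ContainsKey('Buffers Lost')) {
        throw "Could not find 'Buffers Lost' in logman output for '$Name'"
    }
    return $stats
}

$before = Get-EtwSessionStats -Name $SessionName
Write-Host "Reproduce the registry activity now; sampling again in $WaitSeconds s..."
Start-Sleep -Seconds $WaitSeconds
$after = Get-EtwSessionStats -Name $SessionName

$lost    = $after['Buffers Lost']    - $before['Buffers Lost']
$written = $after['Buffers Written'] - $before['Buffers Written']

Write-Host ("Buffer size: {0} KB, buffers written during window: {1}, buffers lost during window: {2}" -f
    $after['Buffer Size'], $written, $lost)

if ($lost -gt 0) {
    # Dropped events: the consumer fell behind. Remedies are a larger or more numerous
    # buffer set for the session, or narrowing the provider's event volume with a filter.
    Write-Warning "$lost buffer(s) lost: events were dropped at the ETW session level."
} else {
    # Nothing dropped: a missing event is more likely filtered out or not flushed yet,
    # so re-check the filter conditions and allow for the flush delay before concluding.
    Write-Host "No buffers lost; missing events are not explained by session overflow."
}
```

Run it from an elevated prompt, since querying a kernel-mode session requires administrator rights, and start the reproduction only after the first sample has been taken so the delta covers exactly the window in question.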

rabbitstack commented 7 months ago

Hey @subvert0r ,

Did you have a chance to follow up with this?