A Customizable Dropper Tool targeting Windows.
Disadv: If threads are resumed, all events that occurred during the suspension of Event Logger, get logged Again!
So, thought of killing them instead!
"It's more Invasive than suspension, but the decision is always up to the operator. Besides, killing threads get logged on the kernel level" - @SEKTOR7net
1.
Directly via VS compiler:
./compile.bat
PS C:> .\x64\Release\indirect.exe
[!] Wrong!
[->] Syntax: .\x64\Release\indirect.exe <PPID to spoof>
https://github.com/reveng007/DarkWidow/assets/61424547/62a90c5b-84af-4389-8ddc-9f7926debdcf
TIB:
GS and FS register:
PEB LDR structure:
BlackHat - What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection by @monnappa22
A pic of process Memory from the Above link:\
From labs.cognisys.group, a blog by @D1rkMtr
:\
TIB -> TEB -> PEB -> Resolve Nt API and API hashing
https://stackoverflow.com/questions/41277888/iterating-over-peb-dllname-shows-only-exe-name
https://doxygen.reactos.org/d7/d55/ldrapi_8c_source.html#l01124
labs.cognisys.group, a blog by @D1rkMtr
A pic of the snippet from the above link, which I used here to resolve API dynamically without HardCoding Offsets:\
The Api hashing code that I applied:
DWORD64 djb2(const char* str) { DWORD64 dwHash = 0x7734773477347734; int c;
while (c = *str++)
dwHash = ((dwHash << 0x5) + dwHash) + c;
return dwHash;
}
int main(int argc, char** argv)
{
if (argc < 2)
{
printf("[!] Wrong!\n");
printf("[->] Syntax: .\%s
const char* string = argv[1];
DWORD64 hashvalue = djb2(string);
printf("Hash Value: 0x%llX\n", hashvalue);
return 0;
}
5. ACG(Arbitrary Code Guard)/BlockDll mitigation policy:
- links:
- [Protecting Your Malware](https://blog.xpnsec.com/protecting-your-malware/) by [@_xpn_](https://twitter.com/_xpn_)
- [Wraith](https://github.com/reveng007/AQUARMOURY/blob/1923e65190875f7c61c76fb430d526e5deaa062a/Wraith/Src/Injector.h) by [@winterknife](https://twitter.com/_winterknife_)
- [spawn](https://github.com/boku7/spawn) and [HOLLOW](https://github.com/boku7/HOLLOW) by [@0xBoku](https://twitter.com/0xBoku)
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/4.png)
6. PPID Spoofing Detection:
- [PPID Spoofing Detect](https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing) by [@spotheplanet](https://twitter.com/spotheplanet)
- If got time, I will be adding a detection Portion to this portion! -> _[Remaining..............................................!]_
7. Moneta Detection and PESieve Detection:\
- **Moneta**:\
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/5.png)
- **PESieve**:\
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/6.png)
8. Capa Scan:\
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/7.png)
9. How Thread Stack Looks of the Implant Process:
| Implant Process | Legit Cmd process |
| ---------------- | ---------------- |
| ![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/8.png) | ![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/9.png) |
> **It follows that by executing the return instruction in the memory of the ntdll.dll in the indirect syscall POC, the return address can be successfully spoofed, the ntdll.dll can be placed at the top of the call stack and the EDR will interpret a higher legitimacy.** - [@VirtualAllocEx](https://twitter.com/VirtualAllocEx) from [DirectSyscall Vs Indirect Syscall](https://redops.at/blog/direct-syscalls-vs-indirect-syscalls)\
Also thanks to, [@peterwintrsmith](https://twitter.com/peterwintrsmith)!
10. Instrumentation CallBack Evasion: Used this [POC - syscall-detect](https://github.com/jackullrich/syscall-detect) by [winternl_t](https://twitter.com/winternl_t)
![image](https://github.com/reveng007/DarkWidow/assets/61424547/2869180b-a0fe-416a-95b3-c4b81565aa8f)
11. EventLogger Config, I used:
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/10.png)
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/11.jpg)
13. Setting SeDebugPrivilege:\
**From** Here:
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/11.png)
**To** Here:
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/12.png)
14. Killing Event Log Threads:
- [rto-win-evasion](https://institute.sektor7.net/rto-win-evasion) by [@SEKTOR7net](https://twitter.com/Sektor7Net)
- [Phant0m](https://github.com/hlldz/Phant0m) by [@hlldz](https://twitter.com/hlldz)
- [Goblin](https://github.com/reveng007/AQUARMOURY/blob/master/Goblin/Src/EventLog.h) by [@winterknife](https://twitter.com/_winterknife_)
- [disabling-windows-event-logs-by-suspending-eventlog-service-threads](https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads) by [@spotheplanet](https://twitter.com/spotheplanet)\
**From** here:\
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/13.png)\
**To** here:\
![alt text](https://github.com/reveng007/DarkWidow/blob/main/img/14.png)
- **This Method, Ended up causing errors in indirect syscall implementation. So, I ended up killing all those threads present within responsible svchost.exe** (reason: [Go up](https://github.com/reveng007/DarkWidow/edit/main/README.md#bonus-if-blessed-with-admin-privilege-)).
### Sophos XDR Event Loging Scenario:
1. Case 1: When Darkwidow executed under normal privilege
![image](https://github.com/reveng007/DarkWidow/assets/61424547/4a2c3dde-7eac-4828-a0be-90f7427c1d65)
> No Critical Alerts gets created except One Low Severity Log!
2. Case 2: When Darkwidow executed under Admin privilege
![image](https://github.com/reveng007/DarkWidow/assets/61424547/4e6c84b6-0cb2-47d2-b74a-1b01b9126299)
> One Low Severity Log => APC Injection (Like Before)
![image](https://github.com/reveng007/DarkWidow/assets/61424547/89924920-3766-4395-a186-6705cf7e84d3)
> Another one which is a Medium Severity Log occured for setting `SeDebugPrivilege`.
![image](https://github.com/reveng007/DarkWidow/assets/61424547/7a36d21e-559c-40c5-985b-cdd22eda204e)
# DarkWidow V2:
#### To get around this Event Logging Detection, I added the concept of `Synthetic Frame Thread Stack Spoofing` into it.
This is how stack looks after applying synthetic frame thread stack spoofing.
![image](https://github.com/reveng007/DarkWidow/assets/61424547/9d978a9d-ee01-4379-9bc6-87caa37e5255)
> This is the NT api Thread Stack
![image](https://github.com/reveng007/DarkWidow/assets/61424547/b9c24f7e-abfb-4f5e-89b5-35225d49d53d)
> This is the shellcode (btw, this is not custom made, this is Havoc Shellcode :)) thread stack.
For shellcode development, I have used havoc and this below configuration:
![image](https://github.com/reveng007/DarkWidow/assets/61424547/f17ae8ba-205e-41fa-b144-b81305fe29eb)
### NOTE:
Newly Created Thread Start Address Spoofing was not really required in this project cause within APC Injection technique, APC hijacks the execution of an already and legit running thread. Thanks to [@C5pider](https://twitter.com/C5pider)!
### Demo Execution Pic:
![1708744707672](https://github.com/reveng007/DarkWidow/assets/61424547/0ab56b7c-9365-4837-95e4-f172cbab8e61)
### Demo Video against Sophos XDR:
[![Demo Video Youtube Link](https://img.youtube.com/vi/HqtXD3CJg9k/0.jpg)](https://www.youtube.com/watch?v=HqtXD3CJg9k)
Now Status On Event Logs ?
![image](https://github.com/reveng007/DarkWidow/assets/61424547/375e8d6d-ac45-4959-bfb9-bc0fdc71f0ed)
> No logs got generated.
> I also have removed the Event Logger Killing part from the DarkWidow V2, which decreases down the Event generation too!
### My BlackHat Arsenal Demo Video can be found in here:
[![Demo Video Youtube Link](https://img.youtube.com/vi/1mserrlZHEE/0.jpg)](https://www.youtube.com/watch?v=1mserrlZHEE)
### Future Updates to this:
1. Porting this version to C++ Clang Compiler, which would help us to perform LLVM obfuscation.
2. Upgrading to NtCreateUserProcess() to perform indirect syscall and stack spoofing.
3. Applying Manual Load Library capability for bypassing Image Load Kernel Callbacks.
4. Applying Module Stomping capability.
5. Encrypted shellcode Injection to avoid Kernel triggered memory scans ([Caro-Kann](https://github.com/S3cur3Th1sSh1t/Caro-Kann)).
### Major Thanks for helping me out (Directly/indirectly (pun NOT intended :))):
1. [@SEKTOR7net](https://twitter.com/Sektor7Net)
2. [@peterwintrsmith](https://twitter.com/peterwintrsmith)
3. [@Jean_Maes_1994](https://twitter.com/Jean_Maes_1994)
4. [@D1rkMtr](https://twitter.com/D1rkMtr)
5. [@spotheplanet](https://twitter.com/spotheplanet)
6. [@0xBoku](https://twitter.com/0xBoku)
7. [@Sh0ckFR](https://twitter.com/Sh0ckFR)
8. [@winterknife](https://twitter.com/_winterknife_)
9. [@monnappa22](https://twitter.com/monnappa22)
10. [@_xpn_](https://twitter.com/_xpn_)
11. [@hlldz](https://twitter.com/hlldz)
12. [@d_tranman](https://twitter.com/d_tranman)
13. [@SoumyadeepBas12](https://twitter.com/SoumyadeepBas12)
14. [@jack_halon](https://twitter.com/jack_halon)
15. [@KlezVirus](https://twitter.com/KlezVirus)
16. [@C5pider](https://twitter.com/C5pider)
I hope I didn't miss someone!
### This project is a part of my journey to learn about EDR World! => [Learning-EDR-and-EDR_Evasion](https://github.com/reveng007/Learning-EDR-and-EDR_Evasion)