tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

Thread Creation category #10

Open jdu2600 opened 1 year ago

jdu2600 commented 1 year ago

Description

Thread Creation events (ideally via a PsSetCreateThreadNotifyRoutine callback) are a useful telemetry source.

References - https://bruteratel.com/release/2022/11/17/Release-Resurgence/ "Several changes were also made to how a local thread was created following some detections from Elastic EDR, as unlike any other EDR, Elastic also monitors local threads."

Type of change

tsale commented 1 year ago

Thanks @jdu2600, could you please provide some examples from the Elastic EDR events?

jdu2600 commented 1 year ago

CreateThread = event.code: shellcode_thread and Memory_protection.self_injection:true
StartAddress = Target.process.thread.Ext.start_address
Parameter = Target.process.thread.Ext.parameter
ThreadId = Target.process.thread.id

Here's a sample event -

{
    "@timestamp": "2023-04-21T08:20:56.0268971Z",
    "Memory_protection": {
        "cross_session": false,
        "feature": "shellcode_thread",
        "parent_to_child": false,
        "self_injection": true,
        "unique_key_v1": "7651b354339974912df0bd3ed916113ca5af76c1005178da137202f1dee79bdf"
    },
    "Target": {
        "process": {
            "Ext": {
                "memory_region": {
                    "allocation_base": 12517376,
                    "allocation_protection": "RW-",
                    "allocation_size": 4194304,
                    "allocation_type": "PRIVATE",
                    "bytes_address": 12517376,
                    "bytes_allocation_offset": 0,
                    "memory_pe_detected": false,
                    "region_base": 15663104,
                    "region_protection": "R-X",
                    "region_size": 1048576,
                    "region_state": "COMMIT",
                    "strings": [
                        "This is a wchar string.",
                        "This is a char string."
                    ]
                },
                "protection": "",
                "token": {
                    "domain": "WINDOWS-DEV",
                    "elevation": true,
                    "elevation_type": "full",
                    "integrity_level_name": "high",
                    "sid": "S-1-5-21-808390715-165647297-874774755-1001",
                    "user": "johnu"
                },
                "user": "johnu"
            },
            "thread": {
                "Ext": {
                    "call_stack": [
                        {
                            "instruction_pointer": 1999130752,
                            "memory_section": {
                                "memory_address": 1998655488,
                                "memory_size": 1187840,
                                "protection": "R-X"
                            },
                            "module_name": "ntdll.dll",
                            "module_path": "c:\\windows\\syswow64\\ntdll.dll",
                            "symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlUserThreadStart+0x0"
                        }
                    ],
                    "call_stack_summary": "ntdll.dll",
                    "parameter": 9605120,
                    "start_address": 15663104,
                    "start_address_allocation_offset": 3145728,
                    "start_address_bytes": "6a2a58c20400b8e0a19200c3558becff7514ff7510ff750cff7508e8e6ffffff",
                    "start_address_bytes_disasm": "push 0x2a\npop eax\nret 0x04\nmov eax, 0x92a1e0\nret\npush ebp\nmov ebp, esp\npush dword ptr [ebp+0x14]\npush dword ptr [ebp+0x10]\npush dword ptr [ebp+0x0c]\npush dword ptr [ebp+0x08]\ncall 0x00000006",
                    "start_address_bytes_disasm_hash": "b4ec8d454b20dfdaa22e9dd789d0e3fef62cc87cb01b88adca4cf776d7e34b55",
                    "start_address_module": "Unbacked"
                },
                "id": 12612
            },
            "uptime": 1
        }
    },
    "agent": {
        "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "type": "endpoint",
        "version": "8.7.0"
    },
    "data_stream": {
        "dataset": "endpoint.alerts",
        "namespace": "default",
        "type": "logs"
    },
    "ecs": {
        "version": "1.11.0"
    },
    "elastic": {
        "agent": {
            "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
        }
    },
    "event": {
        "action": "start",
        "category": [
            "malware",
            "intrusion_detection"
        ],
        "code": "shellcode_thread",
        "created": "2023-04-21T08:20:56.0268971Z",
        "dataset": "endpoint.alerts",
        "id": "N274zo+Le+XQr7SX++++++RF",
        "kind": "alert",
        "module": "endpoint",
        "outcome": "success",
        "risk_score": 99,
        "sequence": 1621,
        "severity": 99,
        "type": [
            "info",
            "denied"
        ]
    },
    "host": {
        "architecture": "x86_64",
        "hostname": "WINDOWS-DEV",
        "id": "dabadaba-0000-0000-0000-000000000000",
        "ip": [
            "127.0.0.1"
        ],
        "mac": [
            "aa:bb:cc:dd:ee:ff"
        ],
        "name": "WINDOWS-DEV",
        "os": {
            "Ext": {
                "variant": "Windows 10 Pro"
            },
            "family": "windows",
            "full": "Windows 10 Pro 21H2 (10.0.19044.2846)",
            "kernel": "21H2 (10.0.19044.2846)",
            "name": "Windows",
            "platform": "windows",
            "type": "windows",
            "version": "21H2 (10.0.19044.2846)"
        }
    },
    "message": "Memory Threat Prevention Alert: Shellcode Injection",
    "process": {
        "Ext": {
            "ancestry": [
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEzNzg4LTE2ODIwNjUxMTIuMjY5MjkzNzAw",
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEwMjEyLTE2ODIwNjUxMTIuMjUxMjA3MDAw",
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTYyMTItMTY4MTcwODk1MC40MDg2NDk2MDA=",
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTMyNDAtMTY4MTI5MzM5Ny4xNjAzODQ3MDA="
            ],
            "architecture": "x86",
            "code_signature": [
                {
                    "exists": false
                }
            ],
            "dll": [
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": false
                            }
                        ],
                        "mapped_address": 9502720,
                        "mapped_size": 122880
                    },
                    "code_signature": {
                        "exists": false
                    },
                    "hash": {
                        "md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
                        "sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
                        "sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
                    },
                    "name": "test_shellcode_thread.exe",
                    "path": "C:\\test_shellcode_thread.exe"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 140715743051776,
                        "mapped_size": 2064384
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "821267661ab8ad7c9ad1d3d44debab08",
                        "sha1": "959735a57905cb6037af73cb29a4cf99fb5f95fe",
                        "sha256": "fdb2689bffabe7d2e300882ca1c3fc2fe24a998ffcbd5f48795c7d95712d1e98"
                    },
                    "name": "ntdll.dll",
                    "path": "C:\\Windows\\SYSTEM32\\ntdll.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 140715731648512,
                        "mapped_size": 364544
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "1e7b3d6ac48b07fb48cc0338c2f5681c",
                        "sha1": "67af32b8b2ed35f54efbd122ed864d79986c331f",
                        "sha256": "ffacd54cbb38ccdbc25804a2533fa3771f384a0fd8e5469efad4dfaa1ce923b1"
                    },
                    "name": "wow64.dll",
                    "path": "C:\\Windows\\System32\\wow64.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 140715714084864,
                        "mapped_size": 536576
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "28a6f8bc61c5a72df6343faaf2b1b056",
                        "sha1": "13ef8ccac99ef9560acd7061b24fd39da0faf891",
                        "sha256": "2fac8cc3653c2e9747864417c65ea02745f5653c3608fc115ad756199ab22bc0"
                    },
                    "name": "wow64win.dll",
                    "path": "C:\\Windows\\System32\\wow64win.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 1998585856,
                        "mapped_size": 40960
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "5184b7fd218777571abcb3e0319f48c6",
                        "sha1": "4874200ab74ef5a4a583f1fd70f5ae866d3b8b63",
                        "sha256": "730ac79cc90b35ea9153eae399313f10fc55b6debed7e93d429fbc9d7de5ef19"
                    },
                    "name": "wow64cpu.dll",
                    "path": "C:\\Windows\\System32\\wow64cpu.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": false
                            }
                        ],
                        "mapped_address": 9502720,
                        "mapped_size": 122880
                    },
                    "code_signature": {
                        "exists": false
                    },
                    "hash": {
                        "md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
                        "sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
                        "sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
                    },
                    "name": "test_shellcode_thread.exe",
                    "path": "C:\\test_shellcode_thread.exe"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 1998651392,
                        "mapped_size": 1720320
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "ba505d57c0fb729d0df912a8c443adb5",
                        "sha1": "c61f28dd2aa388e19feef2e81d391a76229b8c44",
                        "sha256": "d43f5ed957292bb8a6a69f1c4fff812976f70852872d85ae9820a762343c5f46"
                    },
                    "name": "ntdll.dll",
                    "path": "C:\\Windows\\SysWOW64\\ntdll.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 1976434688,
                        "mapped_size": 983040
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "c5f4b80bd0423a8949db62bfca3ed178",
                        "sha1": "e86c6b7507939f90d263e0ea05ac3c36845fc3a4",
                        "sha256": "2ba6ca6f0c5ce8423bd5d10cc6a99af16c7d4ee6a93201f7101d9d82e6452d30"
                    },
                    "name": "KERNEL32.DLL",
                    "path": "C:\\Windows\\SysWOW64\\KERNEL32.DLL"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 1965948928,
                        "mapped_size": 2240512
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "b6b506c8a7e32c075a713f61bf832676",
                        "sha1": "87554d0323c40accc5ade2896535264b341766d9",
                        "sha256": "1e5fc12aa6644812f07a71df322bf9b7779deb7ce4e01db45f71cb87b2053d25"
                    },
                    "name": "KERNELBASE.dll",
                    "path": "C:\\Windows\\SysWOW64\\KERNELBASE.dll"
                }
            ],
            "protection": "",
            "token": {
                "domain": "WINDOWS-DEV",
                "elevation": true,
                "elevation_type": "full",
                "integrity_level_name": "high",
                "sid": "S-1-5-21-808390715-165647297-874774755-1001",
                "user": "johnu"
            },
            "user": "johnu"
        },
        "args": [
            "C:\\test_shellcode_thread.exe"
        ],
        "args_count": 1,
        "code_signature": {
            "exists": false
        },
        "command_line": "C:\\test_shellcode_thread.exe",
        "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTE5MTE2LTE2ODIwNjUyNTUuOTk4MTAyMjAw",
        "executable": "C:\\test_shellcode_thread.exe",
        "hash": {
            "md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
            "sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
            "sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
        },
        "name": "test_shellcode_thread.exe",
        "parent": {
            "Ext": {
                "architecture": "x86_64",
                "code_signature": [
                    {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Python Software Foundation",
                        "trusted": true
                    }
                ],
                "protection": "",
                "user": "johnu"
            },
            "args": [
                "C:\\Program Files\\Python39\\python.exe"
            ],
            "args_count": 6,
            "code_signature": {
                "exists": true,
                "status": "trusted",
                "subject_name": "Python Software Foundation",
                "trusted": true
            },
            "command_line": "\"C:\\Program Files\\Python39\\python.exe\"",
            "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEzNzg4LTE2ODIwNjUxMTIuMjY5MjkzNzAw",
            "executable": "C:\\Program Files\\Python39\\python.exe",
            "hash": {
                "md5": "3412d601e0fab94e2360f57e62f7cbba",
                "sha1": "ddfd60ea7fad94ab091c5baf4b0085ea5ce38e35",
                "sha256": "bbb3b40c1eb203be1068e882708f1353c2b41ec166746db01375885cb25ff7c1"
            },
            "name": "python.exe",
            "pid": 13788,
            "ppid": 10212,
            "start": "2023-04-21T08:18:32.2692937Z",
            "uptime": 144
        },
        "pe": {},
        "pid": 19116,
        "ppid": 13788,
        "start": "2023-04-21T08:20:55.9981022Z",
        "thread": {
            "Ext": {
                "call_stack": [
                    {
                        "instruction_pointer": 1999121116,
                        "memory_section": {
                            "memory_address": 1998655488,
                            "memory_size": 1187840,
                            "protection": "R-X"
                        },
                        "module_name": "ntdll.dll",
                        "module_path": "c:\\windows\\syswow64\\ntdll.dll",
                        "symbol_info": "c:\\windows\\syswow64\\ntdll.dll!NtWaitForSingleObject+0xc"
                    },
                    {
                        "instruction_pointer": 1967080857,
                        "memory_section": {
                            "memory_address": 1967079424,
                            "memory_size": 860160,
                            "protection": "R-X"
                        },
                        "module_name": "kernelbase.dll",
                        "module_path": "c:\\windows\\syswow64\\kernelbase.dll",
                        "symbol_info": "c:\\windows\\syswow64\\kernelbase.dll!WaitForSingleObjectEx+0x99"
                    },
                    {
                        "instruction_pointer": 1967080690,
                        "memory_section": {
                            "memory_address": 1965953024,
                            "memory_size": 1986560,
                            "protection": "R-X"
                        },
                        "module_name": "kernelbase.dll",
                        "module_path": "c:\\windows\\syswow64\\kernelbase.dll",
                        "symbol_info": "c:\\windows\\syswow64\\kernelbase.dll!WaitForSingleObject+0x12"
                    },
                    {
                        "instruction_pointer": 9507414,
                        "memory_section": {
                            "memory_address": 9506816,
                            "memory_size": 69632,
                            "protection": "R-X"
                        },
                        "module_name": "test_shellcode_thread.exe",
                        "module_path": "C:\\test_shellcode_thread.exe",
                        "symbol_info": "C:\\test_shellcode_thread.exe!0x911256"
                    },
                    {
                        "instruction_pointer": 9508208,
                        "memory_section": {
                            "memory_address": 9506816,
                            "memory_size": 69632,
                            "protection": "R-X"
                        },
                        "module_name": "test_shellcode_thread.exe",
                        "module_path": "C:\\test_shellcode_thread.exe",
                        "symbol_info": "C:\\test_shellcode_thread.exe!0x911570"
                    },
                    {
                        "instruction_pointer": 9508718,
                        "memory_section": {
                            "memory_address": 9506816,
                            "memory_size": 69632,
                            "protection": "R-X"
                        },
                        "module_name": "test_shellcode_thread.exe",
                        "module_path": "C:\\test_shellcode_thread.exe",
                        "symbol_info": "C:\\test_shellcode_thread.exe!0x91176E"
                    },
                    {
                        "instruction_pointer": 1976565913,
                        "memory_section": {
                            "memory_address": 1976500224,
                            "memory_size": 417792,
                            "protection": "R-X"
                        },
                        "module_name": "kernel32.dll",
                        "module_path": "c:\\windows\\syswow64\\kernel32.dll",
                        "symbol_info": "c:\\windows\\syswow64\\kernel32.dll!BaseThreadInitThunk+0x19"
                    },
                    {
                        "instruction_pointer": 1999076206,
                        "memory_section": {
                            "memory_address": 1998655488,
                            "memory_size": 1187840,
                            "protection": "R-X"
                        },
                        "module_name": "ntdll.dll",
                        "module_path": "c:\\windows\\syswow64\\ntdll.dll",
                        "symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0x11e"
                    },
                    {
                        "instruction_pointer": 1999076158,
                        "memory_section": {
                            "memory_address": 1998655488,
                            "memory_size": 1187840,
                            "protection": "R-X"
                        },
                        "module_name": "ntdll.dll",
                        "module_path": "c:\\windows\\syswow64\\ntdll.dll",
                        "symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0xee"
                    }
                ],
                "call_stack_final_user_module": {
                    "code_signature": [
                        {
                            "exists": false
                        }
                    ],
                    "hash": {
                        "sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
                    },
                    "name": "test_shellcode_thread.exe",
                    "path": "C:\\test_shellcode_thread.exe"
                },
                "call_stack_summary": "ntdll.dll, kernelbase.dll, test_shellcode_thread.exe, kernel32.dll, ntdll.dll",
                "start_address": 9508836,
                "start_address_module": "C:\\test_shellcode_thread.exe"
            },
            "id": 22716
        },
        "uptime": 1
    },
    "rule": {
        "ruleset": "production"
    },
    "user": {
        "domain": "WINDOWS-DEV",
        "name": "johnu"
    }
}

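
The field mapping above, worked through as an added example (not code from the EDR-Telemetry project or from Elastic): a small normaliser that selects Elastic Endpoint alerts the way the CreateThread mapping does and projects them onto StartAddress, Parameter and ThreadId. The event list is constructed (the first entry is abridged from the sample event above; the other two are invented), and the `thread_creation_scope`/`normalise` helper names and the reading of `self_injection:false` as a different target process are assumptions.

```python
"""Map Elastic Endpoint 'shellcode_thread' alerts onto the Thread Creation fields
listed above (StartAddress, Parameter, ThreadId) and tell local from non-local cases.
Added example; not code from the EDR-Telemetry project or from Elastic."""
import json

# Constructed events. The first is abridged from the sample event in the issue; the
# second (self_injection false) and third (a different event.code) are invented to
# exercise the non-matching branches and do not appear in the issue.
EVENTS = json.loads(r'''[
 {"event": {"code": "shellcode_thread", "action": "start"},
  "Memory_protection": {"feature": "shellcode_thread", "self_injection": true},
  "process": {"pid": 19116, "executable": "C:\\test_shellcode_thread.exe"},
  "Target": {"process": {"thread": {"id": 12612, "Ext": {"start_address": 15663104,
    "parameter": 9605120, "start_address_module": "Unbacked",
    "call_stack_summary": "ntdll.dll"}}}}},
 {"event": {"code": "shellcode_thread", "action": "start"},
  "Memory_protection": {"feature": "shellcode_thread", "self_injection": false},
  "process": {"pid": 4242, "executable": "C:\\constructed_source.exe"},
  "Target": {"process": {"pid": 5151, "thread": {"id": 7, "Ext": {"start_address": 4096,
    "parameter": 0, "start_address_module": "Unbacked"}}}}},
 {"event": {"code": "constructed_other_code", "action": "start"},
  "Memory_protection": {"feature": "constructed", "self_injection": true},
  "process": {"pid": 19116}}
]''')


def _get(obj, path, default=None):
    """Walk a dotted ECS-style path ('Target.process.thread.id') through nested dicts."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


# Left: the generic thread-creation fields from the comment above.
# Right: the Elastic fields they were mapped to in that comment.
FIELD_MAP = {
    "StartAddress": "Target.process.thread.Ext.start_address",
    "Parameter": "Target.process.thread.Ext.parameter",
    "ThreadId": "Target.process.thread.id",
}


def thread_creation_scope(event):
    """'local' for a CreateThread-style alert per the mapping above (event.code
    shellcode_thread AND self_injection true); 'remote' when the same alert type has
    self_injection false (assumption: the creator and target process then differ);
    None for any other event.code."""
    if _get(event, "event.code") != "shellcode_thread":
        return None
    return "local" if _get(event, "Memory_protection.self_injection") is True else "remote"


def normalise(event):
    """Project one alert onto the generic fields; None when it is not a thread-creation alert."""
    scope = thread_creation_scope(event)
    if scope is None:
        return None
    rec = {name: _get(event, path) for name, path in FIELD_MAP.items()}
    rec["Scope"] = scope
    rec["SourcePid"] = _get(event, "process.pid")
    rec["SourceImage"] = _get(event, "process.executable")
    module = _get(event, "Target.process.thread.Ext.start_address_module")
    # Elastic reports "Unbacked" when the start address lies outside every loaded module.
    rec["StartModule"] = module
    rec["Unbacked"] = module == "Unbacked"
    return rec


def normalise_all(events):
    """Normalise a batch, dropping events that are not thread-creation alerts."""
    return [r for r in (normalise(e) for e in events) if r is not None]


if __name__ == "__main__":
    for rec in normalise_all(EVENTS):
        print(f"{rec['Scope']:6} pid={rec['SourcePid']} tid={rec['ThreadId']} "
              f"start=0x{rec['StartAddress']:x} param=0x{rec['Parameter']:x} "
              f"module={rec['StartModule']}")
```
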
tsale commented 1 year ago

Thanks for that @jdu2600. I did have a look and I can confirm that, unlike what the article suggests, other EDRs are also monitoring for this activity. Although it would be good practice to track all the different variations of thread activity, this can get out of hand very quickly. We are planning to include one more level to the current sub-categories. We could change "Remote Thread Creation" to "Thread Activities" and include all variations. But that is just too much for this stage of the project. We can re-evaluate this then.

Thanks again for submitting the information and contributing to this project, appreciate it!

jdu2600 commented 1 year ago

Noted.

Though perhaps the current category should be updated to Thread Creation now? Sysmon would then have an 🟧 and each other vendor could be updated as appropriate?

tsale commented 1 year ago

Thanks for understanding. I re-opened this PR to consider the change for the sub-category name from "Remote Thread Creation" to "Thread Creation".

@jdu2600 - Could you please provide a justification as to why you would like Sysmon to have a "Partially Implemented" mark instead of an "Implemented"? This justification would have to make its way to the official notes for the main table.

@inodee - Any objections here for this change to the sub-category? Makes sense?

jdu2600 commented 1 year ago

The Sysmon documentation indicates that its Event ID 8 is Remote Thread Creation only - not Thread Creation more generally.

tsale commented 1 year ago

Good enough for me. For the record, the difference is explained here:

Thread creation refers to the process of creating a new thread within the same application or process. Remote thread creation, on the other hand, involves creating a new thread within a different process.

@jdu2600, could you please edit your proposed changes by only renaming the Sub-Category field to "Thread Creation" and change only the Sysmon value from "Yes" to "Partially"? Thanks!

jdu2600 commented 1 year ago

Done.

Are we confident that Crowdstrike/LimaCharlie/MDE/S1/WatchGuard all monitor local thread creations?

tsale commented 1 year ago

Thanks. No, we will need to validate; I would not commit just yet. I would also like a second approver for this (@inodee).

@jdu2600 - Can you propose a testing method for this?

jdu2600 commented 1 year ago

The simplest test would be to see if telemetry is generated for a local unbacked thread.

C++ snippet -

#include <windows.h>
#include <cstring>

int main() {
    const unsigned char shellcode[] = { // return(42)
        0xb8, 0x2a, 0x00, 0x00, 0x00,   // mov eax, 42
        0xc3                            // ret
    };
    // Unbacked RWX allocation: the thread's start address lies outside any loaded module.
    LPVOID pRWX = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!pRWX) return 1;
    memcpy(pRWX, shellcode, sizeof(shellcode));
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)pRWX, NULL, 0, NULL);
    if (hThread) WaitForSingleObject(hThread, INFINITE); // let the local thread run to completion
    return 0;
}

inodee commented 1 year ago

It seems like we indeed need a dedicated cat for "Thread Activities"! Thanks @jdu2600 for your contribs! Yes, we need to validate/adjust the others.