Open jdu2600 opened 1 year ago
Thanks @jdu2600, could you please provide some examples from the Elastic EDR events?
CreateThread = event.code: shellcode_thread and Memory_protection.self_injection:true
StartAddress = Target.process.thread.Ext.start_address
Parameter = Target.process.thread.Ext.parameter
ThreadId = Target.process.thread.id
Here's a sample event -
{
"@timestamp": "2023-04-21T08:20:56.0268971Z",
"Memory_protection": {
"cross_session": false,
"feature": "shellcode_thread",
"parent_to_child": false,
"self_injection": true,
"unique_key_v1": "7651b354339974912df0bd3ed916113ca5af76c1005178da137202f1dee79bdf"
},
"Target": {
"process": {
"Ext": {
"memory_region": {
"allocation_base": 12517376,
"allocation_protection": "RW-",
"allocation_size": 4194304,
"allocation_type": "PRIVATE",
"bytes_address": 12517376,
"bytes_allocation_offset": 0,
"memory_pe_detected": false,
"region_base": 15663104,
"region_protection": "R-X",
"region_size": 1048576,
"region_state": "COMMIT",
"strings": [
"This is a wchar string.",
"This is a char string."
]
},
"protection": "",
"token": {
"domain": "WINDOWS-DEV",
"elevation": true,
"elevation_type": "full",
"integrity_level_name": "high",
"sid": "S-1-5-21-808390715-165647297-874774755-1001",
"user": "johnu"
},
"user": "johnu"
},
"thread": {
"Ext": {
"call_stack": [
{
"instruction_pointer": 1999130752,
"memory_section": {
"memory_address": 1998655488,
"memory_size": 1187840,
"protection": "R-X"
},
"module_name": "ntdll.dll",
"module_path": "c:\\windows\\syswow64\\ntdll.dll",
"symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlUserThreadStart+0x0"
}
],
"call_stack_summary": "ntdll.dll",
"parameter": 9605120,
"start_address": 15663104,
"start_address_allocation_offset": 3145728,
"start_address_bytes": "6a2a58c20400b8e0a19200c3558becff7514ff7510ff750cff7508e8e6ffffff",
"start_address_bytes_disasm": "push 0x2a\npop eax\nret 0x04\nmov eax, 0x92a1e0\nret\npush ebp\nmov ebp, esp\npush dword ptr [ebp+0x14]\npush dword ptr [ebp+0x10]\npush dword ptr [ebp+0x0c]\npush dword ptr [ebp+0x08]\ncall 0x00000006",
"start_address_bytes_disasm_hash": "b4ec8d454b20dfdaa22e9dd789d0e3fef62cc87cb01b88adca4cf776d7e34b55",
"start_address_module": "Unbacked"
},
"id": 12612
},
"uptime": 1
}
},
"agent": {
"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
"type": "endpoint",
"version": "8.7.0"
},
"data_stream": {
"dataset": "endpoint.alerts",
"namespace": "default",
"type": "logs"
},
"ecs": {
"version": "1.11.0"
},
"elastic": {
"agent": {
"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
}
},
"event": {
"action": "start",
"category": [
"malware",
"intrusion_detection"
],
"code": "shellcode_thread",
"created": "2023-04-21T08:20:56.0268971Z",
"dataset": "endpoint.alerts",
"id": "N274zo+Le+XQr7SX++++++RF",
"kind": "alert",
"module": "endpoint",
"outcome": "success",
"risk_score": 99,
"sequence": 1621,
"severity": 99,
"type": [
"info",
"denied"
]
},
"host": {
"architecture": "x86_64",
"hostname": "WINDOWS-DEV",
"id": "dabadaba-0000-0000-0000-000000000000",
"ip": [
"127.0.0.1"
],
"mac": [
"aa:bb:cc:dd:ee:ff"
],
"name": "WINDOWS-DEV",
"os": {
"Ext": {
"variant": "Windows 10 Pro"
},
"family": "windows",
"full": "Windows 10 Pro 21H2 (10.0.19044.2846)",
"kernel": "21H2 (10.0.19044.2846)",
"name": "Windows",
"platform": "windows",
"type": "windows",
"version": "21H2 (10.0.19044.2846)"
}
},
"message": "Memory Threat Prevention Alert: Shellcode Injection",
"process": {
"Ext": {
"ancestry": [
"YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEzNzg4LTE2ODIwNjUxMTIuMjY5MjkzNzAw",
"YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEwMjEyLTE2ODIwNjUxMTIuMjUxMjA3MDAw",
"YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTYyMTItMTY4MTcwODk1MC40MDg2NDk2MDA=",
"YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTMyNDAtMTY4MTI5MzM5Ny4xNjAzODQ3MDA="
],
"architecture": "x86",
"code_signature": [
{
"exists": false
}
],
"dll": [
{
"Ext": {
"code_signature": [
{
"exists": false
}
],
"mapped_address": 9502720,
"mapped_size": 122880
},
"code_signature": {
"exists": false
},
"hash": {
"md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
"sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
"sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
},
"name": "test_shellcode_thread.exe",
"path": "C:\\test_shellcode_thread.exe"
},
{
"Ext": {
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
"mapped_address": 140715743051776,
"mapped_size": 2064384
},
"code_signature": {
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
},
"hash": {
"md5": "821267661ab8ad7c9ad1d3d44debab08",
"sha1": "959735a57905cb6037af73cb29a4cf99fb5f95fe",
"sha256": "fdb2689bffabe7d2e300882ca1c3fc2fe24a998ffcbd5f48795c7d95712d1e98"
},
"name": "ntdll.dll",
"path": "C:\\Windows\\SYSTEM32\\ntdll.dll"
},
{
"Ext": {
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
"mapped_address": 140715731648512,
"mapped_size": 364544
},
"code_signature": {
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
},
"hash": {
"md5": "1e7b3d6ac48b07fb48cc0338c2f5681c",
"sha1": "67af32b8b2ed35f54efbd122ed864d79986c331f",
"sha256": "ffacd54cbb38ccdbc25804a2533fa3771f384a0fd8e5469efad4dfaa1ce923b1"
},
"name": "wow64.dll",
"path": "C:\\Windows\\System32\\wow64.dll"
},
{
"Ext": {
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
"mapped_address": 140715714084864,
"mapped_size": 536576
},
"code_signature": {
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
},
"hash": {
"md5": "28a6f8bc61c5a72df6343faaf2b1b056",
"sha1": "13ef8ccac99ef9560acd7061b24fd39da0faf891",
"sha256": "2fac8cc3653c2e9747864417c65ea02745f5653c3608fc115ad756199ab22bc0"
},
"name": "wow64win.dll",
"path": "C:\\Windows\\System32\\wow64win.dll"
},
{
"Ext": {
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
"mapped_address": 1998585856,
"mapped_size": 40960
},
"code_signature": {
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
},
"hash": {
"md5": "5184b7fd218777571abcb3e0319f48c6",
"sha1": "4874200ab74ef5a4a583f1fd70f5ae866d3b8b63",
"sha256": "730ac79cc90b35ea9153eae399313f10fc55b6debed7e93d429fbc9d7de5ef19"
},
"name": "wow64cpu.dll",
"path": "C:\\Windows\\System32\\wow64cpu.dll"
},
{
"Ext": {
"code_signature": [
{
"exists": false
}
],
"mapped_address": 9502720,
"mapped_size": 122880
},
"code_signature": {
"exists": false
},
"hash": {
"md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
"sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
"sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
},
"name": "test_shellcode_thread.exe",
"path": "C:\\test_shellcode_thread.exe"
},
{
"Ext": {
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
"mapped_address": 1998651392,
"mapped_size": 1720320
},
"code_signature": {
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
},
"hash": {
"md5": "ba505d57c0fb729d0df912a8c443adb5",
"sha1": "c61f28dd2aa388e19feef2e81d391a76229b8c44",
"sha256": "d43f5ed957292bb8a6a69f1c4fff812976f70852872d85ae9820a762343c5f46"
},
"name": "ntdll.dll",
"path": "C:\\Windows\\SysWOW64\\ntdll.dll"
},
{
"Ext": {
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
"mapped_address": 1976434688,
"mapped_size": 983040
},
"code_signature": {
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
},
"hash": {
"md5": "c5f4b80bd0423a8949db62bfca3ed178",
"sha1": "e86c6b7507939f90d263e0ea05ac3c36845fc3a4",
"sha256": "2ba6ca6f0c5ce8423bd5d10cc6a99af16c7d4ee6a93201f7101d9d82e6452d30"
},
"name": "KERNEL32.DLL",
"path": "C:\\Windows\\SysWOW64\\KERNEL32.DLL"
},
{
"Ext": {
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
"mapped_address": 1965948928,
"mapped_size": 2240512
},
"code_signature": {
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
},
"hash": {
"md5": "b6b506c8a7e32c075a713f61bf832676",
"sha1": "87554d0323c40accc5ade2896535264b341766d9",
"sha256": "1e5fc12aa6644812f07a71df322bf9b7779deb7ce4e01db45f71cb87b2053d25"
},
"name": "KERNELBASE.dll",
"path": "C:\\Windows\\SysWOW64\\KERNELBASE.dll"
}
],
"protection": "",
"token": {
"domain": "WINDOWS-DEV",
"elevation": true,
"elevation_type": "full",
"integrity_level_name": "high",
"sid": "S-1-5-21-808390715-165647297-874774755-1001",
"user": "johnu"
},
"user": "johnu"
},
"args": [
"C:\\test_shellcode_thread.exe"
],
"args_count": 1,
"code_signature": {
"exists": false
},
"command_line": "C:\\test_shellcode_thread.exe",
"entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTE5MTE2LTE2ODIwNjUyNTUuOTk4MTAyMjAw",
"executable": "C:\\test_shellcode_thread.exe",
"hash": {
"md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
"sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
"sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
},
"name": "test_shellcode_thread.exe",
"parent": {
"Ext": {
"architecture": "x86_64",
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Python Software Foundation",
"trusted": true
}
],
"protection": "",
"user": "johnu"
},
"args": [
"C:\\Program Files\\Python39\\python.exe"
],
"args_count": 6,
"code_signature": {
"exists": true,
"status": "trusted",
"subject_name": "Python Software Foundation",
"trusted": true
},
"command_line": "\"C:\\Program Files\\Python39\\python.exe\"",
"entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEzNzg4LTE2ODIwNjUxMTIuMjY5MjkzNzAw",
"executable": "C:\\Program Files\\Python39\\python.exe",
"hash": {
"md5": "3412d601e0fab94e2360f57e62f7cbba",
"sha1": "ddfd60ea7fad94ab091c5baf4b0085ea5ce38e35",
"sha256": "bbb3b40c1eb203be1068e882708f1353c2b41ec166746db01375885cb25ff7c1"
},
"name": "python.exe",
"pid": 13788,
"ppid": 10212,
"start": "2023-04-21T08:18:32.2692937Z",
"uptime": 144
},
"pe": {},
"pid": 19116,
"ppid": 13788,
"start": "2023-04-21T08:20:55.9981022Z",
"thread": {
"Ext": {
"call_stack": [
{
"instruction_pointer": 1999121116,
"memory_section": {
"memory_address": 1998655488,
"memory_size": 1187840,
"protection": "R-X"
},
"module_name": "ntdll.dll",
"module_path": "c:\\windows\\syswow64\\ntdll.dll",
"symbol_info": "c:\\windows\\syswow64\\ntdll.dll!NtWaitForSingleObject+0xc"
},
{
"instruction_pointer": 1967080857,
"memory_section": {
"memory_address": 1967079424,
"memory_size": 860160,
"protection": "R-X"
},
"module_name": "kernelbase.dll",
"module_path": "c:\\windows\\syswow64\\kernelbase.dll",
"symbol_info": "c:\\windows\\syswow64\\kernelbase.dll!WaitForSingleObjectEx+0x99"
},
{
"instruction_pointer": 1967080690,
"memory_section": {
"memory_address": 1965953024,
"memory_size": 1986560,
"protection": "R-X"
},
"module_name": "kernelbase.dll",
"module_path": "c:\\windows\\syswow64\\kernelbase.dll",
"symbol_info": "c:\\windows\\syswow64\\kernelbase.dll!WaitForSingleObject+0x12"
},
{
"instruction_pointer": 9507414,
"memory_section": {
"memory_address": 9506816,
"memory_size": 69632,
"protection": "R-X"
},
"module_name": "test_shellcode_thread.exe",
"module_path": "C:\\test_shellcode_thread.exe",
"symbol_info": "C:\\test_shellcode_thread.exe!0x911256"
},
{
"instruction_pointer": 9508208,
"memory_section": {
"memory_address": 9506816,
"memory_size": 69632,
"protection": "R-X"
},
"module_name": "test_shellcode_thread.exe",
"module_path": "C:\\test_shellcode_thread.exe",
"symbol_info": "C:\\test_shellcode_thread.exe!0x911570"
},
{
"instruction_pointer": 9508718,
"memory_section": {
"memory_address": 9506816,
"memory_size": 69632,
"protection": "R-X"
},
"module_name": "test_shellcode_thread.exe",
"module_path": "C:\\test_shellcode_thread.exe",
"symbol_info": "C:\\test_shellcode_thread.exe!0x91176E"
},
{
"instruction_pointer": 1976565913,
"memory_section": {
"memory_address": 1976500224,
"memory_size": 417792,
"protection": "R-X"
},
"module_name": "kernel32.dll",
"module_path": "c:\\windows\\syswow64\\kernel32.dll",
"symbol_info": "c:\\windows\\syswow64\\kernel32.dll!BaseThreadInitThunk+0x19"
},
{
"instruction_pointer": 1999076206,
"memory_section": {
"memory_address": 1998655488,
"memory_size": 1187840,
"protection": "R-X"
},
"module_name": "ntdll.dll",
"module_path": "c:\\windows\\syswow64\\ntdll.dll",
"symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0x11e"
},
{
"instruction_pointer": 1999076158,
"memory_section": {
"memory_address": 1998655488,
"memory_size": 1187840,
"protection": "R-X"
},
"module_name": "ntdll.dll",
"module_path": "c:\\windows\\syswow64\\ntdll.dll",
"symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0xee"
}
],
"call_stack_final_user_module": {
"code_signature": [
{
"exists": false
}
],
"hash": {
"sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
},
"name": "test_shellcode_thread.exe",
"path": "C:\\test_shellcode_thread.exe"
},
"call_stack_summary": "ntdll.dll, kernelbase.dll, test_shellcode_thread.exe, kernel32.dll, ntdll.dll",
"start_address": 9508836,
"start_address_module": "C:\\test_shellcode_thread.exe"
},
"id": 22716
},
"uptime": 1
},
"rule": {
"ruleset": "production"
},
"user": {
"domain": "WINDOWS-DEV",
"name": "johnu"
}
}
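The field mapping at the top of this comment (CreateThread -> event.code/self_injection, StartAddress, Parameter, ThreadId) can be checked mechanically against the alert. The script below is an added example, not code from the PR thread or from the EDR telemetry project: it keeps a constructed subset of the sample alert above (numeric values copied from it), projects it onto the CreateThread arguments, and runs the independent sanity checks a reviewer would want before trusting the "Unbacked" verdict (start address inside the reported private committed region, region executable, RW- at allocation flipped to R-X, offset fields consistent, captured bytes decodable).

```python
"""Triage of an Elastic Endpoint shellcode_thread alert (added example)."""

# Constructed subset of the sample alert above; only the fields used here are kept.
SAMPLE_ALERT = {
    "event": {"code": "shellcode_thread"},
    "Memory_protection": {"feature": "shellcode_thread", "self_injection": True},
    "process": {"pid": 19116, "thread": {"id": 22716}},
    "Target": {"process": {
        "Ext": {"memory_region": {
            "allocation_base": 12517376, "allocation_protection": "RW-",
            "allocation_size": 4194304, "allocation_type": "PRIVATE",
            "region_base": 15663104, "region_protection": "R-X",
            "region_size": 1048576, "region_state": "COMMIT"}},
        "thread": {"id": 12612, "Ext": {
            "parameter": 9605120, "start_address": 15663104,
            "start_address_allocation_offset": 3145728,
            "start_address_bytes": "6a2a58c20400b8e0a19200c3558becff7514ff7510ff750cff7508e8e6ffffff",
            "start_address_module": "Unbacked"}}}},
}


def is_local_shellcode_thread(alert):
    """The selector used in the thread: event.code shellcode_thread plus self_injection."""
    return (alert["event"]["code"] == "shellcode_thread"
            and alert["Memory_protection"]["self_injection"] is True)


def create_thread_view(alert):
    """Project the alert onto the CreateThread arguments (StartAddress, Parameter,
    ThreadId) and record which thread in which process issued the call."""
    new_thread = alert["Target"]["process"]["thread"]
    return {
        "StartAddress": new_thread["Ext"]["start_address"],
        "Parameter": new_thread["Ext"]["parameter"],
        "ThreadId": new_thread["id"],
        "creator_pid": alert["process"]["pid"],
        "creator_tid": alert["process"]["thread"]["id"],
    }


def _executable(protection):
    # Elastic renders protections as three characters, e.g. "RW-" or "R-X"
    return len(protection) == 3 and protection[2] == "X"


def start_address_checks(alert):
    """Independent checks on the 'Unbacked' verdict: the start address sits in the
    committed private region the alert describes, that region is executable, the
    protection was changed after allocation, and the offset fields agree."""
    region = alert["Target"]["process"]["Ext"]["memory_region"]
    ext = alert["Target"]["process"]["thread"]["Ext"]
    start = ext["start_address"]
    region_end = region["region_base"] + region["region_size"]
    alloc_end = region["allocation_base"] + region["allocation_size"]
    return {
        "unbacked": ext["start_address_module"] == "Unbacked",
        "in_region": region["region_base"] <= start < region_end,
        "in_allocation": region["allocation_base"] <= start < alloc_end,
        "region_executable": _executable(region["region_protection"]),
        "private_committed": region["allocation_type"] == "PRIVATE"
                             and region["region_state"] == "COMMIT",
        # RW- at allocation, R-X now: bytes were written first, then made executable
        "protection_flipped_to_exec": (not _executable(region["allocation_protection"])
                                       and _executable(region["region_protection"])),
        "offset_consistent": start - region["allocation_base"]
                             == ext["start_address_allocation_offset"],
    }


def start_bytes(alert):
    """Decode the captured start-address bytes; the first six are push 0x2a / pop eax /
    ret 4, matching start_address_bytes_disasm in the alert."""
    return bytes.fromhex(alert["Target"]["process"]["thread"]["Ext"]["start_address_bytes"])


if __name__ == "__main__":
    print(create_thread_view(SAMPLE_ALERT))
    print(start_address_checks(SAMPLE_ALERT))
    print(start_bytes(SAMPLE_ALERT)[:6].hex())
```

Note that the alert carries two threads: process.thread (id 22716, the caller, whose call stack ends in test_shellcode_thread.exe) and Target.process.thread (id 12612, the new thread, whose only frame is RtlUserThreadStart and whose start address has no backing module). The mapping above deliberately reads the creator from the former and the CreateThread arguments from the latter.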
Thanks for that @jdu2600. I did have a look and I can confirm that, unlike what the article suggests, other EDRs are also monitoring for this activity. Although it would be a good practice to track all different variations of thread activities, this can get out of hand very quickly. We are planning to include one more level to the current sub-categories. We could change the "Remote Thread Creation" to "Thread Activities" and include all variations. But that is just too much for this stage of the project. We can re-evaluate this then.
Thanks again for submitting the information and contributing to this project, appreciate it!
Noted.
Though perhaps the current category should be updated to Thread Creation now?
Sysmon would then have an 🟧 and each other vendor could be updated as appropriate?
Thanks for understanding. I re-opened this PR to consider the change for the sub-category name from "Remote Thread Creation" to "Thread Creation".
@jdu2600 - Could you please provide a justification as to why you would like Sysmon to have a "Partially Implemented" mark instead of an "Implemented" one? This justification would have to make its way to the official notes for the main table.
@inodee - Any objections here for this change to the sub-category? Makes sense?
The sysmon documentation indicates that its Event ID 8 is Remote Thread Creation only - not Thread Creation more generally.
Good enough for me. For the record, difference explained here:
Thread creation refers to the process of creating a new thread within the same application or process. Remote thread creation, on the other hand, involves creating a new thread within a different process.
@jdu2600, could you please edit your proposed changes by only renaming the Sub-Category field to "Thread Creation" and change only the Sysmon value from "Yes" to "Partially"? Thanks!
Done.
Are we confident that Crowdstrike/LimaCharlie/MDE/S1/WatchGuard all monitor local thread creations?
Thanks. No, we will need to validate, I would not commit just yet. I also would like a second approver for this (@inodee)
@jdu2600 - Can you propose a testing method for this?
The simplest test would be to see if telemetry is generated for a local unbacked thread.
C++ snippet -
```cpp
#include <windows.h>
#include <cstring>
int main() {
    const unsigned char shellcode[] = { // return(42)
        0xb8, 0x2a, 0x00, 0x00, 0x00,   // mov eax, 42
        0xc3                            // ret
    };
    // Private, unbacked RWX page: the new thread's start address maps to no module
    auto pRWX = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(pRWX, shellcode, sizeof(shellcode));
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)pRWX, NULL, 0, NULL);
    WaitForSingleObject(hThread, INFINITE); // let the thread run before the process exits
}
```
It seems like we indeed need a dedicated cat for "Thread Activities"! Thanks @jdu2600 for your contribs! Yes, we need to validate/adjust the others.
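Two points from the discussion above fit one small piece of code: the sub-category distinction (a thread created in the caller's own process is Thread Creation; one created in another process is Remote Thread Creation, which is all Sysmon Event ID 8 covers) and the validation method just proposed (run the local unbacked-thread test and see whether a source emits anything for it). The script below is an added example, not code from the PR thread or from the project. The Sysmon Event ID 8 field names are the documented ones (SourceProcessId, TargetProcessId, NewThreadId, StartAddress), but the event body is constructed; the Elastic record is reduced to the fields of the sample alert that matter here, and reading Target.process.pid on cross-process alerts is an assumption.

```python
"""Local vs remote thread creation across telemetry sources (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreadCreation:
    source: str
    creator_pid: int
    target_pid: int
    new_thread_id: int
    start_address: int

    @property
    def remote(self) -> bool:
        # Same process: "Thread Creation"; different process: "Remote Thread Creation"
        return self.creator_pid != self.target_pid


def from_sysmon_eid8(ev: dict) -> ThreadCreation:
    # Sysmon stores PIDs/TIDs as decimal strings and StartAddress as 0x-prefixed hex
    return ThreadCreation("sysmon", int(ev["SourceProcessId"]), int(ev["TargetProcessId"]),
                          int(ev["NewThreadId"]), int(ev["StartAddress"], 16))


def from_elastic_shellcode_thread(alert: dict) -> ThreadCreation:
    creator = alert["process"]["pid"]
    if alert["Memory_protection"]["self_injection"]:
        target = creator  # self_injection: the new thread runs in the creating process
    else:
        target = alert["Target"]["process"]["pid"]  # assumption for cross-process alerts
    thr = alert["Target"]["process"]["thread"]
    return ThreadCreation("elastic", creator, target, thr["id"], thr["Ext"]["start_address"])


def observed_local_creation(records, test_pid: int) -> bool:
    """Validation criterion for the local-thread test: after running the test binary
    (pid test_pid), did this source emit a record with creator and target both equal to it?"""
    return any(r.creator_pid == r.target_pid == test_pid for r in records)


def summarise(records):
    """Bucket records the way the comparison table's sub-categories would."""
    buckets = {"Thread Creation": 0, "Remote Thread Creation": 0}
    for r in records:
        buckets["Remote Thread Creation" if r.remote else "Thread Creation"] += 1
    return buckets


# Constructed Sysmon EID 8: python.exe creating a thread in notepad.exe (remote)
SYSMON_REMOTE = {
    "SourceProcessId": "4242", "SourceImage": "C:\\Program Files\\Python39\\python.exe",
    "TargetProcessId": "5151", "TargetImage": "C:\\Windows\\System32\\notepad.exe",
    "NewThreadId": "6060", "StartAddress": "0x00000000000A0000",
    "StartModule": "", "StartFunction": "",
}

# Fields of the Elastic sample alert above that matter here (pid 19116 creating its own thread)
ELASTIC_LOCAL = {
    "Memory_protection": {"self_injection": True},
    "process": {"pid": 19116},
    "Target": {"process": {"thread": {"id": 12612, "Ext": {"start_address": 15663104}}}},
}


if __name__ == "__main__":
    recs = [from_sysmon_eid8(SYSMON_REMOTE), from_elastic_shellcode_thread(ELASTIC_LOCAL)]
    print(summarise(recs))
    print("sysmon saw the local test thread:", observed_local_creation(recs[:1], 19116))
    print("elastic saw the local test thread:", observed_local_creation(recs[1:], 19116))
```

To validate another vendor the same way, write a normaliser for its thread event that fills creator_pid and target_pid, run the C++ test above, and call observed_local_creation with the test process's pid; a source that only ever yields records with creator_pid != target_pid is the "Partially Implemented" case discussed for Sysmon.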
Description
Thread Creation events (ideally via a PsSetCreateThreadNotifyRoutine callback) are a useful telemetry source.
References - https://bruteratel.com/release/2022/11/17/Release-Resurgence/ "Several changes were also made to how a local thread was created following some detections from Elastic EDR, as unlike any other EDR, Elastic also monitors local threads."
Type of change