Apr 7, 2022
Arsenal: Bypass EDR’s/XDR’s and make malware analysis harder
(Direct Syscalls, Sandbox Bypass, API Hashing, AES Encryption)
Introduction
In this blog, I am going to explain multiple techniques to bypass AV/EDR/XDR security solutions. As a red teamer and security guy, I always try to explore new methods and approaches to bypass security controls. My work is related to offensive security, “Offense is the best defense”. This blog is definitely going to help red team as well as blue team.
Today I am going to make defense evasion arsenal which is using direct syscalls, sandboxes bypass techniques, Strong encryption and random procedure names to bypass AV/EDR’s. I will also explain the method to bypass well-know tool Dumpert. Dumpert used direct syscalls to bypass security controls such as AV/EDR’s user-land hooking and create memory dumps. Because Dumpert is well-know and open-source tool most of the AV/EDR’s updated the signature. In my homework, when I compiled Dumpert after touching the disk Microsoft Defender caught it. So instead of changing signature of Dumpert, I decided a way to bypass it statically as well as dynamically. Before explaining the techniques, Let’s talk about Widows API and Native API’s. I am not going to explain it very deeply because I have already explained this in my previous blog post.
Applications in Windows run in user-mode and to perform function they call Windows API’s. Native API’s located in (ntdll.dll) are the last instance which can be monitored by AV/EDR’s security solutions. Let’s take a example of Simple malware which is doing process injection using Windows API calls such as VirtualAllocEx, WriteProcessMemory, CreateRemoteThread. These API’s further interact with alternative API calls which is located in ntdll.dll. Functions located in ntdll.dll are set of assembly instructions to call the system level calls in kernel. Most of the AV/EDR’s hooked on Native API’s and redirect the flow of program whenever a application calls these function in order to see the malicious behavior of program. When new process spawned EDR’s load their DLL’s in process memory to inspect the behavior of program.
Defense Evasion Arsenal
Direct syscalls is always hot topic for red teamers. In my arsenal, I used direct syscalls to bypass user-land hooking of AV/EDR. I also used some techniques which will make malware analysis harder. When we open binary with IDA-pro or binary parser statically and using string search we can tell this binary is doing such task. To make static analysis hard, I used different techniques.
PART 1
I divided my work into two parts. First part will explain the syscalls with native API functions name and second time I used random names in my implant in order to make static analysis hard. Let’s discuss our preparation for defence evasion arsenal.
Firstly, I created ASM/H pairs using SysWhispers2. SysWhispers2 use random functions name every time and resolve syscalls dynamically. In this picture, You can see created assembly file of syswhisper2. Function hash is used by global variable and resolving syscalls accordingly. The name of procedures is same as Native API calls. Although this approach bypass AV/EDR user-land hooking but I realize that If I use these names in my implant Windows defender or other security controls can catch my binary in static or heuristic analysis.
You can see this resolve the function hash into syscalls and make the call.
I wrote a code into C++ which is using direct syscalls. In my part 1, I used same name in my code and perform static analysis using IDA-PRO.
After analysis my implant statically in IDA-PRO, I can clearly see the native calls which indicates the behavior of my binary. Malware analysts can easily understand that this binary is doing injection in process. Because these combination is used by malware developers in order to perform process injection.
Although, I am using direct syscalls and this technique bypasses most of the AV/EDR’s still I want to make my implant more stealthy and harder to analyze. I used AES encryption in order to bypass static analysis, I am using well-know tool msfvenom to create shellcodes which are highly detected by AV/EDR’s. So I encrypted my shellcode using AES encryption.
Apart form encryption, I also used three sandboxes bypass techniques one is checking size of ram others are checking processing speed and core processors. You can change number of cores and size of ram accordingly, I am using 8gb ram condition in my code. If size of ram is less than 4 program will exit here.
PART 2
As I mentioned above in part 2 I am using random procedures and functions name in order to make it more stealthy. This time, I changed the procedures names and also changes the prototype names. Native API’s are undocumented but you can easily find prototypes for them.
You can see this time I used random functions names in my implant. I am doing this thing to make static analysis harder for malware analyst and also in future AV/EDR’s can catch my binary on these functions names and signatures.
I tested these techniques on windows 11 against Microsoft Defender, MacAfee and Kaspersky but no one were able to detect my implant. I was able to bypass static and dynamic analysis of these security controls.
I injected my payload into explorer.exe. You can see my payload in memory address in explorer.exe which is RWX.
I also checked my binary on antiscan.me to check the detection rate of these techniques. But my binary was fully undetectable.
By using direct syscalls, sandboxes bypassing techniques, strong encryption and random procedures names I was able to bypass EDR/XDR detection. Now In my last part, I also want to explain the method which can be used to bypass Dumpert tool created by outflank.
BYPASS DUMPERT TOOL (OUTFLANK)
Outflank created a very amazing tool which used direct syscalls to create memory dumps but due to open-source almost every AV/EDR’s updated the signature of Dumpert. Instead changing the signature, I used another easy way to bypass it. This technique really work and you will see the amazing results.
Firstly, I created independent shellcode of Dumpert into raw form using tool Donut created by @TheWover. You just need simple command in order to convert Dumpert.exe into raw shellcode.
So in order to bypass static analysis of Dumpert I am doing in-memory execution. Dumpert itself is using direct syscalls to create memory dumps but I also created my Injector which will load Dumpert shellcode into remote process. This loader is using the same techniques which I have already mentioned above.
This techniques is also bypass AV/EDR’s because I used direct syscalls in my injector to bypass user-mode hooking of AV/EDR’s.
CONCLUSION
Direct syscalls is mostly used by red teamers and attacker to bypass user-land hooking of security controls. But in this blog, I also explained the other techniques which can be used to make implant more stealthy and undetected. I also explained the method to bypass well-known tool Dumpert. In my upcoming blogs, I would love to add more stealthy techniques to make it more stealthy.
Author:
Usman Sikander
Cyber Security Engineer
References:
