As defenders, we need to learn about attackers and the techniques they use to compromise endpoints. We are put in a position of constantly learning and adapting to attackers. The good news is that applying that knowledge is getting easier.
In this blog, I will demonstrate how to apply knowledge gained by reverse engineering and put it to use with Carbon Black. Specifically, I’ll detect an advanced technique used by attackers to elevate privileges on an endpoint.
The typical lifecycle of an attacker on an endpoint can be broken down into the following stages:
- Remote execution on an endpoint
- Survey the endpoint
- Escalate privileges to “SYSTEM” or “Administrator”
- Persist through reboot with new privileges
- Exfil targeted data
Today, we will be focusing on the detection of privilege escalation to “SYSTEM” or “Administrator.”
Generally, an attacker will try to elevate privileges in order to write to system files (to survive reboots) or to load kernel drivers. There is a common technique used by most of them – a module load of ntoskrnl.exe or ntkrnlpa.exe.
Attackers use this technique because the LoadLibrary Windows Native API function does so much of the work for them. This function maps a DLL into the calling process and, more importantly, applies its relocations. This gives the attacker a relocated view of the kernel image inside their own process space, from which they can calculate offsets and find where exported functions are located.
Once the attacker knows the base address of the real ntoskrnl.exe, they can use their in-process copy of the kernel to find everything they need to successfully exploit the running kernel.
Carbon Black monitors all module loads, so we can detect attempts to map the kernel using LoadLibrary.
The above picture shows this piece of malware using kernel exploitation for privilege escalation. Note the use of LoadLibrary to load ntoskrnl.exe or ntkrnlpa.exe. The exploit uses this technique to find the address of the HalDispatchTable. It then overwrites the HalDispatchTable with user-controlled data to gain execution. The type of exploit doesn’t matter; what we care about is the technique, and this technique is still being used.
Now, let’s create a watchlist to find this behavior.
First, enter “modload:ntoskrnl.exe or modload:ntkrnlpa.exe” into the search box and click “Add Watchlist.”
Now that the watchlist is in place, I’ll run the malicious exploit to show what it would look like to Carbon Black.
We have successfully detected the binary!
From here, we can download the binary and perform binary detonation to verify there was malicious intent. I looked for this behavior on our test server prior to creating this watchlist and found very few instances of it. This is an indication of a good watchlist for us, since false positives take up valuable time.
There are very few legitimate cases where a process would need to load ntoskrnl.exe or ntkrnlpa.exe into its own address space.
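To make the two checks above concrete (the watchlist query itself, and the prevalence check used to judge false positives before rolling it out), here is an added example that re-implements the same logic offline over a handful of module-load events. This is not Carbon Black code or its query engine: the event dictionaries are a constructed approximation of what a module-load record carries (host, process, loaded module path), and the sample events are made up for the demonstration.

```python
"""Offline re-implementation of the post's watchlist logic.

Added example, not Carbon Black code. The event shape is a constructed
approximation of a module-load record (host, process, module path), not the
sensor's real schema.
"""
from collections import Counter

# Kernel images the post's watchlist matches on:
# "modload:ntoskrnl.exe or modload:ntkrnlpa.exe"
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe"}

# Constructed sample of module-load events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "explorer.exe",
     "module": r"C:\Windows\System32\shell32.dll"},
    {"host": "ws01", "process": "exploit.exe",
     "module": r"C:\Windows\System32\ntoskrnl.exe"},
    {"host": "ws02", "process": "svchost.exe",
     "module": r"C:\Windows\System32\ntdll.dll"},
    # Mixed case and an alternate system directory spelling, which a
    # naive string compare would miss.
    {"host": "ws02", "process": "updater.exe",
     "module": r"C:\WINDOWS\system32\NTKRNLPA.EXE"},
    {"host": "ws03", "process": "exploit.exe",
     "module": r"C:\Windows\System32\ntoskrnl.exe"},
]


def module_basename(path):
    """Return the lower-cased file name of a module path.

    Windows paths are case-insensitive and may use either separator, so
    normalise both before comparing against the watchlist terms.
    """
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_watchlist(event):
    """True when the loaded module is one of the kernel images."""
    return module_basename(event["module"]) in KERNEL_IMAGES


def run_watchlist(events):
    """Apply the watchlist to a stream of events and return the hits."""
    return [e for e in events if matches_watchlist(e)]


def prevalence(hits):
    """Count distinct hosts per process name among the hits.

    This is the pre-deployment check from the post: if many hosts show the
    behaviour under many different process names, the watchlist will be
    noisy; a handful of hosts under a few names is a good sign.
    """
    hosts_by_process = {}
    for e in hits:
        hosts_by_process.setdefault(e["process"], set()).add(e["host"])
    return Counter({p: len(h) for p, h in hosts_by_process.items()})


if __name__ == "__main__":
    hits = run_watchlist(SAMPLE_EVENTS)
    for e in hits:
        print(f"{e['host']}: {e['process']} loaded {e['module']}")
    print("hosts per process:", dict(prevalence(hits)))
```

Running it on the constructed events flags the two exploit.exe loads and the mixed-case ntkrnlpa.exe load, and the prevalence counter shows how to tell "three hits from two process names" apart from a noisy, fleet-wide pattern before turning the query into an alert.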
Let’s review what we have accomplished:
- Analyzed a binary for detectable techniques
- Created a watchlist to alert us on this technique
- Verified the watchlist works
I hope many people use the ideas in this blog to advance their threat hunting and create new detection techniques. This is only a single example where knowing techniques used by attackers can help with threat hunting. I hope we can start a discussion for more.