0X02 Detection based on signature／feature code

Hello everyone! The New Year is approaching, and it's time to say goodbye to the old and welcome the new. By chance, I stole half a day of my life, and I thought of the assignment assigned by my master. So I put down the controller, referred to the notes, and reorganized, corrected, and expanded it, about the development history of the technology of feature code countermeasures, and further improved my anti-kill system. If everyone has a fear of learning about anti-kill, I personally recommend watching the book "Hacker Anti-Kill Offense and Defense", although the technology in it may not be so popular, but the thoughts contained in it are really worth pondering slowly. Well, let's not waste any more time and get straight to the point!

0X00 Preface

That is heuristic detection, which is not the focus of this article, so let's briefly introduce it. Our method of identifying unknown files is to analyze the behavior of the file execution process to judge whether it is malware. This means that we not only need to understand the functions called by the file but also know its behavior. For example:

1. When the heuristic virus detection program detects a potential executable file, it may perform reverse engineering on it to check the exact function of the code (to check whether its operation is malicious). It may also try to execute the code in a secure environment to see the result.

2. When the antivirus software detects elements that allow user input, it will try to "deceive the target" by sending unexpected data. Then it analyzes the target's response to see if it is successful.

3. Memory detection refers to the memory detection of antivirus software, which means that when the virus is running, after the virus is loaded into the computer's memory, the antivirus software detects the virus running in the memory and kills the virus in the memory.

Heuristic scanning has some main aspects

0X02 Detection based on signature/feature code

This time, we focus on the history of the countermeasures against signature/feature code detection and how to deal with such detection in offensive and defensive exercises. With the rise of AI security, under the detection of machine learning engines represented by the 360QNM engine, the normal mode of passing through Microsoft signature + modification of feature codes can no longer adapt to the countermeasures in the presence of devices such as def and edr. However, don't be discouraged when dealing with the antivirus software "FireBlade", just this method can save time and energy more effectively.

As everyone knows, static detection requires a large database to support it, these databases are either prepared by anti-virus software manufacturers or obtained from massive public databases. Therefore, for virus types, anti-virus software can match specific byte sequences in suspicious files through static detection; if the byte sequence is found, it is considered that the malicious file has been found. And the production of viruses is almost always mainly based on signatures, and some advanced anti-virus software manufacturers must have behavior-based scanning, but it is usually optional (the specific reason is: such scanning requires more time and resources). Static detection can also determine specific responses from suspicious servers to identify the exact version of the software used by the server. It may be as simple as the actual response version information of the software, or more complex, such as identifying certain typical behaviors.

However, signature-based detection may not be particularly well-known to everyone (I mentioned it in previous mimikatz anti-aversion and LASS); code integrity is a threat protection feature first introduced by Microsoft many years ago. On x64-based Windows versions, kernel mode device drivers must be digitally signed and checked each time they are loaded into memory, also known as Driver Signature Enforcement (DSE). Its function is to detect whether unsigned drivers or system files are being loaded into the kernel, or whether system files have been modified (possibly by malicious software running with administrative privileges), which can improve the security of the operating system. Attackers in order to overcome these limitations, will use valid digital certificates (whether normally issued or stolen and copied), or disable DSE when the target computer is running, in order to achieve the goal of successful attacks.

Supplementary: SCA detection is through the search for certain code elements in source code, intermediate code, or binary code to identify the known components and their exact versions that the software is using or importing.

0X02.1 Signature-based Detection

Signature-based detection is very simple. The most common solution provided by anti-virus software manufacturers is to establish a database with a large number of file hashes that are updated in real-time, where manufacturers only need to compare the hash of any suspicious file on external storage with the known malicious executable software hashes.eg:If the manufacturer's database contains the SHA1/MD5 hash of the .exe file packaged with Mimikatz, it can be used to verify the hash value to determine whether a suspicious file is a malicious file. However, changing the hash value of the mimikatz.exe file is very simple, as it only requires modifying a single byte to achieve the purpose, so this detection is not truly reliable, and manufacturers generally use other methods for cross-validation.

eg: This is where antivirus vendors begin to turn to detecting specific byte pattern signatures as an alternative to file hashes. The following figure is an example of Mimikatz's byte hash, with specific byte pattern/hexadecimal value marked as shown in the following code segment:

730065006B00750072006C00730061005F006D0069006E006900640075006D0070
-->HEX values for s.e.k.u.r.l.s.a._.m.i.n.i.d.u.m.p

In this modification process, not only should each known malicious binary file or sensitive byte be marked, but all should be modified to a normal appearance, which is meaningful. Mimikatz is an unavoidable hurdle for beginners in signature detection because software developers usually have dozens of hash values specifically for detecting Mimikatz binaries. By doing so, antivirus software can ensure that slightly modified versions are detected. Some antivirus vendors even build more advanced detection by using yara rules. These rules can scan file or memory content and allow for more complex conditions and combinations of different patterns.Mimikatz yaraThe rule, as shown in the following code segment:

rule Windows_Hacktool_Mimikatz_1388212a {
meta:
author = "Elastic Security"
id = "1388212a-2146-4565-b93d-4555a110364f"
fingerprint = "dbbdc492c07e3b95d677044751ee4365ec39244e300db9047ac224029dfe6ab7"
creation_date = "2021-04-13"
The last modified date is set to '2021-08-23'
threat_name = "Windows.Hacktool.Mimikatz"
reference_sample = "66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a"
severity = 100
arch_context = "x86"
The scan context is set to 'file, memory'
license = "Elastic License v2"
os = "windows"
strings:
$a1 = " * Password: %s" wide fullword
$a2 = " * Session Key : 0x%08x - %s" wide fullword
$a3 = " * Injecting ticket : " wide fullword
$a4 = " ## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )" wide fullword
$a5 = "Remove mimikatz driver (mimidrv)" wide fullword
$a6 = "mimikatz(commandline) # %s" wide fullword
a7 = " Password: %s" wide fullword
a8 = " - SCardControl(FEATURE_CCID_ESC_COMMAND)" wide fullword
a9 = " * to 0 will take all 'cmd' and 'mimikatz' process" wide fullword
a10 = "** Pass The Ticket **" wide fullword
a11 = "-> Ticket : %s" wide fullword
a12 = "Busylight Lync model (with bootloader)" wide fullword
a13 = "mimikatz.log" wide fullword
a14 = "Log mimikatz input/output to file" wide fullword
a15 = "ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_domainkey_with_key" wide fullword
a16 = "ERROR kuhl_m_lsadump_dcshadow ; unable to start the server: %08x" wide fullword
a17 = "ERROR kuhl_m_sekurlsa_pth ; GetTokenInformation (0x%08x)" wide fullword
a18 = "ERROR mimikatz_doLocal ; \"%s\" module not found !" wide fullword
a19 = "Install and/or start mimikatz driver (mimidrv)" wide fullword
a20 = "Target: %hhu (0x%02x - %s)" wide fullword
a21 = "mimikatz Ho, hey! I'm a DC :)" wide fullword
a22 = "mimikatz service (mimikatzsvc)" wide fullword
$a23 = "[masterkey] with DPAPI_SYSTEM (machine, then user): " wide fullword
$a24 = "$http://blog.gentilkiwi.com/mimikatz 0" ascii fullword
$a25 = " * Username : %wZ" wide fullword
condition:
3 of ($a*)
{}

rule Windows_Hacktool_Mimikatz_674fd079 {
meta:
author = "Elastic Security"
id = "674fd079-f7fe-4d89-87e7-ac11aa21c9ed"
fingerprint = "b8f71996180e5f03c10e39eb36b2084ecaff78d7af34bd3d0d75225d2cfad765"
The creation date is set to '2021-04-14'
The last modified date is set to '2021-08-23'
description = "Detection for default mimikatz memssp module"
threat_name = "Windows.Hacktool.Mimikatz"
reference_sample = "66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a"
severity = 99
arch_context = "x86"
The scan context is set to 'file, memory'
license = "Elastic License v2"
os = "windows"
strings:
$a1 = { 44 30 00 38 00 }
$a2 = { 48 78 00 3A 00 }
$a3 = { 4C 25 00 30 00 }
$a4 = { 50 38 00 78 00 }
$a5 = { 54 5D 00 20 00 }
$a6 = { 58 25 00 77 00 }
$a7 = { 5C 5A 00 5C 00 }
$a8 = { 60 25 00 77 00 }
$a9 = { 64 5A 00 09 00 }
$a10 = { 6C 5A 00 0A 00 }
$a11 = { 68 25 00 77 00 }
$a12 = { 68 25 00 77 00 }
$a13 = { 6C 5A 00 0A 00 }
$b1 = { 6D 69 6D 69 C7 84 24 8C 00 00 00 6C 73 61 2E C7 84 24 90 00 00 00 6C 6F 67 }
condition:
All of ($a*) or $b1
{}

The rule is set to 'rule Windows_Hacktool_Mimikatz_355d5d3a {'
meta:
author = "Elastic Security"
The ID is set to '355d5d3a-e50e-4614-9a84-0da668c40852'
The fingerprint is set to '9a23845ec9852d2490171af111612dc257a6b21ad7fdfd8bf22d343dc301d135'
The creation date is set to '2021-04-14'
The last modified date is set to '2021-08-23'
The description is set to 'Detection for Invoke-Mimikatz'
threat_name = "Windows.Hacktool.Mimikatz"
The reference sample is set to '945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96'
The severity level is set to 90
arch_context = "x86"
The scan context is set to 'file, memory'
license = "Elastic License v2"
os = "windows"
strings:
$a1 = "$PEBytes32 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwc"
$a2 = "$PEBytes64 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwc"
$b1 = "Write-BytesToMemory -Bytes $Shellcode"
$b2 = "-MemoryAddress $GetCommandLineWAddrTemp"
$b3 = "-MemoryAddress $GetCommandLineAAddrTemp"
The command is set to '$c1 = "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)" fullword'
$c2 = "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs) -ComputerName"
$c3 = "at: http://blog.gentilkiwi.com"
$c4 = "on the local computer to dump certificates."
$c5 = "Throw \"Unable to write shellcode to remote process memory.\"" fullword
$c6 = "-Command \"privilege::debug exit\" -ComputerName \"computer1\""
$c7 = "dump credentials without"
$c8 = "#The shellcode writes the DLL address to memory in the remote process at address $LoadLibraryARetMem, read this memory" fullword
$c9 = "two remote computers to dump credentials."
$c10 = "#If a remote process to inject into is specified, get a handle to it" fullword
condition:
(1 of ($a*) or 2 of ($b*)) or 5 of ($c*)
{}

rule Windows_Hacktool_Mimikatz_71fe23d9 {
meta:
author = "Elastic Security"
id = "71fe23d9-ee1a-47fb-a99f-2be2eb9ccb1a"
fingerprint = "22b1f36e82e604fc3a80bb5abf87aef59957b1ceeb050eea3c9e85fb0b937db1"
creation_date = "2022-04-07"
last_modified = "2022-04-07"
description = "Subject: Benjamin Delpy"
threat_name = "Windows.Hacktool.Mimikatz"
reference_sample = "856687718b208341e7caeea2d96da10f880f9b5a75736796a1158d4c8755f678"
severity = 100
arch_context = "x86"
scan_context = "file"
license = "Elastic License v2"
os = "windows"
strings:
$subject_name = { 06 03 55 04 03 [2] 42 65 6E 6A 61 6D 69 6E 20 44 65 6C 70 79 }
condition:
int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name
{}

rule Windows_Hacktool_Mimikatz_b393864f {
meta:
author = "Elastic Security"
id = "b393864f-a9b0-47e7-aea4-0fc5a4a22a82"
fingerprint = "bfd497290db97b7578d59e8d43a28ee736a3d7d23072eb67d28ada85cac08bd3"
creation_date = "2022-04-07"
last_modified = "2022-04-07"
description = "Subject: Open Source Developer, Benjamin Delpy"
threat_name = "Windows.Hacktool.Mimikatz"
reference_sample = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe"
severity = 100
arch_context = "x86"
scan_context = "file"
license = "Elastic License v2"
os = "windows"
strings:
$subject_name = { 06 03 55 04 03 [2] 4F 70 65 6E 53 6F 75 72 63 65 20 44 65 76 65 6C 6F 70 65 72 2C 20 42 65 6E 6A 61 6D 69 6E 20 44 65 6C 70 79 }
condition:
int16(uint32(0x3C) + 0x5c) == 0x0001 and $subject_name
{}

Therefore, in this case, if multiple strings mentioned in the rules are found in the file or memory, this response will be triggered, and operations such as alerts or termination of processes by AV/EDR software can be executed to prevent the malicious software from running.

0X02.1.1 Text Replacement

We can also involve signature detection in searching for static signatures that match known error codes. Examples of signature-based detection include matching file hash values with known malware and matching strings in potential malware. It is well known that many AV suppliers will mark payloads as malware simply because the author's nickname appears in the file, causing a threat. In this article, we will bypass signature-based detection and thus bypass Windows Defender's detection by modifying the Mimikatz source code. However, signature-based detection is very fragile because it depends on matching specific signatures within the scanned objects - usually text strings. Therefore, if we modify our payload so that it no longer finds related signatures, we can avoid signature-based detection. A well-known example is changing Mimikatz to mimidogz.

Now that we know what signature-based detection is, but how do we start to identify which specific signatures cause Windows Defender to identify our payload as malicious? Through text information, it can help accurately identify which bytes in the payload cause Defender to mark it as malicious. I downloaded the Mimikatz source code and compiled it with Microsoft's VScode2020. Before starting to compile, we need to make some modifications to the Mimikatz source code.

1. First, in the Solutions Explorer, right-click mimikatz, and then click Properties.

2. Next, we need to change the default platform toolset options. At the time of writing this article, I set mine to Visual Studio 2020 (v142)

3. Finally, repeat this process for the mimilib solution.

I don't need to spend time deeply studying why we need to do this, just know that we need to modify some sensitive text information to prevent detection by anti-virus software. I can name it arbitrarily and build it. After compiling the source code, I use Defender to check if the binary file is detected as malicious. It's no surprise that whenHackTool:Win64/Mikatz!dha.DefenderCheckWhen returning the hexdump of the bytes that cause Defender to issue an alert to the payload, it unfortunately gets detected. In the following example figure (the picture is provided by redsiegel master), we can see that the detection occurs in the error message string contained in the binary file.

I have a reasonable guess that the sensitive text exists in the mimikatz string, causing it to be detected, so I executed a search and replace, replacing all Mimikatz with mimidogz and recompiling the binary file, and the problem of this type no longer appeared after the scan!

0X02.1.2 DLL Name

Next, I ran the new binary file through Defender and found a new problem. This time, the violation signature seems to be wdigest.dll as shown in the figure below (the picture is provided by redsiegel master):

I have a reasonable guess that the sensitive file name exists in the DLL, so I executed the replacement of the sensitive DLL file name, and the problem of this type no longer appeared after the scan!

0X02.1.3 Function Name

As is well known, attackers need to modify a large number of function names to make binary files bypass the latest version of Defender for attack. This includes the following sensitive strings that need to be modified.eg:kull, kuhl, kiwi, sekurlsa, logonpasswords, credman.There are also other commonly used function names in anti-av:I_NetServerAuthenticate2,I_NetServerReqChallengeandI_NetServerTrustPasswordsGetetc.netapi32.dllAll the libraries are contained in the Mimikatz/lib directory. We can refer to some videos on the Internet to bypass these function names. First, I need to create a .def file to build a new library module that will be included in the Mimikatz build process. The content of this file is as follows. This is what is happening: a library (DLL) may export one or more functions that can be used by other programs. These functions are usually called by name. At the same time, functions can also be referred to by name to represent functions.

I_NetServerAuthenticate2

I_NetServerReqChallenge

I_NetServerTrustPasswordsGet

We need to use the VScode console to controllib /DEF:netapi32.def /OUT:netapi32.min.libCommand to compile this file into a module. Then place the file inlibx64 directoryAnd replace the initial file. After reconstruction, Mimikatz no longer contains the netapi32.dll. This makes the final check by Defender show that the file is no longer detected as a malicious file.

0X02.2 Feature code-based detection

Feature code detection and killing is also very illustrative. For example, we are familiar with Mimikatz capturing hashes, the tool logo left by the author, and the information left by dropping comments and the feature values left by GO language packaging are crucial to us. For example, by analyzing the characters /xfc/x48 at the beginning of the shellcode, we can infer that this is a separated anti-kill shellcode. Similarly, we can also determine that the malicious file is a "XX family" or "XXAPT organization" by the "string". To better avoid detection, we need to pay attention to these "anti-detection points" and improve our own anti-detection framework, train our thinking, and form a system.

Manual feature positioning

CCL--->Sequential filling method

Myccl--->Sequential exposure method

MultiCCL--->Mixed positioning, two-step gradual search method

Automated feature positioning(eg: VirTest....)

eg: code-data-import-export-resource file...

As everyone knows, Huoyan (static detection) is for strings. At this time, we can break through the deadlock with Myccl, and everyone can refer to Master Yu Yu's article:https://cloud.tencent.com/developer/article/2011190(The detailed steps are: first divide, then generate, then detect antivirus software, secondly process antivirus software, and finally view the feature interval)

As for the automated tool VirTest (download link:http://www.uzzf.com/soft/25659.htmlIt is equivalent to an automatically running Myccl. The specific principle is that we can assume the virus detection process, if the detected file is PE, and there is a marker A at the CODE position, a marker B at the DATA position, and a marker C at the resource position, and all three conditions are met, then the antivirus software will report a virus. The working principle of VIRTEST is to find the last marker that causes the virus detection, that is, the assumed marker C. Therefore, VIRTEST adopts a two-step exclusion method, testing the position of the marker C in the file where it is located. Since the killed file may have multiple连锁 conditions similar to ABC, we must first find the连锁 condition closest to the front of the file, excluding the file tail data. After finding the first连锁 condition, we erase the marker C, then restore the tail data, and then continue to test the other连锁 conditions until the last连锁 condition is found, erased, and the entire file is unblocked, indicating that the feature code has been completely identified. Therefore, VIRTEST can accurately locate all composite features. This is much more advanced than the file block positioning method and more scientific.

Ends with 0X03

All along, I thought that the longer the code of the loader was, and the more obscure the language was, the better the anti-aversion effect would be, but that's not the case. It was only after listening to Teacher Ghost House's explanation that I realized that this loader is still very capable, so I hope everyone doesn't take a detour.

#include <Windows.h>
#include <Stdio.h>

unsigned char buff[] = "shellcode"
int main()
{
((void(*)(void)) &buf)();
{}

Lately, I've been rather lazy, and it's inevitable to drag on. During this period, I was preparing for the CISP exam and learning about anti-aversion, and I've learned a lot, one of which is feature code对抗anti-aversion. This article is especially for several methods and some popular science. I've consulted many blogs and combined my own practice, and I've gained a lot. If there are any deficiencies, I hope everyone can point them out in the comments section. See you next time!!

Reference links:

https://blackducksoftware.github.io/synopsys-detect/6.0.0/properties/Configuration/signature%20scanner/

https://github.com/Yara-Rules/rules

https://github.com/gentilkiwi/mimikatz

https://cloud.tencent.com/developer/article/2011190

https://www.fortinet.com/blog/threat-research/driver-signature-enforcement-tampering