
Sneaky Shellcode: Windows Fibers Offer EDR-Proof Code Execution


Windows fibers, little-known components of the Windows OS, are an obscure and rarely examined code-execution pathway that exists exclusively in user mode, and is therefore largely overlooked by endpoint detection and response (EDR) platforms. As such, attackers could use them to land stealthily on machines and deploy malicious payloads.

That's according to Daniel Jary, an independent security researcher, who presented two new proof-of-concept (PoC) attacks using fibers in a session at Black Hat Asia on Thursday.

Fibers are an alternative to the standard threads that Windows uses to execute code from the operating system or from an application, he explains.

"Threads are like workers, essentially, within a Windows process or an application, and traditionally they have always been the way you would execute code and get things done," he tells Dark Reading. "But there's a more niche way to do that, through fibers."

Fibers: A Forgotten and Overlooked Windows Execution Pathway

Fibers, when used, exist within threads; they are essentially smaller, more lightweight versions of the larger thread concept. Unlike threads, which the kernel schedules preemptively, fibers are scheduled cooperatively by the application itself: a fiber runs until the code explicitly switches to another one. Fibers were originally developed at a time when processors had fewer cores available and could host only so many threads. At a high level, these smaller units were a way to extend capacity, letting developers split workloads within a single thread and make processes more efficient.

“But as computers became more powerful, with more memory to play with, fibers became somewhat redundant in the vast majority of scenarios,” Jary explains. “That’s why a lot of people really haven’t heard about them and they’re a bit obscure, but they do serve a few purposes for some old legacy applications and a way to port programs from other operating systems over to Windows. And some Windows processes themselves actually still use fibers.”

Thus, fibers enjoy the dubious honor of being both a core Windows function and an overlooked one by security teams. To boot, Jary notes that traditional detection mechanisms in EDR platforms and antivirus engines tend to ignore them — making them a perfect stealth avenue to execute malicious code.

“Threads are heavily monitored by EDR agents, which look at syscalls and kernel mode callbacks to capture telemetry and send it to a rules engine to generate detection,” Jary says. “But fibers exist purely in user mode and don’t show up in kernel collection, so their telemetry is not actually getting recorded by EDRs.”

Some open source techniques already exist to take advantage of fibers' under-the-radar status. A PoC from 2022, for instance, details a method for hiding malicious shellcode inside a fiber, thereby evading most AV engines.

Others have created callstack masking methods, which let an attacker hide a malicious execution path within a thread (in this case, a fiber) behind a different, dormant fiber that is benign, also evading detection. The technique takes advantage of the fact that if fibers are in use, there is always an active fiber plus a dormant fiber that it switches with. This masking capability was added to Cobalt Strike's Artifact Kit in 2022.

New Frontiers in Malicious Fiber Execution

Jary set out to explore whether the existing malicious-fiber techniques could be improved upon, and came up with two new PoCs, dubbed Phantom Thread and Poison Fiber.

Existing adversarial fiber methods have certain disadvantages for attackers: some indicators can still be used for EDR detection, and the malicious activity isn't hidden from inline, event-based callstack collection. Any collection of dormant fibers, for which several techniques exist, would defeat the callstack masking.

Phantom Thread is a next-generation callstack masking approach that removes memory scanners' ability to target fibers by having those fibers masquerade as threads. It involves creating a fiber, then patching it so that it self-identifies as a thread. That makes it possible to remove any fiber callstack indicators and essentially hide the fibers from scanning altogether.

The second PoC, Poison Fiber, enumerates any running Windows processes, looking at threads in use and then whether any of those threads are using fibers. Then “it presents you with an opportunity to inject your payload or your shellcode into a dormant fiber,” Jary explains.

“You can only run one fiber per thread at any one time, which means you always have another dormant fiber parked somewhere else on the stack,” he says. “When we execute our code using Poison Fiber, this injects our code into a dormant fiber, so we don’t have to suspend the thread in order to inject the shellcode, which is a huge indicator for malicious activity. And because we’ve injected the payload into a dormant fiber, then the application triggers the execution for us, and we don’t initiate the execution ourselves.” The technique has an added benefit of allowing remote code execution (RCE) as well.
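As an added example (not the article's code, and not Jary's unreleased PoCs), the C program below performs the enumeration step that Poison Fiber is described as doing, read the other way around for hunting: for each thread of a process it reads the thread's TEB and checks the HasFiberData flag that ConvertThreadToFiber sets and IsThreadAFiber reads back. The TEB offsets used (FiberData at 0x20, the 16-bit SameTebFlags at 0x17EE with HasFiberData as bit 2), the 0x1E00 version stamp that an unconverted thread carries in the FiberData/Version union, and the sample TEB images are assumptions for the Windows 10/11 native x64 layout, not something the article states. Run with no arguments it converts its own main thread to a fiber and scans itself; given a PID it scans that process from the outside.

```c
/* Added example, not code from the article or from Daniel Jary's PoCs: tell
 * from a thread's TEB whether it has been converted to a fiber.  ASSUMED
 * layout (Windows 10/11, native x64 TEB): NtTib.FiberData at 0x20 and the
 * 16-bit SameTebFlags at 0x17EE, whose bit 2 (HasFiberData) is set by
 * ConvertThreadToFiber and read back by IsThreadAFiber.  The decoding is
 * plain C; the live-process scan below it is compiled only on Windows. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEB_FIBERDATA_OFF 0x20u
#define TEB_SAMEFLAGS_OFF 0x17EEu
#define TEB_HASFIBERDATA  0x0004u
#define TEB_READ_LEN      0x1800u   /* enough to cover SameTebFlags on x64 */

/* 1 = HasFiberData set, 0 = clear, -1 = image too short.
 * *fiber_data (optional) receives the raw NtTib.FiberData slot. */
int teb_has_fiber(const uint8_t *teb, size_t len, uint64_t *fiber_data)
{
    uint16_t flags;
    if (len < TEB_SAMEFLAGS_OFF + sizeof flags)
        return -1;
    memcpy(&flags, teb + TEB_SAMEFLAGS_OFF, sizeof flags);
    if (fiber_data)
        memcpy(fiber_data, teb + TEB_FIBERDATA_OFF, sizeof *fiber_data);
    return (flags & TEB_HASFIBERDATA) ? 1 : 0;
}

/* Constructed TEB images, not captured from a real process.  FiberData is a
 * union with NtTib.Version, so an unconverted thread still holds Windows'
 * 0x1E00 version stamp there: "FiberData != 0" alone is not evidence. */
static void build_sample_teb(uint8_t *buf, int converted)
{
    uint64_t fd    = converted ? 0x000001D2C0A3B000ull : 0x1E00ull;
    uint16_t flags = converted ? TEB_HASFIBERDATA : 0;
    memset(buf, 0, TEB_READ_LEN);
    memcpy(buf + TEB_FIBERDATA_OFF, &fd, sizeof fd);
    memcpy(buf + TEB_SAMEFLAGS_OFF, &flags, sizeof flags);
}

int sample_check(int converted) {           /* flag-based verdict: 1 or 0 */
    uint8_t buf[TEB_READ_LEN];
    build_sample_teb(buf, converted);
    return teb_has_fiber(buf, sizeof buf, NULL);
}

uint64_t sample_fiber_data(int converted) { /* raw slot: nonzero either way */
    uint8_t buf[TEB_READ_LEN]; uint64_t fd = 0;
    build_sample_teb(buf, converted);
    teb_has_fiber(buf, sizeof buf, &fd);
    return fd;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

typedef struct {                            /* THREAD_BASIC_INFORMATION, x64 */
    LONG ExitStatus; PVOID TebBaseAddress;
    struct { HANDLE UniqueProcess, UniqueThread; } ClientId;
    ULONG_PTR AffinityMask; LONG Priority, BasePriority;
} TBI;
typedef LONG (WINAPI *NtQIT_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Reads each thread's TEB in pid and counts fiber-converted threads.  Needs
 * PROCESS_VM_READ on the target; a WOW64 (32-bit) target has a different
 * TEB layout and is deliberately not handled here. */
int scan_process_fibers(DWORD pid)
{
    NtQIT_t NtQIT = (NtQIT_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                            "NtQueryInformationThread");
    HANDLE proc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    int hits = 0;
    if (!NtQIT || !proc || snap == INVALID_HANDLE_VALUE)
        return -1;
    THREADENTRY32 te = { .dwSize = sizeof te };
    for (BOOL ok = Thread32First(snap, &te); ok; ok = Thread32Next(snap, &te)) {
        if (te.th32OwnerProcessID != pid) continue;
        HANDLE th = OpenThread(THREAD_QUERY_INFORMATION, FALSE, te.th32ThreadID);
        if (!th) continue;
        TBI tbi; uint8_t teb[TEB_READ_LEN]; SIZE_T n = 0; uint64_t fd = 0;
        if (NtQIT(th, 0 /* ThreadBasicInformation */, &tbi, sizeof tbi, NULL) == 0 &&
            ReadProcessMemory(proc, tbi.TebBaseAddress, teb, sizeof teb, &n) &&
            teb_has_fiber(teb, n, &fd) == 1) {
            printf("tid %lu: HasFiberData set, current fiber %#llx\n",
                   (unsigned long)te.th32ThreadID, (unsigned long long)fd);
            hits++;
        }
        CloseHandle(th);
    }
    CloseHandle(snap); CloseHandle(proc);
    return hits;
}

/* No argument: convert our own main thread and scan ourselves (expect 1).
 * With a pid: scan that process from the outside. */
int main(int argc, char **argv)
{
    DWORD pid = GetCurrentProcessId();
    if (argc > 1) pid = (DWORD)strtoul(argv[1], NULL, 10);
    else          ConvertThreadToFiber(NULL);
    int hits = scan_process_fibers(pid);
    printf("%d fiber-converted thread(s) in pid %lu\n", hits, (unsigned long)pid);
    return hits < 0;
}
#endif
```

The flag, not the FiberData pointer, is what to key on: the pointer slot overlaps NtTib.Version and is nonzero on every thread, which is why a scanner that tests only FiberData != 0 flags everything. A thread that never called ConvertThreadToFiber cannot hold a dormant fiber, so the list of flagged threads is the natural starting point both for the injection Jary describes and for a hunter looking for processes where fibers are unexpectedly in use.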

Wake Up to Fibers' Adversarial Potential

While they remain somewhat obscure, fibers should be on security teams’ list of attack vectors, warns Jary, who has not yet released his evolved PoCs or granular details on the methods publicly. He reasons that it’s only a matter of time before others find ways of overcoming drawbacks in existing open source fiber execution methods.  

“Fiber’s alternate execution method is valuable to attackers because it helps us sidestep traditional telemetry sources that we get with threads, in particular kernel callbacks,” he says. “Fibers aren’t a privilege escalation tactic, and they aren’t a user access control (UAC) bypass. But it does allow a payload delivery that gets a lot less spotlight and attention from the security community. Fibers are really simple to implement, but they’re harder to detect. So that makes them perfect for any script kiddie to use to attack businesses.”

Jary advises deploying mature EDR products that can be continuously tested against emerging techniques like these.

“Talk to your red teamers about open source fiber methods that are being used in the wild,” he says. “Do some research to see what attackers are having joy with, what’s popular in the wild, then feed that back into your research team and your EDR product developers. That’s going to help build better defenses and probably make your threat hunters’ lives a little bit easier as well.”
