With Elastic Security 8.11, we added further kernel telemetry call stack-based detections to increase efficacy against in-memory threats.

Introduction

Implementation

New Rules

Windows API Call via Direct Syscall

VirtualProtect via Random Indirect Syscall

Image Hollow from Unbacked Memory

AMSI and WLDP Memory Patching

Evasion via Event Tracing for Windows Patching

Windows System Module Remote Hooking

Conclusion

Resources

Rules released with 8.11:

Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks

Using process creation as a case study, this research will outline the evasion-detection arms race to date, describe the weaknesses in some current detection approaches and then follow the quest for a generic approach to LRPC-based evasion.

A Brief History of Child Process Evasion

Detecting LRPC provenance

LRPC event volumes

Correlating RPC server calls with their clients

Correlating RPC server calls and resultant behavior

Introducing ETW’s ActivityId

What would Microsoft do?

Effective Parenting - detecting LRPC-based parent PID spoofing

In this blog, we will demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script – Get-InjectedThreadEx

CreateThread() overview

1 - Bring your own trampoline

2 - Shifting the trampoline mat

3 - If it walks like a trampoline, and it talks like a trampoline...

4 - It's literally already a trampoline

Hunting suspicious thread creations

Wrapping up

Get-InjectedThreadEx – Detecting Thread Creation Trampolines

Author

John Uhlmann

Articles

Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks

Effective Parenting - detecting LRPC-based parent PID spoofing

Get-InjectedThreadEx – Detecting Thread Creation Trampolines