API unhooking via Perun's Fart

Create a new process in a suspended state and overwrite the `ntdll.dll` from the current process to unhook it. After `ntdll` is unhooked, the shellcode is executed to spawn `calc.exe`.
This week, we are releasing 2 TTPs:
  • API unhooking via Perun's Fart
  • Process injection via Thread Hijacking

Last week we released 2 TTPs that used different techniques for process injection.

API unhooking via Perun's Fart

Perun's Fart? Fart in Swedish means speed and has nothing to do with another meaning that might immediately come to mind for most. The Perun's Fart unhooking technique spawns a new process in a suspended state and copies clean ntdll into the process to run without an EDR intervening. This technique is about the race condition between a newly spawned process and a security product, such as an EDR, latching its hooks to intercept API calls of the process to determine if the process is malicious or benign.

Testing

Execute the API unhooking via Perun's Fart TTP in Operator on each host in your environment.

This TTP will launch a notepad process in a suspended state using CreateProcessA and the dwCreationFlags parameter set as CREATE_SUSPENDED. The base address for ntdll.dll is obtained by inspecting the Process Environment Block (PEB) of the suspended process. VirtualAlloc is used to allocate memory for the clean copy of ntdll.dll. The Export Directory is obtained for both versions of ntdll.dll using GetImageExportDirectory. Syscall stubs are extracted from NT functions from the clean ntdll.dll (suspended notepad.exe process) and are copied to the currently running process. Now that ntdll is unhooked, the suspended notepad process is terminated, and shellcode is executed in the current process to launch calc.exe. Microsoft Defender, or any AV/EDR, may trigger immediately once this payload touches the disk.

Remediation

This technique is hard to catch but logging process creation in a suspended state may give some visibility into when this occurs. Some EDRs may actively scan processes for artifacts related to unhooking techniques or for other malicious indicators.

Process injection via Thread Hijacking

Thread Hijacking is another technique used in process injection. The main difference in this technique is that a suspended thread instruction pointer is updated to the location of the shellcode, which causes the thread to execute the shellcode when it is resumed.

Testing

Execute the Process injection via Thread Hijacking TTP in Operator on each host in your environment.

This TTP will begin by starting notepad.exe and allocating memory inside this newly created process. The TTP will then copy the shellcode into this allocated memory. Next, the TTP suspends a thread in the running process and creates a modified thread context which updates the instruction pointer address to the shellcode location. The TTP then assigns this modified context to the thread's current context. Finally, the TTP will resume the thread, resulting in the shellcode being executed.

Remediation

Like all process injection techniques, identifying the difference between a legitimate and malicious process injection will depend on the injecting process, the order of these injection events, and the injected process. These three things should provide insight into the type of process injection and whether or not it was malicious. Some EDRs may actively scan processes for artifacts related to unhooking techniques or for other malicious indicators.

Check out Process injection via Thread Hijacking.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Octavia: https://twitter.com/VVX7

Bart: https://twitter.com/bartimusprimed

Waseem: https://twitter.com/gerbsec

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

API unhooking via Perun's Fart