HackTool.Win64.EDRSandBlast.D

Installation

This Hacking Tool adds the following processes:

• {Grayware File Path}\{Grayware File Name}.exe

Dropping Routine

This Hacking Tool drops the following files:

• {Grayware File Path}\Ntoskrnl.pdb → deleted afterwards
• {Grayware File Path}\fltMgr.pdb → deleted afterwards
• {Grayware File Path}\wdigest.pdb → deleted afterwards
• {Grayware File Path}\WNBIOS.sys → vulnerable driver

Other Details

This Hacking Tool does the following:

• It employs techniques utilized to bypass EDR detections both in user and kernel mode.
• It performs the following actions to bypass EDR detections:
  • Kernel Notify Routines Callbacks Removal → by exploiting an arbitrary kernel memory read/write primitive through exploiting a vulnerable driver
  • Object Callbacks Removal → by disabling the Enabled flag in the OB_CALLBACK_ENTRY structure, unlinking the CallbackList of threads and process, or disabling object callbacks through disabling the SupportsObjectCallbacks bit in the ObjectTypeFlags field
  • Minifilters' Callbacks Unlinking → by scanning structures used by the Windows Filter Manager to detect callback nodes containing monitoring functions and unlink them from their lists, making them temporarily invisible from the filter manager
  • Disable ETW Microsoft-Windows-Threat-Intelligence Provider → by patching in kernel memory during runtime the ETW TI provider
  • Userland Hooking Bypass → by either removing the hooks, using a custom or the existing EDR's trampoline to jump over and execute the rest of the function as is, using a duplicate DLL, or using direct syscall methods
• It detects EDR drivers and processes.
• It bypasses RunAsPPL by elevating its protection level higher than the LSASS process.
• It bypasses Credential Guard by enabling Wdigest to store cleartext credentials in LSASS memory.
• It downloads symbols from the Microsoft Symbol Server for the ntoskrnl.exe, fltmgr.sys, and wdigest.dll. If a corresponding *Offsets.csv file exists, it appends the acquired offsets from the symbols to the file.
• It connects to the following URL(s) to download symbols from the Microsoft Symbol Server:
  • https://{BLOCKED}icrosoft.com/download/symbols/ntkrnlmp.pdb/2E37F962D699492CAAF3F9F4E9770B1D2/ntkrnlmp.pdb
  • https://{BLOCKED}crosoft.com/download/symbols/fltMgr.pdb/BDB830D5AD37A0994727A90DE1D97BA41/fltMgr.pdb
  • https://{BLOCKED}crosoft.com/download/symbols/wdigest.pdb/D0FEB1356A4987BF32419D0533E05AED1/wdigest.pdb
• It checks for the presence of the following files:
  • {Grayware File Path}\NtoskrnlOffsets.csv → contains offsets used to perform Offsets Retrieval
  • {Grayware File Path}\FltmgrOffsets.csv → contains offsets used to perform Offsets Retrieval
  • {Grayware File Path}\WdigestOffsets.csv → contains offsets used to perform Offsets Retrieval
• It conducts offset retrieval to perform kernel monitoring bypass operations.
• It checks for the existence of the following service:
  • Service Name: {8 Random Characters}
• If the service above is not found, it is then created with the following details and started subsequently:
  • Name: {8 Random Characters}
  • Display Name: {8 Random Characters}
  • Type: Driver service
  • Start Type: Auto start
  • Binary Path: {Grayware File Path}\WNBIOS.sys
• It reverses its routines and deletes the installed service when the command "exit" is entered on its console.
• It displays its logs on a console: