Question #1

Open
hanscees opened this issue Apr 19, 2023 · 4 comments

Comments

@hanscees

Hi,
Do you need to have admin rights to use these direct system calls?

Just wondering

@VirtualAlllocEx
Owner

No, the concept of direct system calls does not require administrator privileges or high integrity. Regardless of whether you are performing a task in user mode in the context of a privileged or unprivileged user, system calls are a key concept needed to make the (temporary) transition from user mode to kernel mode. For example, even in the simple case of wanting to save a file named notepad.txt to disk in the context of an unprivileged user (medium integrity), the concept of system calls is needed to give the process notepad.exe temporary access to the file system and device drivers in the kernel to complete the task.

You can see a detailed explanation in the related blog post:
https://redops.at/blog/direct-syscalls-a-journey-from-high-to-low

@hanscees
Author

Thank you for answering the question. I had read the blog post, having seen it mentioned on Mastodon. I could imagine Windows would somehow block the usage of low-level syscalls without using higher-level APIs.
But your answer means it doesn't.
We are using EDR to fight off malware, and you show this can be evaded. Therefore my question: is this method dependent on higher-level rights somehow?
Thanks for explaining! 👍

@VirtualAlllocEx
Owner

Direct system calls are a nice technique to use when trying to avoid detection by EDRs, but it is definitely not a silver bullet. I play regularly with many different well-known EDRs, and it depends very much on the EDR itself whether you are successful with direct system calls to evade the EDR. As this is not a new technique, EDRs for example started to make detections based on checking from which section or location the syscall was executed. As a result, depending on the capabilities of your EDR, it may be able to detect the execution of direct syscalls because the syscall was executed from the .text section of the malware PoC rather than from ntdll.dll, which would be the legitimate way. But as already mentioned, this depends strongly on the EDR itself and also on the capabilities of the shellcode which is used in the direct syscall PoC.
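A defender-side sketch of the check described in the comment above, added here as an example and not code from this repository or from the thread's participants: it classifies the address of an executed syscall instruction against a constructed, hypothetical process memory map and flags anything that did not come from ntdll.dll's .text section. All addresses and module names are made-up sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Where a syscall instruction was executed from, as an EDR might classify it. */
typedef enum {
    ORIGIN_NTDLL_TEXT,   /* legitimate: inside ntdll.dll's .text section */
    ORIGIN_OTHER_IMAGE,  /* inside a mapped image but outside ntdll's .text (e.g. a PoC's own .text) */
    ORIGIN_PRIVATE,      /* private memory: heap or a VirtualAlloc'd region holding shellcode */
    ORIGIN_UNMAPPED      /* not in the known map at all */
} syscall_origin;

/* One mapped region of the process; backing is the image name, or NULL for private memory. */
typedef struct { uintptr_t start, end; const char *backing; } region;

/* Constructed process map (hypothetical addresses, not taken from any real system). */
static const region g_map[] = {
    { 0x7ffd00000000ULL, 0x7ffd00200000ULL, "ntdll.dll" },
    { 0x0000000000400000ULL, 0x0000000000480000ULL, "poc.exe" },
    { 0x000000001a000000ULL, 0x000000001a010000ULL, NULL },
};
/* Constructed bounds of ntdll's .text section (hypothetical). */
static const uintptr_t g_ntdll_text_start = 0x7ffd00001000ULL;
static const uintptr_t g_ntdll_text_end   = 0x7ffd00120000ULL;

/* Classify the address of the executed syscall instruction. */
syscall_origin classify_syscall_site(uintptr_t site)
{
    for (size_t i = 0; i < sizeof g_map / sizeof g_map[0]; i++) {
        const region *r = &g_map[i];
        if (site < r->start || site >= r->end)
            continue;
        if (r->backing == NULL)
            return ORIGIN_PRIVATE;
        if (strcmp(r->backing, "ntdll.dll") == 0 &&
            site >= g_ntdll_text_start && site < g_ntdll_text_end)
            return ORIGIN_NTDLL_TEXT;
        return ORIGIN_OTHER_IMAGE;
    }
    return ORIGIN_UNMAPPED;
}

/* Count syscall events whose site is not inside ntdll's .text, i.e. the signal
 * the comment above describes. Returns the number of flagged events. */
size_t count_flagged(const uintptr_t *sites, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_syscall_site(sites[i]) != ORIGIN_NTDLL_TEXT)
            flagged++;
    return flagged;
}
```

A real EDR obtains the site address from its own telemetry (kernel callbacks, ETW, or stack walks), not from a static table like this one.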

@hanscees
Author

I have another question that's much broader, but since you have experience evading EDRs: we have a good EDR on servers and endpoints and also limit admin access with MFA and more.
The EDR will pick up many attacks staged for instance by spear-phishing or just a random attack via a website.
We are looking into also using WDA/AppLocker against LOLBin attacks.
In your experience, does using WDA add much to the security against ransomware gangs?
