
How to investigate "Malicious Behavior Prevention Alert: Potential Evasion with Hardware Breakpoints" #46

Closed
FideliusFalcon opened this issue Oct 8, 2024 · 2 comments
Assignees
Labels
Artifact: behavior behavior rules question Further information is requested

Comments

@FideliusFalcon

Since August 19, we’ve noticed a significant increase in alerts triggered by the "Malicious Behavior Prevention Alert: Potential Evasion with Hardware Breakpoints" rule (a10e7b14-4b7b-4a34-b3f6-64791c1114b3). However, there’s a lack of clear guidance on how to trace the source of the hardware breakpoint or determine whether it’s legitimate or malicious.

The rule doesn’t provide sufficient information on how to:

  • Identify which process or code set the hardware breakpoint.
  • Determine if this behavior is normal or indicative of process injection or other evasion techniques.

Could you provide an investigation guide or recommended steps for analyzing these alerts effectively? More context or next steps within the rule itself would also be helpful.

I hope it's okay that I created a GitHub issue directly; otherwise just tell me and I will open an Elastic support ticket.

Thank you.

@Samirbous Samirbous self-assigned this Oct 22, 2024
@Samirbous

@FideliusFalcon the following steps should help triage alerts for this rule:

  • review global prevalence - how many other agents have the same alert details (same process, command_line, signature etc.); if it's more than 2/3, it's highly likely an FP (HW breakpoint is an advanced TTP and will usually be limited to a few hosts if they are infected).
  • review if there are any other alerts on the same agent.id for the same period (e.g. shellcode alert, malware alert, behavior alerts); it will highly likely be a TP if there are other alerts, especially if they are linked to the same process.
  • if it's limited to, say, 1 agent, review the process.command_line, process.code_signature and process.hash.sha256; usually signed third-party software running from Program Files that is not common software (e.g. not Chrome, Firefox etc.) is highly likely to be an FP.
  • if still in doubt, check the process.thread.Ext.call_stack details and see if there are any third-party DLLs; there is some software that loads modules with debugging capabilities, like those already excluded as FPs.
  • review any unbacked region in the process.thread.Ext.call_stack, copy the bytes (if any) and check on VT whether they match any known malware/shellcode; below is an example of a stack from a TP for the same rule:
 "thread": {
      "Ext": {
        "call_stack_summary": "ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|wininet.dll|urlmon.dll|Unbacked|file.exe",
        "call_stack_contains_unbacked": true,
        "call_stack": [
          {
            "symbol_info": "C:\\Windows\\System32\\ntdll.dll!ZwMapViewOfSection+0x14"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\wow64.dll+0x6c64"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64SystemServiceEx+0x153"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\wow64cpu.dll!TurboDispatchJumpAddressEnd+0xb"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\wow64cpu.dll!BTCpuSimulate+0x9"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64LdrpInitialize+0x25a"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\wow64.dll!Wow64LdrpInitialize+0x120"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitShimEngineDynamic+0x31dd"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0x1db"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0x63"
          },
          {
            "symbol_info": "C:\\Windows\\System32\\ntdll.dll!LdrInitializeThunk+0xe"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!NtMapViewOfSection+0xc"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!RtlMultiByteToUnicodeSize+0x1ae"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!LdrLoadAlternateResourceModuleEx+0x80e"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!EtwRegisterTraceGuidsW+0x57f"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!LdrAddRefDll+0x1f8"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!LdrRscIsTypeExist+0x48f"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!LdrShutdownThread+0x6ec"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!RtlInitUnicodeStringEx+0xce"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\ntdll.dll!LdrLoadDll+0x93"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\KernelBase.dll!LoadLibraryExW+0x14f"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\KernelBase.dll!LoadLibraryExA+0x26"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\wininet.dll!HttpCloseDependencyHandle+0x541"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\wininet.dll!AppCacheDuplicateHandle+0xbe9"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\wininet.dll!InternetSetOptionA+0x10fc"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\wininet.dll!InternetSetOptionW+0x156"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!CreateFormatEnumerator+0x3e7"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!CreateFormatEnumerator+0x2be"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!IsJITInProgress+0x38ff"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!RegisterBindStatusCallback+0x14569"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!RegisterBindStatusCallback+0x149fa"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!RegisterBindStatusCallback+0x9a8e"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!CoInternetCombineIUri+0x4994"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!RevokeBindStatusCallback+0x13c2"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!RegisterBindStatusCallback+0x1fa9"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!RegisterBindStatusCallback+0x2313"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!URLDownloadToFileW+0x3ed"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!URLDownloadToFileW+0x32c"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!URLDownloadToFileW+0x3d"
          },
          {
            "symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!URLDownloadToFileA+0xda"
          },
          {
            "symbol_info": "Unbacked+0x9fd6",
            "callsite_trailing_bytes": "6a0557575668903f011057ff15a8c200106a01585f5ec20c00b874b20010e8e30d000083ec185356578d45dc8965f06a10ff750833db895dec895dfc50e8b00d",
            "callsite_leading_bytes": "da8b00105353e8b200000083c41c8bf86aff57ff1564c1001057ff1588c100106840420f00ffd6ebf7565733ffbeb83f011057575668983f011057e852110000"
          },
          {
            "symbol_info": "C:\\Users\\user\\Desktop\\file.exe+0x15b1",
            "callsite_trailing_bytes": "85c0751355e8b506000083c40433c05f5e5d5b83c444c3c74510010000005f8bc55e5d5b83c444c39090909090909083ec28b045538844241d88442420b06c55",
            "protection": "RWX",
            "callsite_leading_bytes": "8bc383c40c2bc1740a5055e88f03000083c40855e80604000083c40485c0742455e8b90100008b450083c4048b402885c0742b03c385c0740b6a006a0153ffd0",
            "allocation_private_bytes": 495616
          }
        ],
        "hardware_breakpoint_set": true
      }
    }
  },
  "user": {
    "id": "S-1-5-21-2723637291-3094084044-761125207-1000"
  }
}

When copying the bytes from the unbacked region and doing a quick lookup on VT, we can confirm it's malicious: https://www.virustotal.com/gui/search/content%253A%257B6a0557575668903f011057ff15a8c200106a01585f5ec20c00b874b20010e8e30d000083ec185356578d45dc8965f06a10ff750833db895dec895dfc50e8b00d%257D/files

Hope it helps. If you are still in doubt and want to share your alert for further triage, please ping us on the Elastic Security community Slack channel.
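A small helper that applies the stack-review steps above to one alert document, as an added example (not code from Elastic or from this thread): it assumes the process.thread.Ext.call_stack layout shown in the excerpt, pulls out unbacked and RWX frames plus any modules outside C:\Windows, and builds the same double URL-encoded VirusTotal content-search link form as the one quoted above. The sample alert is constructed and trimmed to a few frames.

```python
import json
from urllib.parse import quote

# Constructed sample modelled on the alert excerpt above, trimmed to a few frames.
SAMPLE_ALERT = json.loads(r'''{"process": {"thread": {"Ext": {
  "call_stack_contains_unbacked": true,
  "call_stack": [
    {"symbol_info": "C:\\Windows\\System32\\ntdll.dll!ZwMapViewOfSection+0x14"},
    {"symbol_info": "C:\\Windows\\SysWOW64\\urlmon.dll!URLDownloadToFileA+0xda"},
    {"symbol_info": "Unbacked+0x9fd6",
     "callsite_leading_bytes": "da8b00105353e8b20000",
     "callsite_trailing_bytes": "6a0557575668903f0110"},
    {"symbol_info": "C:\\Users\\user\\Desktop\\file.exe+0x15b1", "protection": "RWX",
     "callsite_trailing_bytes": "85c0751355e8b5060000", "allocation_private_bytes": 495616}
  ],
  "hardware_breakpoint_set": true
}}}}''')

def module_of(frame):
    """Module path from symbol_info such as 'C:\\x\\a.dll!Func+0x14' ('Unbacked' if none)."""
    return frame["symbol_info"].split("!", 1)[0].rsplit("+", 1)[0]

def suspicious_frames(alert):
    """Frames the triage steps single out: unbacked return addresses and RWX memory."""
    frames = alert["process"]["thread"]["Ext"]["call_stack"]
    return [f for f in frames if module_of(f) == "Unbacked" or f.get("protection") == "RWX"]

def non_windows_modules(alert):
    """Backed modules outside C:\\Windows: third-party DLLs and the main image."""
    mods = {module_of(f) for f in alert["process"]["thread"]["Ext"]["call_stack"]}
    return {m for m in mods if m != "Unbacked" and not m.lower().startswith("c:\\windows\\")}

def vt_content_search_url(hex_bytes):
    """VirusTotal content-search URL, double URL-encoded as in the link above."""
    query = quote(quote(f"content:{{{hex_bytes}}}", safe=""), safe="")
    return f"https://www.virustotal.com/gui/search/{query}/files"

def triage(alert):
    """Facts a triager wants from one alert: breakpoint flag, unbacked code, non-OS modules, VT lookups."""
    ext = alert["process"]["thread"]["Ext"]
    return {
        "hardware_breakpoint_set": ext.get("hardware_breakpoint_set", False),
        "unbacked": ext.get("call_stack_contains_unbacked", False),
        "third_party": sorted(non_windows_modules(alert)),
        "vt_lookups": [vt_content_search_url(f["callsite_trailing_bytes"])
                       for f in suspicious_frames(alert) if "callsite_trailing_bytes" in f],
    }
```

Feed it the alert's process object (for example the `_source` of the alert document from Kibana) and review the `third_party` list and `vt_lookups` links by hand; a hit for the trailing bytes on VT is the same confirmation step the comment above walks through.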

@Samirbous Samirbous added question Further information is requested Artifact: behavior behavior rules labels Oct 22, 2024
@FideliusFalcon
Author

Hi @Samirbous
Thank you very much for your in-depth answer.
