As this blog goes live, Eoin Carroll will be stepping off the stage at Hack in Paris having detailed the latest McAfee Advanced Threat Research (ATR) findings on Process Reimaging. Admittedly, this technique probably lacks a catchy name, but be under no illusion the technique is significant and is worth paying very close attention to.
Plain and simple, the objective of malicious threat actors is to bypass endpoint security. It is this exact game of cat and mouse that the security industry has been playing with malware writers for years, and one that, quite frankly, will continue. This ongoing battle will shape the future of cyber, and drive innovation in attack techniques and the ways in which we defend against them. As part of this process it is crucial that we, the McAfee ATR team, continually identify techniques that could be used by malicious actors successfully. It is this work that has led to the identification of a technique we call Process Reimaging, which was successful in bypassing endpoint security solutions (ESSs). To be clear, our objective is to stay ahead of malicious actors in identifying evasion techniques, with the broader goal of providing a safer computing environment for all organizations.
This technique is detailed by Eoin in a comprehensive technical blog titled In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass. The following is a summary of the findings.
Process Reimaging targets non-EDR ESSs. It’s a post exploitation technique, meaning it targets users who have already fallen victim, for example to a phishing or a drive-by-download attack, so that the process can execute undetected and dwell on an endpoint for an significant period of time. The Windows kernel exports functionality to support the user mode components of ESSs which they depend on for protection and detection capabilities. There are numerous APIs such as K32GetProcessImageFileName that allows the ESSs “to verify a process attribute to determine whether it contains malicious binaries and whether it can be trusted to call into its infrastructure.” It was this functionality that our research focused on since the APIs return stale and inconsistent FILE_OBJECT paths, this potentially allows a malicious actor to bypass the process attribute verification undertaken by the Windows Operating System. To be more precise, this allowed McAfee ATR to develop a proof-of-concept that was not detected by Windows Defender and will not be detected until a signature is created to block the file on disk before the process itself is created or a full scan is executed.
It is because the ESS relies on the Windows operating system to verify the process attributes that this technique is actually successful. Whereby the ESS will naturally trust a particular process with a non-malicious file on disk since it makes the assumption that the O/S has verified the correct file on disk associated with that process, for the ESS to scan.
Releasing details of the technique
With the public release of security research, there is always a significant risk that any released information can be utilized by adversaries for nefarious activities. The balance of security research versus irresponsible disclosure is an issue we continually wrestle with, and these findings are no different. In the process of conducting due diligence, we were able to identify the use of Process Doppelganging with Process Hollowing as its fallback defense evasion technique within the SynAck ransomware in 2018. Since Process Doppelganging technique was weaponized within SynAck ransomware less than five months after it’s disclosure at Blackhat Europe in 2017, we can only assume that the Process Reimaging technique itself is, or rather will be close to usage by threat actors to bypass detection.