
Indirect syscalls

Referenced from: https://www.cobaltstrike.com/blog/writing-beacon-object-files-flexible-stealthy-and-compatible/


Last updated 2 years ago

WORK IN PROGRESS

Detecting Direct Syscalls

Currently, the techniques for detecting direct syscalls are as follows:

  • Search the binary or memory for the syscall; ret instruction pair

    • Finds the code used to perform direct syscalls (the hand-rolled stubs)

  • Monitor for syscall instructions not originating from the memory range of NTDLL

    • Detects the use of direct syscalls at execution time, regardless of how the stub was built
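Both detection techniques above are simple enough to model in a few lines. The following is an added illustration written for this page, not code from the original post or from any referenced tool: it scans a byte buffer for the x64 syscall; ret encoding (0F 05 followed by C3, or C2 imm16) and classifies a list of addresses where a syscall instruction executed against a constructed module map, flagging anything outside NTDLL. The module bases, sizes and the sample bytes are constructed sample data, not real process state.

```python
"""Toy model of the two direct-syscall detection heuristics (added example).

Heuristic 1: byte-pattern search for syscall; ret in a buffer.
Heuristic 2: is the address of an executing syscall inside ntdll.dll?
All sample data below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple

# x64 encodings: syscall = 0F 05, ret = C3, ret imm16 = C2 xx xx.
SYSCALL_RET = re.compile(rb"\x0f\x05(?:\xc3|\xc2..)", re.DOTALL)


def find_syscall_ret(buf: bytes) -> List[int]:
    """Return the offset of every syscall; ret (or syscall; ret imm16) in buf."""
    return [m.start() for m in SYSCALL_RET.finditer(buf)]


@dataclass(frozen=True)
class Module:
    """A loaded image: name, base address and mapped size (constructed values)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def classify_syscall_sites(sites: List[int], modules: List[Module]) -> List[Tuple[int, str]]:
    """For each address at which a syscall instruction executed, report 'ok' when
    it lies inside ntdll.dll, otherwise 'suspicious (<owner>)' where owner is the
    module backing that address or 'unbacked' for private/anonymous memory."""
    ntdll = next(m for m in modules if m.name.lower() == "ntdll.dll")
    findings: List[Tuple[int, str]] = []
    for addr in sites:
        if ntdll.contains(addr):
            findings.append((addr, "ok"))
            continue
        owner = next((m.name for m in modules if m.contains(addr)), "unbacked")
        findings.append((addr, f"suspicious ({owner})"))
    return findings


# Constructed sample buffer: two NOPs, a hand-rolled Nt-style stub
# (mov r10, rcx; mov eax, 0x18; syscall; ret), an int3, then syscall; ret 8.
SAMPLE_BUF = (
    b"\x90\x90"
    + b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"
    + b"\xcc\x0f\x05\xc2\x08\x00"
)

# Constructed module map and syscall sites (addresses are made up).
SAMPLE_MODULES = [
    Module("ntdll.dll", 0x7FFE00000000, 0x200000),
    Module("main.exe", 0x140000000, 0x100000),
]
SAMPLE_SITES = [0x7FFE00010000, 0x140001000, 0x2A0000]

if __name__ == "__main__":
    for off in find_syscall_ret(SAMPLE_BUF):
        print(f"syscall; ret at offset {off:#x}")
    for addr, verdict in classify_syscall_sites(SAMPLE_SITES, SAMPLE_MODULES):
        print(f"{addr:#x}: {verdict}")
```

The byte scan catches stubs wherever they live (the first bullet), while the address check catches execution outside NTDLL even when the bytes were generated at runtime (the second bullet). Note what neither check covers: a syscall; ret pair that is legitimately inside NTDLL passes both, which is exactly the gap the next section is about.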

Evading these detections

To evade these detections, we need to avoid two things:

  • Containing the syscall; ret instruction pair in our own code

  • Calling it from outside the memory space of NTDLL

There is a way to perform our syscalls while "playing by" these detection rules, without the need to spoof or hide anything.

We can call the syscall; ret combination from NTDLL itself!

  • Locate an unhooked syscall; ret in the NTDLL memory range

  • Jump to it

No source code will be provided for this technique, but if/when I do produce a working PoC I will do a short demo on this page. (maybe video comparison with traditional syscalls?)

Related blogposts

https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/ <-- this blogpost is good if you want to understand syscall techniques in more depth