Jump to content
Nytro

Shhmon — Silencing Sysmon via Driver Unload

Recommended Posts

Posted

Shhmon — Silencing Sysmon via Driver Unload

Matt Hand
Sep 18 · 4 min read

Sysmon is an incredibly powerful tool to aide in data collection beyond Windows’ standard event logging capabilities. It presents a significant challenge for us as attackers as it has the ability to detect many indicators that we generate during operations, such as process creation, registry changes, file creation, among many other things.

Sysmon is comprised of 2 main pieces — a system service and a driver. The driver provides the service with information which is processed for consumption by the user. Both the service and the driver’s names can be changed from their defaults to obfuscate the fact that Sysmon is running on the host.

Today I am releasing Shhmon, a C# tool to challenge the assumption that our defensive tools are functioning as intended. This also introduces a situation where the Sysmon driver has been unloaded by a user without fltMC.exe and the service is still running.

https://github.com/matterpreter/Shhmon

1*AEzetGB-p9fdx3b189Su9A.gif?q=20
1*AEzetGB-p9fdx3b189Su9A.gif

Despite being able to rename the Sysmon driver during installation (Sysmon.exe -i -d $DriverName), it is loaded at a predefined altitude of 385201 at installation.

A driver altitude is a unique identifier allocated by Microsoft indicating the driver’s position relative to others in the file systems stack. Think of this as a driver’s assigned parking spot. Each driver has a reserved spot where it is supposed to park. The driver should abide by this allocation.

We can use functions supplied in fltlib.dll (FilterFindFirst() and FilterFindNext()) to hunt for a driver at 385201 & unload it. This is similar to the functionality behind fltMC.exe unload $DriverName , but allows us to evade command line logging which would be captured by Sysmon before the driver is unloaded.

1*XiNhyroQe_IP4spl0fG0FQ.png?q=20
1*XiNhyroQe_IP4spl0fG0FQ.png

In order to unload the driver, the current process token needs to have SeLoadDriverPrivileges enabled, which Shhmon grants to itself using advapi32!AdjustTokenPrivileges.

1*I49PQ7-C729P0W8J2oK1bQ.png?q=20
1*I49PQ7-C729P0W8J2oK1bQ.png

Defensive Guidance

This technique generates interesting events worth investigating and correlating.

Sysmon Event ID 255

Once the driver is unloaded, an error event with an ID of DriverCommunication will be generated. After this error occurs, logs will no longer be collected and parsed by Sysmon.

1*JAQtt0zd1l1moFLFtq93Jg.png?q=20
1*JAQtt0zd1l1moFLFtq93Jg.png

Windows System Event ID 1

This event will also be generated on unload from the source “FilterManager” stating File System Filter <DriverName\> (Version 0.0, <Timestamp>) unloaded successfully. This event was not observed to be generated during a normal system restart.

1*-5XHwg8MaCTQ1mZMGZ_RJw.png?q=20
1*-5XHwg8MaCTQ1mZMGZ_RJw.png

Windows Security Event ID 4672

In order to unload the driver, our Shhmon process needs to be granted SeLoadDriverPrivileges. During testing, this permission was only sporadically granted to NT AUTHORITY\SYSTEM and is not a part of its standard permission set.

1*CzJwniZwULYzXMwf1QZR7A.png?q=20
1*CzJwniZwULYzXMwf1QZR7A.png

Sysmon Event ID 1/Windows Security Event ID 4688

Despite the intent of evading command line logging by using the API, the calling process will still be logged. An abnormal, high integrity process which is assigned SeLoadDriverPrivilege could be correlated with the above events to serve as a starting point for hunting. Bear in mind that this assembly could be used via something like Cobalt Strike’s execute-assembly functionality, where a seemingly innocuous binary would be the calling process.

1*kVe3eLlc6IXXyrjkK4ufKQ.png?q=20
1*kVe3eLlc6IXXyrjkK4ufKQ.png

Going beyond these, I have found that Sysmon’s driver’s altitude can be changed via the registry.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\<DriverName>\Instances\Sysmon Instance" /v Altitude /t REG_SZ /d 31337

When the system is rebooted, the driver will be reloaded at the newly specified altitude.

1*-WxZ_eKC7paTebsCsNaseg.png?q=20
1*-WxZ_eKC7paTebsCsNaseg.png
Sysmon with a non-default driver name running at altitude 31337

The new altitude could be discovered by reading the registry key HKLM:\SYSTEM\CurrentControlSet\Services\*\Instances\Sysmon Instance\Altitude, but this adds an additional layer of obfuscation which will need to be accounted for by an attacker.

Note: I have found during testing that if the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Additionally, there may be an opportunity to audit a handle opening on the \\.\FltMgr device object, which is done by fltlib!FilterUnload, by applying a SACL to the device object.

Many thanks Matt Graeber and Brian Reitz for helping me hone in on these.


References:

Written by

I like red teaming, picking up heavy things, and burritos. Adversary Simulation @ SpecterOps. github.com/matterpreter

Sursa: https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...