Post 66 - Playing in the sand

11 Dec 2024

Task 12, Day 6 Sandboxes If you can’t find a nice malware to use, I’m not going.

Detecting Sandboxes

Often times Windows sandboxes don’t have the C:\Program Files directory. Can check if it’s present by looking in the registry: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir

Example for checking in C language:

void registryCheck() {
    const char *registryPath = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion";
    const char *valueName = "ProgramFilesDir";

    \\ Prepare the command string for reg.exe
    char command[512];
    snprintf(command, sizeof(command), "reg query \"%s\" /v %s", registryPath, valueName);

    \\ Run the command
    int result = system(command);

    \\ Check for successful execution
    if (result == 0) {
        printf("Registry query executed successfully.\n");
    } else {
        fprintf(stderr, "Failed to execute registy query.\n");
    }
}
int main() {
    const char *flag = "[REDACTED]";
    registryCheck();
        return 0;

}

YARA

Tool that identifies and classifies malware based on patterns in its code. Sample YARA rule for detecting any command that tries to access the registry:

rule SANDBOXDETECTED
{
    meta:
        description = "Detects the sandbox by querying the registry key for Program Path"
        author = "THM"
        date = "2024-10-08"
        version = "1.1"

    strings:

    $cmd= "Software\\Microsoft\\Windows\\CurrentVersion\" /v ProgramFilesDir" nocase



    condition:
        $cmd
}

• Strings defines variables that include the value to look for.
• Condition defines when the rule will match the scanned file. Example is true if any of the above strings are present.

Adding Evasion Techniques

Obfuscation

Consider encoding the command in base64 and running in powershell:

void registryCheck() {
    const char *encodedCommand = "R2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAiSEtMTTpcU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb24iIC1OYW1lIFByb2dyYW1GaWxlc0Rpcg==";
    
    \\ Prepare the PowerShell execution command
    char command[512];
    snprintf(command, sizeof(command), "powershell -EncodedCommand %s", encodedCommand);

    \\ Run the command
    int result = system(command);

    \\ Check for successful execution
    if (result == 0) {
        printf("Registry query executed successfully.\n");
    } else {
        fprintf(stderr, "Failed to execute registy query.\n");
    }
}

Combatting Obfuscation

Can use tools like Floss to scan malware binaries to extract obfuscated strings. Run in powershell to scan file and write output to file: floss.exe <Path-to-malware\binary.file> |Out-file <path-to-output\file.txt>

Using YARA Rules on Sysmon Logs

Sysmon is from Sysinternals, continuously monitors and logs system activity across reboots. Provides detailed event data on process creation, network connections, and file changes. Set filter to logs with XLM looking for EventRecordID from one of the intial YARA tests. Go to details of event in Event Viewer. Valuable EventData:

• ParentImage parent process that spawned cmd process to check registry.
• ParentProcessId and ProcessId valuable for follow up and searching other logs for related events.
• User helps determine what privileges were applied when running command. May identify a hidden account used to run commands.
• CommandLine details about the command that was run.
• UtcTime Provides solid time frame to keep the timeline straight.

The Task

Retrieve flags from malware via EDR and Floss.

Recommended Stuff

FlareVM: Arsenal of Tools room.