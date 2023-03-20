While the FudModule’s capability to tamper with ETW registration handles does enable it to create and operate within a blind spot for security tooling, this is not the first piece of malware X-Force has encountered that tampers with data streams to avoid detection. To handle these types of detection challenges, X-Force has developed a detection method focused on identification of malicious activity by testing data stream health.

The following section will demonstrate a proof-of-concept ETW data stream monitor like X-Force’s using PowerShell and Symon so organizations can start considering a similar detection capability.

The FudModule’s attack against ETW registration handles may disable ETW monitoring providers, but X-Force was not able to uncover evidence that the malware prevents new ETW registration handles from being created and used. Defenders can leverage this opportunity to register a new ETW session to an existing security-related ETW provider, create test data, and compare the telemetry between the new ETW session and the existing ETW session. Organizations can implement a similar strategy to detect when there is a discrepancy between the telemetry registered in the data source and raise an alarm regarding security-related ETW data stream health when a discrepancy is observed.

When Microsoft deployed PatchGuard in the early 2000s, it limited the ability for security vendors to hook the kernel directly to detect malware executing on a system. Since the introduction of PatchGuard, vendors have leveraged Kernel callback functions to monitor activities on a system. For a comprehensive list of Kernel callback functions here, see the Kernel CallbackFunctions list created by CodeMachine here.

The most common Kernel callback functions leveraged by security vendors are:

PsSetCreateProcessNotifyRoutine

CmRegisterCallbackEx

PsSetCreateThreadNotifyRoutine

ObRegisterCallbacks

PsSetLoadImageNotifyRoutine

For the purposes of this blog, we will be focusing on PsSetCreateProcessNotifyRoutine which is a callback routine to monitor process creation activities performed by APIs like CreateProcess(), CreateProcessAsUser(), CreateProcessWithToken(), and CreateProcessWithLogon().

Security products often leverage PsSetCreateProcessNotifyRoutine as a mechanism to be notified when a user spawns a new process via the CreateProcessW() function in kernel32.dll. With the introduction of kernel-mode drivers for modern security products, they are now able to intercept and inject into resulting process creation events by hooking ntdll.dll to perform inspections of the process activity.

To simulate the resulting blind spots from the FudModule, X-Force will disrupt the data streams enabling Sysmon to monitor process creation events via PsSetCreateProcessNotifyRoutine without stopping the Sysmon ETW Trace Session or removing the ETW Provider.