
Thread Creation category #10

Open
wants to merge 2 commits into base: main

Conversation

jdu2600 (Contributor) commented Apr 20, 2023

Description

Thread Creation events (ideally via a PsSetCreateThreadNotifyRoutine callback) are a useful telemetry source.

References -
https://bruteratel.com/release/2022/11/17/Release-Resurgence/
"Several changes were also made to how a local thread was created following some detections from Elastic EDR, as unlike any other EDR, Elastic also monitors local threads."

Type of change

  • New feature (adding additional EDR product or proposing new event categories/sub-categories)

@jdu2600 jdu2600 changed the title Thread creation Thread Creation category Apr 20, 2023
@tsale tsale added enhancement New feature or request under review Evaluating proposal labels Apr 20, 2023
@tsale tsale self-requested a review April 20, 2023 23:48
tsale (Owner) commented Apr 20, 2023

Thanks @jdu2600, could you please provide some examples from the Elastic EDR events?

@tsale tsale added waiting for info Further information is requested and removed under review Evaluating proposal labels Apr 20, 2023
jdu2600 (Contributor, Author) commented Apr 21, 2023

CreateThread = event.code: shellcode_thread and Memory_protection.self_injection:true
StartAddress = Target.process.thread.Ext.start_address
Parameter = Target.process.thread.Ext.parameter
ThreadId = Target.process.thread.id

Here's a sample event -

```json
{
    "@timestamp": "2023-04-21T08:20:56.0268971Z",
    "Memory_protection": {
        "cross_session": false,
        "feature": "shellcode_thread",
        "parent_to_child": false,
        "self_injection": true,
        "unique_key_v1": "7651b354339974912df0bd3ed916113ca5af76c1005178da137202f1dee79bdf"
    },
    "Target": {
        "process": {
            "Ext": {
                "memory_region": {
                    "allocation_base": 12517376,
                    "allocation_protection": "RW-",
                    "allocation_size": 4194304,
                    "allocation_type": "PRIVATE",
                    "bytes_address": 12517376,
                    "bytes_allocation_offset": 0,
                    "memory_pe_detected": false,
                    "region_base": 15663104,
                    "region_protection": "R-X",
                    "region_size": 1048576,
                    "region_state": "COMMIT",
                    "strings": [
                        "This is a wchar string.",
                        "This is a char string."
                    ]
                },
                "protection": "",
                "token": {
                    "domain": "WINDOWS-DEV",
                    "elevation": true,
                    "elevation_type": "full",
                    "integrity_level_name": "high",
                    "sid": "S-1-5-21-808390715-165647297-874774755-1001",
                    "user": "johnu"
                },
                "user": "johnu"
            },
            "thread": {
                "Ext": {
                    "call_stack": [
                        {
                            "instruction_pointer": 1999130752,
                            "memory_section": {
                                "memory_address": 1998655488,
                                "memory_size": 1187840,
                                "protection": "R-X"
                            },
                            "module_name": "ntdll.dll",
                            "module_path": "c:\\windows\\syswow64\\ntdll.dll",
                            "symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlUserThreadStart+0x0"
                        }
                    ],
                    "call_stack_summary": "ntdll.dll",
                    "parameter": 9605120,
                    "start_address": 15663104,
                    "start_address_allocation_offset": 3145728,
                    "start_address_bytes": "6a2a58c20400b8e0a19200c3558becff7514ff7510ff750cff7508e8e6ffffff",
                    "start_address_bytes_disasm": "push 0x2a\npop eax\nret 0x04\nmov eax, 0x92a1e0\nret\npush ebp\nmov ebp, esp\npush dword ptr [ebp+0x14]\npush dword ptr [ebp+0x10]\npush dword ptr [ebp+0x0c]\npush dword ptr [ebp+0x08]\ncall 0x00000006",
                    "start_address_bytes_disasm_hash": "b4ec8d454b20dfdaa22e9dd789d0e3fef62cc87cb01b88adca4cf776d7e34b55",
                    "start_address_module": "Unbacked"
                },
                "id": 12612
            },
            "uptime": 1
        }
    },
    "agent": {
        "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "type": "endpoint",
        "version": "8.7.0"
    },
    "data_stream": {
        "dataset": "endpoint.alerts",
        "namespace": "default",
        "type": "logs"
    },
    "ecs": {
        "version": "1.11.0"
    },
    "elastic": {
        "agent": {
            "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
        }
    },
    "event": {
        "action": "start",
        "category": [
            "malware",
            "intrusion_detection"
        ],
        "code": "shellcode_thread",
        "created": "2023-04-21T08:20:56.0268971Z",
        "dataset": "endpoint.alerts",
        "id": "N274zo+Le+XQr7SX++++++RF",
        "kind": "alert",
        "module": "endpoint",
        "outcome": "success",
        "risk_score": 99,
        "sequence": 1621,
        "severity": 99,
        "type": [
            "info",
            "denied"
        ]
    },
    "host": {
        "architecture": "x86_64",
        "hostname": "WINDOWS-DEV",
        "id": "dabadaba-0000-0000-0000-000000000000",
        "ip": [
            "127.0.0.1"
        ],
        "mac": [
            "aa:bb:cc:dd:ee:ff"
        ],
        "name": "WINDOWS-DEV",
        "os": {
            "Ext": {
                "variant": "Windows 10 Pro"
            },
            "family": "windows",
            "full": "Windows 10 Pro 21H2 (10.0.19044.2846)",
            "kernel": "21H2 (10.0.19044.2846)",
            "name": "Windows",
            "platform": "windows",
            "type": "windows",
            "version": "21H2 (10.0.19044.2846)"
        }
    },
    "message": "Memory Threat Prevention Alert: Shellcode Injection",
    "process": {
        "Ext": {
            "ancestry": [
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEzNzg4LTE2ODIwNjUxMTIuMjY5MjkzNzAw",
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEwMjEyLTE2ODIwNjUxMTIuMjUxMjA3MDAw",
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTYyMTItMTY4MTcwODk1MC40MDg2NDk2MDA=",
                "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTMyNDAtMTY4MTI5MzM5Ny4xNjAzODQ3MDA="
            ],
            "architecture": "x86",
            "code_signature": [
                {
                    "exists": false
                }
            ],
            "dll": [
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": false
                            }
                        ],
                        "mapped_address": 9502720,
                        "mapped_size": 122880
                    },
                    "code_signature": {
                        "exists": false
                    },
                    "hash": {
                        "md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
                        "sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
                        "sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
                    },
                    "name": "test_shellcode_thread.exe",
                    "path": "C:\\test_shellcode_thread.exe"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 140715743051776,
                        "mapped_size": 2064384
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "821267661ab8ad7c9ad1d3d44debab08",
                        "sha1": "959735a57905cb6037af73cb29a4cf99fb5f95fe",
                        "sha256": "fdb2689bffabe7d2e300882ca1c3fc2fe24a998ffcbd5f48795c7d95712d1e98"
                    },
                    "name": "ntdll.dll",
                    "path": "C:\\Windows\\SYSTEM32\\ntdll.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 140715731648512,
                        "mapped_size": 364544
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "1e7b3d6ac48b07fb48cc0338c2f5681c",
                        "sha1": "67af32b8b2ed35f54efbd122ed864d79986c331f",
                        "sha256": "ffacd54cbb38ccdbc25804a2533fa3771f384a0fd8e5469efad4dfaa1ce923b1"
                    },
                    "name": "wow64.dll",
                    "path": "C:\\Windows\\System32\\wow64.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 140715714084864,
                        "mapped_size": 536576
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "28a6f8bc61c5a72df6343faaf2b1b056",
                        "sha1": "13ef8ccac99ef9560acd7061b24fd39da0faf891",
                        "sha256": "2fac8cc3653c2e9747864417c65ea02745f5653c3608fc115ad756199ab22bc0"
                    },
                    "name": "wow64win.dll",
                    "path": "C:\\Windows\\System32\\wow64win.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 1998585856,
                        "mapped_size": 40960
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "5184b7fd218777571abcb3e0319f48c6",
                        "sha1": "4874200ab74ef5a4a583f1fd70f5ae866d3b8b63",
                        "sha256": "730ac79cc90b35ea9153eae399313f10fc55b6debed7e93d429fbc9d7de5ef19"
                    },
                    "name": "wow64cpu.dll",
                    "path": "C:\\Windows\\System32\\wow64cpu.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": false
                            }
                        ],
                        "mapped_address": 9502720,
                        "mapped_size": 122880
                    },
                    "code_signature": {
                        "exists": false
                    },
                    "hash": {
                        "md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
                        "sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
                        "sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
                    },
                    "name": "test_shellcode_thread.exe",
                    "path": "C:\\test_shellcode_thread.exe"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 1998651392,
                        "mapped_size": 1720320
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "ba505d57c0fb729d0df912a8c443adb5",
                        "sha1": "c61f28dd2aa388e19feef2e81d391a76229b8c44",
                        "sha256": "d43f5ed957292bb8a6a69f1c4fff812976f70852872d85ae9820a762343c5f46"
                    },
                    "name": "ntdll.dll",
                    "path": "C:\\Windows\\SysWOW64\\ntdll.dll"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 1976434688,
                        "mapped_size": 983040
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "c5f4b80bd0423a8949db62bfca3ed178",
                        "sha1": "e86c6b7507939f90d263e0ea05ac3c36845fc3a4",
                        "sha256": "2ba6ca6f0c5ce8423bd5d10cc6a99af16c7d4ee6a93201f7101d9d82e6452d30"
                    },
                    "name": "KERNEL32.DLL",
                    "path": "C:\\Windows\\SysWOW64\\KERNEL32.DLL"
                },
                {
                    "Ext": {
                        "code_signature": [
                            {
                                "exists": true,
                                "status": "trusted",
                                "subject_name": "Microsoft Windows",
                                "trusted": true
                            }
                        ],
                        "mapped_address": 1965948928,
                        "mapped_size": 2240512
                    },
                    "code_signature": {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Microsoft Windows",
                        "trusted": true
                    },
                    "hash": {
                        "md5": "b6b506c8a7e32c075a713f61bf832676",
                        "sha1": "87554d0323c40accc5ade2896535264b341766d9",
                        "sha256": "1e5fc12aa6644812f07a71df322bf9b7779deb7ce4e01db45f71cb87b2053d25"
                    },
                    "name": "KERNELBASE.dll",
                    "path": "C:\\Windows\\SysWOW64\\KERNELBASE.dll"
                }
            ],
            "protection": "",
            "token": {
                "domain": "WINDOWS-DEV",
                "elevation": true,
                "elevation_type": "full",
                "integrity_level_name": "high",
                "sid": "S-1-5-21-808390715-165647297-874774755-1001",
                "user": "johnu"
            },
            "user": "johnu"
        },
        "args": [
            "C:\\test_shellcode_thread.exe"
        ],
        "args_count": 1,
        "code_signature": {
            "exists": false
        },
        "command_line": "C:\\test_shellcode_thread.exe",
        "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTE5MTE2LTE2ODIwNjUyNTUuOTk4MTAyMjAw",
        "executable": "C:\\test_shellcode_thread.exe",
        "hash": {
            "md5": "b2d4e40a3ab592e7c0e5ed353ab85836",
            "sha1": "7a7fbc6d0f4bdc225bfda2710611135aa79d9a6f",
            "sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
        },
        "name": "test_shellcode_thread.exe",
        "parent": {
            "Ext": {
                "architecture": "x86_64",
                "code_signature": [
                    {
                        "exists": true,
                        "status": "trusted",
                        "subject_name": "Python Software Foundation",
                        "trusted": true
                    }
                ],
                "protection": "",
                "user": "johnu"
            },
            "args": [
                "C:\\Program Files\\Python39\\python.exe"
            ],
            "args_count": 6,
            "code_signature": {
                "exists": true,
                "status": "trusted",
                "subject_name": "Python Software Foundation",
                "trusted": true
            },
            "command_line": "\"C:\\Program Files\\Python39\\python.exe\"",
            "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEzNzg4LTE2ODIwNjUxMTIuMjY5MjkzNzAw",
            "executable": "C:\\Program Files\\Python39\\python.exe",
            "hash": {
                "md5": "3412d601e0fab94e2360f57e62f7cbba",
                "sha1": "ddfd60ea7fad94ab091c5baf4b0085ea5ce38e35",
                "sha256": "bbb3b40c1eb203be1068e882708f1353c2b41ec166746db01375885cb25ff7c1"
            },
            "name": "python.exe",
            "pid": 13788,
            "ppid": 10212,
            "start": "2023-04-21T08:18:32.2692937Z",
            "uptime": 144
        },
        "pe": {},
        "pid": 19116,
        "ppid": 13788,
        "start": "2023-04-21T08:20:55.9981022Z",
        "thread": {
            "Ext": {
                "call_stack": [
                    {
                        "instruction_pointer": 1999121116,
                        "memory_section": {
                            "memory_address": 1998655488,
                            "memory_size": 1187840,
                            "protection": "R-X"
                        },
                        "module_name": "ntdll.dll",
                        "module_path": "c:\\windows\\syswow64\\ntdll.dll",
                        "symbol_info": "c:\\windows\\syswow64\\ntdll.dll!NtWaitForSingleObject+0xc"
                    },
                    {
                        "instruction_pointer": 1967080857,
                        "memory_section": {
                            "memory_address": 1967079424,
                            "memory_size": 860160,
                            "protection": "R-X"
                        },
                        "module_name": "kernelbase.dll",
                        "module_path": "c:\\windows\\syswow64\\kernelbase.dll",
                        "symbol_info": "c:\\windows\\syswow64\\kernelbase.dll!WaitForSingleObjectEx+0x99"
                    },
                    {
                        "instruction_pointer": 1967080690,
                        "memory_section": {
                            "memory_address": 1965953024,
                            "memory_size": 1986560,
                            "protection": "R-X"
                        },
                        "module_name": "kernelbase.dll",
                        "module_path": "c:\\windows\\syswow64\\kernelbase.dll",
                        "symbol_info": "c:\\windows\\syswow64\\kernelbase.dll!WaitForSingleObject+0x12"
                    },
                    {
                        "instruction_pointer": 9507414,
                        "memory_section": {
                            "memory_address": 9506816,
                            "memory_size": 69632,
                            "protection": "R-X"
                        },
                        "module_name": "test_shellcode_thread.exe",
                        "module_path": "C:\\test_shellcode_thread.exe",
                        "symbol_info": "C:\\test_shellcode_thread.exe!0x911256"
                    },
                    {
                        "instruction_pointer": 9508208,
                        "memory_section": {
                            "memory_address": 9506816,
                            "memory_size": 69632,
                            "protection": "R-X"
                        },
                        "module_name": "test_shellcode_thread.exe",
                        "module_path": "C:\\test_shellcode_thread.exe",
                        "symbol_info": "C:\\test_shellcode_thread.exe!0x911570"
                    },
                    {
                        "instruction_pointer": 9508718,
                        "memory_section": {
                            "memory_address": 9506816,
                            "memory_size": 69632,
                            "protection": "R-X"
                        },
                        "module_name": "test_shellcode_thread.exe",
                        "module_path": "C:\\test_shellcode_thread.exe",
                        "symbol_info": "C:\\test_shellcode_thread.exe!0x91176E"
                    },
                    {
                        "instruction_pointer": 1976565913,
                        "memory_section": {
                            "memory_address": 1976500224,
                            "memory_size": 417792,
                            "protection": "R-X"
                        },
                        "module_name": "kernel32.dll",
                        "module_path": "c:\\windows\\syswow64\\kernel32.dll",
                        "symbol_info": "c:\\windows\\syswow64\\kernel32.dll!BaseThreadInitThunk+0x19"
                    },
                    {
                        "instruction_pointer": 1999076206,
                        "memory_section": {
                            "memory_address": 1998655488,
                            "memory_size": 1187840,
                            "protection": "R-X"
                        },
                        "module_name": "ntdll.dll",
                        "module_path": "c:\\windows\\syswow64\\ntdll.dll",
                        "symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0x11e"
                    },
                    {
                        "instruction_pointer": 1999076158,
                        "memory_section": {
                            "memory_address": 1998655488,
                            "memory_size": 1187840,
                            "protection": "R-X"
                        },
                        "module_name": "ntdll.dll",
                        "module_path": "c:\\windows\\syswow64\\ntdll.dll",
                        "symbol_info": "c:\\windows\\syswow64\\ntdll.dll!RtlGetAppContainerNamedObjectPath+0xee"
                    }
                ],
                "call_stack_final_user_module": {
                    "code_signature": [
                        {
                            "exists": false
                        }
                    ],
                    "hash": {
                        "sha256": "c8fd1c0a2db5706798f0b2c9e64afb37e09465d7198d2ad8e47b5b288f526e64"
                    },
                    "name": "test_shellcode_thread.exe",
                    "path": "C:\\test_shellcode_thread.exe"
                },
                "call_stack_summary": "ntdll.dll, kernelbase.dll, test_shellcode_thread.exe, kernel32.dll, ntdll.dll",
                "start_address": 9508836,
                "start_address_module": "C:\\test_shellcode_thread.exe"
            },
            "id": 22716
        },
        "uptime": 1
    },
    "rule": {
        "ruleset": "production"
    },
    "user": {
        "domain": "WINDOWS-DEV",
        "name": "johnu"
    }
}
```

@tsale tsale added under review Evaluating proposal and removed waiting for info Further information is requested labels Apr 24, 2023
tsale (Owner) commented Apr 24, 2023

Thanks for that @jdu2600. I did have a look and I can confirm that, unlike what the article suggests, other EDRs are also monitoring for this activity. Although it would be a good practice to track all different variations of thread activities, this can get out of hand very quickly. We are planning to include one more level to the current sub-categories. We could change the "Remote Thread Creation" to "Thread Activities" and include all variations. But that is just too much for this stage of the project. We can re-evaluate this then.

Thanks again for submitting the information and contributing to this project, appreciate it!

@tsale tsale closed this Apr 24, 2023
jdu2600 (Contributor, Author) commented Apr 24, 2023

Noted.

Though perhaps the current category should be updated to Thread Creation now?
Sysmon would then have an 🟧 and each other vendor could be updated as appropriate?

@tsale tsale reopened this Apr 24, 2023
tsale (Owner) commented Apr 24, 2023

Thanks for understanding. I re-opened this PR to consider the change for the sub-category name from "Remote Thread Creation" to "Thread Creation".

@jdu2600 - Could you please provide a justification as to why you would like Sysmon to have a "Partially Implemented" mark instead of an "Implemented"? This justification would have to make its way to the official notes for the main table.

@inodee - Any objections here for this change to the sub-category? Makes sense?

jdu2600 (Contributor, Author) commented Apr 24, 2023

The Sysmon documentation indicates that its Event ID 8 is Remote Thread Creation only - not Thread Creation more generally.

tsale (Owner) commented Apr 24, 2023

Good enough for me. For the record, difference explained here:

Thread creation refers to the process of creating a new thread within the same application or process. Remote thread creation, on the other hand, involves creating a new thread within a different process.

@jdu2600, could you please edit your proposed changes by only renaming the Sub-Category field to "Thread Creation" and change only the Sysmon value from "Yes" to "Partially"? Thanks!

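One way to consume the telemetry discussed in this thread, as an added example that is not part of this PR or of the EDR-Telemetry project: it maps the Elastic fields jdu2600 listed above (event.code shellcode_thread, Target.process.thread.id, Target.process.thread.Ext.start_address and .parameter) and a Sysmon Event ID 8 record onto one Thread Creation record, and derives local vs remote from the data rather than assuming it (Elastic's Memory_protection.self_injection flag, or Sysmon's source vs target PID). The Elastic sample is a trimmed, constructed copy of the alert posted above; the Sysmon field names follow the documented Event ID 8 schema, but the sample values, the assumption that an empty StartModule means an unbacked start address, and the ThreadCreation/triage helper names are mine.

```python
"""Normalise thread-creation telemetry into one record and classify it.

Added example; not code from the EDR-Telemetry project. Field mapping for
Elastic is the one given in this thread; Sysmon Event ID 8 field names follow
Sysmon's documented schema. Both sample events below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Any, List, Optional

# Constructed sample: a trimmed copy of the Elastic alert posted in this thread.
SAMPLE_ELASTIC_EVENT = json.loads(r'''{
  "event": {"code": "shellcode_thread", "kind": "alert"},
  "Memory_protection": {"feature": "shellcode_thread", "self_injection": true},
  "process": {"pid": 19116, "executable": "C:\\test_shellcode_thread.exe"},
  "Target": {"process": {"thread": {"id": 12612, "Ext": {
      "start_address": 15663104, "parameter": 9605120,
      "start_address_module": "Unbacked"}}}}
}''')

# Constructed sample in the shape of a Sysmon Event ID 8 (CreateRemoteThread) record.
SAMPLE_SYSMON_EID8 = {
    "SourceProcessId": "4120", "SourceImage": "C:\\tools\\example.exe",
    "TargetProcessId": "812", "TargetImage": "C:\\Windows\\explorer.exe",
    "NewThreadId": "5588", "StartAddress": "0x00007FF6A0001000",
    "StartModule": "", "StartFunction": "",
}


@dataclass
class ThreadCreation:
    creator_pid: int
    thread_id: int
    start_address: int
    parameter: Optional[int]
    start_module: Optional[str]
    remote: bool    # thread created in a process other than the creator
    unbacked: bool  # start address is not inside an on-disk image


def _get(d: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'Target.process.thread.id'."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def from_elastic(event: dict) -> Optional[ThreadCreation]:
    """Map an Elastic Endpoint shellcode_thread alert; None for any other event type."""
    if _get(event, "event.code") != "shellcode_thread":
        return None
    start_module = _get(event, "Target.process.thread.Ext.start_address_module")
    return ThreadCreation(
        creator_pid=_get(event, "process.pid"),
        thread_id=_get(event, "Target.process.thread.id"),
        start_address=_get(event, "Target.process.thread.Ext.start_address"),
        parameter=_get(event, "Target.process.thread.Ext.parameter"),
        start_module=start_module,
        # self_injection:true means the creator targeted its own process (a local thread)
        remote=not bool(_get(event, "Memory_protection.self_injection", False)),
        unbacked=(start_module == "Unbacked"),
    )


def from_sysmon_eid8(event: dict) -> ThreadCreation:
    """Map a Sysmon Event ID 8 record; 'remote' is derived from the PIDs, not assumed."""
    src, dst = int(event["SourceProcessId"]), int(event["TargetProcessId"])
    # Assumption: an empty StartModule means the start address was not image-backed.
    start_module = event.get("StartModule") or None
    return ThreadCreation(
        creator_pid=src,
        thread_id=int(event["NewThreadId"]),
        start_address=int(event["StartAddress"], 16),  # "0x..." string in the event
        parameter=None,                                # EID 8 does not record the parameter
        start_module=start_module,
        remote=(src != dst),
        unbacked=(start_module is None),
    )


def triage(tc: ThreadCreation) -> List[str]:
    """Reasons a defender would review this thread creation (empty list: nothing notable)."""
    reasons = []
    if tc.unbacked:
        reasons.append("start address not backed by an image on disk")
    if tc.remote:
        reasons.append("thread created in another process")
    return reasons


if __name__ == "__main__":
    for rec in (from_elastic(SAMPLE_ELASTIC_EVENT), from_sysmon_eid8(SAMPLE_SYSMON_EID8)):
        print(rec, triage(rec))
```

The point of the two mappers is the one this thread turns on: a Sysmon EID 8 record that happens to have SourceProcessId == TargetProcessId would be a local thread, but the documented event is only raised for remote creation, so a vendor column should be judged by whether local unbacked threads (the Elastic case above: self_injection true, start_address_module "Unbacked") actually produce an event.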
jdu2600 (Contributor, Author) commented Apr 25, 2023

Done.

Are we confident that CrowdStrike/LimaCharlie/MDE/S1/WatchGuard all monitor local thread creations?

tsale (Owner) commented Apr 25, 2023

Thanks. No, we will need to validate; I would not commit just yet. I also would like a second approver for this (@inodee).

@jdu2600 - Can you propose a testing method for this?

@tsale tsale added the help wanted Extra attention is needed label Apr 25, 2023
jdu2600 (Contributor, Author) commented Apr 26, 2023

The simplest test would be to see if telemetry is generated for a local unbacked thread.

C++ snippet -

```cpp
#include <windows.h>
#include <string.h>

// Creates one local thread whose start address is a private RWX page rather than a
// loaded image, i.e. the "local unbacked thread" case the telemetry should report.
int main() {
    const unsigned char shellcode[] = {  // return(42)
        0xb8, 0x2a, 0x00, 0x00, 0x00,    // mov eax, 42
        0xc3                             // ret
    };

    auto pRWX = VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pRWX == NULL) return 1;
    memcpy(pRWX, shellcode, sizeof(shellcode));
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)pRWX, NULL, 0, NULL);
    if (hThread != NULL) WaitForSingleObject(hThread, INFINITE);  // let the thread run before exiting
    return 0;
}
```

inodee (Collaborator) commented Apr 26, 2023

It seems like we indeed need a dedicated cat for "Thread Activities"! Thanks @jdu2600 for your contribs! Yes, we need to validate/adjust the others.

@tsale tsale added the On-hold Further investigation needed label Apr 27, 2023
@tsale tsale removed the under review Evaluating proposal label Mar 2, 2024
jdu2600 (Contributor, Author) commented Oct 24, 2024

Or a Python one-liner if that is simpler.

```shell
# argtypes are set so the 64-bit buffer address is not truncated on the way into CreateThread
python -c "import ctypes,time; k32=ctypes.windll.kernel32; VA=k32.VirtualAlloc; VA.restype=ctypes.c_void_p; VA.argtypes=[ctypes.c_void_p,ctypes.c_size_t,ctypes.c_uint32,ctypes.c_uint32]; CT=k32.CreateThread; CT.argtypes=[ctypes.c_void_p,ctypes.c_size_t,ctypes.c_void_p,ctypes.c_void_p,ctypes.c_uint32,ctypes.c_void_p]; buf=VA(None,4096,0x1000,0x40); ctypes.memmove(buf,b'\xc3',1); CT(None,0,buf,None,0,None); time.sleep(1)"
```

Labels: enhancement (New feature or request), help wanted (Extra attention is needed), On-hold (Further investigation needed)