ClrGuard

itman · Sep 30, 2017

Interesting new tool in development:

ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes. ClrGuard leverages a simple appInit DLL (ClrHook32/64.dll) in order to load into all CLR/.NET processes. From there, it performs an in-line hook of security critical functions. Currently, the only implemented hook is on the native LoadImage() function. When events are observed, they are sent over a named pipe to a monitoring process for further introspection and mitigation decision.

To jump in and play with ClrGuard, you can copy the dist\ folder to a virtual machine and run the install.bat script. Next, start the ClrGuard.exe process to complete the installation. The default block action is hard-coded in ClrGuard.h. You could also specific the "-i" parameter to install ClrGuard.exe as a service.

It is not recommended to run this tool in a production environment.
Click to expand...

https://github.com/endgameinc/ClrGuard

Casey Smith recently tested it against an exploited MSBuild exec with Mimikatz Inside

CLRGuard - Let's Kick the Door Down. Part One

I really like this tool! Let me start with that. ;-)

I really appreciate Joe Desimone ( @dez_ ) and EndGame making this available open source.

First, check this DerbyCon 2017 Talk out, it will help you have the necessary background.

Lets look at the tool. Its pretty straight forward to deploy for your testing.

I wanted to show you how this tool can disrupt the MSBuild attacks I have been working on.

The feature that I have abused in the past execute .NET assemblies in memory, is called Inline Tasks

Lets see what happens when we try to run Mimikatz Inside MSBuild:

BOOM!

I will do another post in the future to go over the internals and some bypasses (I may have found a one or two ).

This is a great training tool. When you find bypasses to this type of defense, it will lead you to better capabilities as an attacker. I encourage you to dig in and learn from this prototype. Really good stuff.

This is one of the first tools, I've seen to directly challenge the tactics I am using in .NET to block the capability.
Click to expand...

http://subt0x10.blogspot.com/

WildByDesign · Sep 30, 2017

This is not recommended for production systems yet but has tremendous potential for blocking many .NET/C# related application whitelisting bypasses which are typically nearly impossible to control. I've been playing with ClrGuard for a couple of days now and following with a good amount of curiosity.

EASTER · Sep 30, 2017

Like these new experimental concepts. The more the merrier.

@WildByDesign is quite right it has excellent potential!

itman · Oct 1, 2017

The concept behind CLRGuard is good. Its current execution method is not. Nor is it new or unique. Zemana Anti-logger loads its hook .dll into at process startup via AppInitDll reg. key. Anything sitting in AppInitDll reg. key is a security risk and Microsoft deprecated its use some time ago. Malware can and has modified settings in that reg. key including removal of security software hooks resident there.

Enhancements are need to set the hook dynamically and only in vulnerable Windows processes such as system utilities that are currently being abused by malware developers. The most common tactic being to hide the UAC evaluation request.

itman · Oct 1, 2017

This is a summary of most of the MSBuild bypasses: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ . Of note is MSBuild's use of PShell

WildByDesign · Oct 10, 2017

A nice article about capturing details of in memory .NET attacks and some coverage of ClrGuard as well.

Hunting For In-Memory .NET Attacks
Link: https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks

In past blog posts, we shared our approach to hunting for traditional in-memory attacks along with in-depth analysis of many injection techniques. As a follow up to my DerbyCon presentation, this post will investigate an emerging trend of adversaries using .NET-based in-memory techniques to evade detection. I’ll discuss both eventing (real-time) and on-demand based detection strategies of these .NET techniques. At Endgame, we understand that these differing approaches to detection and prevention are complimentary, and together result in the most robust defense against in-memory attacks.
Click to expand...

itman · Oct 10, 2017

I am somewhat distressed over the AV vendors lack of attention to .Net based malware. I hope CLRGuard will at least point then in the right direction. Also using dynamic versus static hooking since permanent hooks can be disabled.

itman · Oct 11, 2017

Even if .Net malware can be eventually successfully detected, you can be attacked prior to .Net process execution:

Attacking the CLR - AppDomainManager Injection

I have been interested in attacking CLR to be able to manipulate .NET apps, like PowerShell. For example using .NET profilers here:

Recently I was reading this article about the CLR and execution events:

http://mattwarren.org/2017/02/07/Th...-before-executing-a-single-line-of-your-code/

One of the interesting things I stumbled on was this reference to CLR tuning:

https://github.com/dotnet/coreclr/blob/master/Documentation/project-docs/clr-configuration-knobs.md

Of particular interest I saw these environment variables that can be set. You can also set these in an app.config file.

https://4.bp.blogspot.com/-opt_Z3_or_A/WT85BCEp47I/AAAAAAAABkw/W-1cVGrApD4AzRvMS9iCDThvIkzKS-sMQCLcB/s400/Screen%2BShot%2B2017-06-12%2Bat%2B6.58.50%2BPM.png

AppDomain Managers are interesting in that they setup the environment, before your .NET app runs.

I'll keep this short. You can manipulate the runtime, by getting your code to execute prior to the application.

Here's some code.

This also can work against PowerShell.exe too. ;-)
Click to expand...

http://subt0x10.blogspot.com/2017/06/attacking-clr-appdomainmanager-injection.html

WildByDesign · Apr 2, 2018

Updated build today to add a hook for the LoadModule function as it was recently shown to have abuse potential as discovered by Matt Graeber.(@mattifestation).

Link: https://github.com/endgameinc/ClrGuard/tree/master/dist

Regarding: https://twitter.com/dez_/status/980809640161267717
* see thread and go to top

The real meat and potatoes: https://gist.github.com/mattifestation/8958b4c18d8bca9e221b29252cfee26b
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method

Log in or Sign up

ClrGuard

itman Registered Member

WildByDesign Registered Member

EASTER Registered Member

itman Registered Member

itman Registered Member

WildByDesign Registered Member

itman Registered Member

itman Registered Member

WildByDesign Registered Member

Log in or Sign up

ClrGuard

itman Registered Member

WildByDesign Registered Member

EASTER Registered Member

itman Registered Member

itman Registered Member

WildByDesign Registered Member

itman Registered Member

itman Registered Member

WildByDesign Registered Member

Useful Searches