[Memory Protection] Add fields for trampoline detection. #344
Change Summary
This PR adds 6 new fields to the memory protection alert:
- Target.process.thread.Ext.original_start_address
- Target.process.thread.Ext.original_start_address_allocation_offset
- Target.process.thread.Ext.original_start_address_bytes
- Target.process.thread.Ext.original_start_address_bytes_disasm
- Target.process.thread.Ext.original_start_address_bytes_disasm_hash
- Target.process.thread.Ext.original_start_address_module

Those fields complement the existing, similarly named ones:

- Target.process.thread.Ext.start_address
- Target.process.thread.Ext.start_address_allocation_offset
- Target.process.thread.Ext.start_address_bytes
- Target.process.thread.Ext.start_address_bytes_disasm
- Target.process.thread.Ext.start_address_bytes_disasm_hash
- Target.process.thread.Ext.start_address_module

The new fields are populated when a trampoline sequence is detected within the shellcode that triggered the alert, by attempting to resolve the effective address (and its offset, module, etc.). A trampoline sequence currently corresponds to a series of basic control flow instructions (jmp, ret, etc.) and stack instructions (see https://github.com/elastic/endpoint-dev/issues/10807 for the complete list of instructions currently handled).

Sample values
Sample document
```json
{
  "@timestamp": "2023-02-13T23:56:49.8605525Z",
  "Endpoint": {
    "policy": {
      "applied": {
        "artifacts": {
          "global": {},
          "user": {}
        }
      }
    }
  },
  "Memory_protection": {
    "cross_session": false,
    "feature": "shellcode_thread",
    "parent_to_child": false,
    "self_injection": true,
    "unique_key_v1": "a2db7d87471280d0c472834b0bb1648b624b3eb18ecdc23855463f820664c97f"
  },
  "Target": {
    "process": {
      "Ext": {
        "memory_region": {
          "allocation_base": 67174400,
          "allocation_protection": "RWX",
          "allocation_size": 67108864,
          "allocation_type": "PRIVATE",
          "mapped_path": "Unbacked",
          "region_base": 67174400,
          "region_protection": "RWX",
          "region_size": 4096,
          "region_state": "COMMIT",
          "strings": [
            "This is the magic shellcode string"
          ]
        }
      },
      "thread": {
        "Ext": {
          "original_start_address": 67174400,
          "original_start_address_allocation_offset": 0,
          "original_start_address_bytes": "e93b00000000cccccccccccccccccccccccccccccccccccccccccccccccccccc",
          "original_start_address_bytes_disasm": "jmp 0x0000000000000040\nadd ah, cl\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3",
          "original_start_address_bytes_disasm_hash": "4616434e499cb901bfaa6147b50365ab4e170b456ab8318d0288962c9738b6ed",
          "original_start_address_module": "Unbacked",
          "parameter": 140702510342160,
          "start_address": 67174528,
          "start_address_allocation_offset": 128,
          "start_address_bytes": "c3cc0000cccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
          "start_address_bytes_disasm": "ret\nint3\nadd byte ptr [rax], al\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3\nint3",
          "start_address_bytes_disasm_hash": "aacb1c801f9030f799e2f7350f053ebb760d42cbe81cd65021063c1c4d1a9c9c",
          "start_address_module": "Unbacked"
        }
      }
    }
  },
  "agent": {
    "build": {
      "original": "version: 8.7.0-SNAPSHOT, compiled: Fri Feb 10 16:00:00 2023, branch: calladoum/vs2022_using_findwdk, commit: 7089e8ef1967710e88448384eaf463b9814e2d0d"
    },
    "id": "",
    "type": "endpoint",
    "version": "8.7.0-SNAPSHOT"
  },
  "data_stream": {
    "dataset": "",
    "namespace": "",
    "type": ""
  },
  "ecs": {
    "version": "1.11.0"
  },
  "elastic": {
    "agent": {
      "id": ""
    }
  },
  "event": {
    "action": "start",
    "category": [
      "malware",
      "intrusion_detection"
    ],
    "code": "shellcode_thread",
    "created": "2023-02-13T23:56:49.8605525Z",
    "dataset": "",
    "kind": "alert",
    "module": "endpoint",
    "risk_score": 99,
    "sequence": 46,
    "severity": 99,
    "type": [
      "info",
      "allowed"
    ]
  },
  "host": {
    "architecture": "x86_64",
    "hostname": "",
    "id": "",
    "name": "",
    "os": {
      "Ext": {
        "variant": ""
      },
      "family": "",
      "full": "",
      "kernel": "",
      "name": "Windows",
      "platform": "",
      "type": "windows",
      "version": ""
    }
  },
  "message": "Memory Threat Detection Alert: Shellcode Injection",
  "process": {
    "Ext": {
      "architecture": "x86_64"
    },
    "architecture": "x86_64",
    "pid": 14300,
    "start": 1676332513,
    "thread": {}
  },
  "rule": {
    "ruleset": "production"
  }
}
```

Release Target
8.8
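As an added example (not the endpoint's own code), the Python below resolves a trampoline chain the way the description outlines: it follows jmp rel8/rel32 and push imm32/ret hops from the original thread start address and fills in the start_address* fields relative to the allocation base. The first hop uses the 32 bytes captured in the sample document's original_start_address_bytes; the full chain runs over a constructed 4 KiB region whose push/ret hop is invented here, since the sample only captures 32 bytes at each address.

```python
import struct

ALLOC_BASE = 67174400   # allocation_base of the sample document (0x04010000)
ALLOC_SIZE = 67108864   # allocation_size of the sample document
# The 32 bytes captured in original_start_address_bytes: jmp +0x3b, then padding.
SAMPLE_BYTES = bytes.fromhex("e93b00000000") + b"\xcc" * 26

def follow_trampoline(code, base, start=0, max_steps=16):
    """Follow jmp / push+ret hops from `start` inside `code` (mapped at `base`).
    Returns the absolute landing address, or None if no trampoline starts there."""
    ip, stack, steps = start, [], 0
    while steps < max_steps and 0 <= ip < len(code):
        op = code[ip]
        if op == 0xE9 and ip + 5 <= len(code):        # jmp rel32
            ip = ip + 5 + struct.unpack_from("<i", code, ip + 1)[0]
        elif op == 0xEB and ip + 2 <= len(code):      # jmp rel8
            ip = ip + 2 + struct.unpack_from("<b", code, ip + 1)[0]
        elif op == 0x68 and ip + 5 <= len(code):      # push imm32 (absolute target)
            stack.append(struct.unpack_from("<I", code, ip + 1)[0])
            ip += 5
        elif op == 0xC3:                              # ret
            if not stack:                             # nothing we pushed: chain ends
                break
            ip = stack.pop() - base
        else:
            break                                     # first non-trampoline instruction
        steps += 1
    return base + ip if steps else None

def enrich(original_start, code, alloc_base, alloc_size):
    """original_start_address* = thread start, start_address* = resolved address."""
    effective = follow_trampoline(code, alloc_base, original_start - alloc_base)
    if effective is None:
        return {}
    unbacked = alloc_base <= effective < alloc_base + alloc_size
    return {
        "original_start_address": original_start,
        "original_start_address_allocation_offset": original_start - alloc_base,
        "start_address": effective,
        "start_address_allocation_offset": effective - alloc_base,
        "start_address_module": "Unbacked" if unbacked else "resolve against module list",
    }

# Constructed region: jmp -> push/ret -> final ret at +0x80 (offset 128, matching the
# sample's start_address_allocation_offset). The push/ret hop is invented here.
REGION = bytearray(b"\xcc" * 4096)
REGION[0:5] = b"\xe9\x3b\x00\x00\x00"                               # jmp +0x3b -> +0x40
REGION[0x40:0x45] = b"\x68" + struct.pack("<I", ALLOC_BASE + 0x80)  # push 0x04010080
REGION[0x45] = 0xC3                                                 # ret -> +0x80
REGION[0x80] = 0xC3                                                 # ret, chain ends
```

With only the captured 32 bytes the resolver can report the first hop (+0x40) but not the landing address, which is why the enrichment has to read the whole allocation rather than the bytes stored in the alert.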