CFOs need to Evaluate and Prioritize Cybersecurity Initiatives

In CFO, Adam Zaki talks to White Knight Labs CEO Greg Hatcher about the concerns and increasing risk that companies are facing. With control of the purse strings, and often oversight of the IT organization as well, the CFO is becoming more involved in discussions of technology and risk mitigation that are far from the financial roots of the position. Adam points out that “many CFOs and other C-suite members are still unsure how to handle large amounts of increasingly valuable data.” Read the entire article.
Innovation and Leadership

In an article published by Voyage New York, Blanch Sheldon looks at the beginnings of White Knight Labs, some of the great work White Knight Labs has done in preventing zero-day exploits and the related ransomware attacks, and touches on the “Upcoming Crusades”. Read the full article.
Offensive Development w/ Greg Hatcher & John Stigerwalt

A training program led by the co-founders of White Knight Labs. Dive deep into cutting-edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work in order to mitigate their utility and hide deep within code on the endpoint. The days of downloading a binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code. This course is designed to take you deep into defensive and offensive tooling: an apex attacker must know the indicators of compromise (IOCs) they are creating and the artifacts they are leaving behind. For more information
White Knight Labs sponsors CSA West Michigan St. Patrick’s Bash

ChatGPT and the security risks of Generative AI

A recent Salesforce.com survey found that 67% of the 500 senior IT leaders surveyed are prioritizing Generative AI technology for their organizations during the next 18 months, but the same survey found that 71% of those leaders believe the same technology is likely to “introduce new security risks to our data.” Did you see that? 71%! Read the full article at Fierce Electronics.
AASLR: Hiding Your Malware’s Strings and Imports

Ryan from Black Hills Information Security and Greg Hatcher, co-founder of White Knight Labs, discuss AASLR (Antisyphon Address Space Layout Randomization).
Episode 10 – Really Bad Security
In E10 of Really Bad Security, Matt, Aaron and Anthony talk with White Knight Labs co-founders Greg Hatcher and John Stigerwalt. Greg and John walk us through the configuration of a C2 server, AWS configurations, and how you may be leaving yourself vulnerable to attack.
Insights into Cyber Security and Business Strategy at White Knight Labs

White Knight Labs co-founder Greg Hatcher discusses how White Knight Labs (WKL) differentiates itself from other cybersecurity companies by hiring senior- or principal-level engineers. The goal is not just to have engineers hack into clients’ networks, but also to be there for them every step of the way, providing customized solutions that meet their specific needs. WKL has undertaken several successful projects that have helped clients overcome specific cybersecurity challenges. The team’s deep technical bench allows them to develop custom software for complex red team engagements, setting them apart from other cybersecurity companies. Read the full article, written by Sandra Morris, at Texas Today.
Clutch Highlights White Knight Labs as A Top B2B Company in Pennsylvania

Our team began almost five years ago to give companies the best possible digital experience. After all this time, we’re happy to report that not only are we making progress, we’re making a real difference in the lives of our clients. This is proven by the fact that they helped us get selected as one of the top B2B companies in Pennsylvania for 2022 by Clutch.

Clutch is an online B2B review and rating platform based in Washington DC. They employ a unique verification process to test the legitimacy of the information sent to them. Those that pass get published as reviews on the website. The 2022 leading companies are the ones that earned the most high-quality reviews and feedback from their clients. This is one of the fairest systems in the B2B industry in our opinion. It places the power in the people who have direct experience with our services.

“This means everything to my company. This is fantastic.” – John Stigerwalt, Founder of White Knight Labs

It’s for this reason that we want to thank all our clients, both past and current, for supporting us throughout this incredible journey. It was only through their patronage and feedback that we were able to achieve this unique award and stay on the right track. Expectations for our team will undoubtedly get higher because of this. But we are more than ready for what’s to come. We have the skills and expertise to make a real positive difference for all our future projects and partners. Learn more about our services and how you can benefit from bringing us onboard by visiting our website. Contact us today and get a free consultation at your earliest convenience. We look forward to working with you soon.
Bypassing ETW For Fun and Profit
EDR products have the option of using multiple sources to collect information on a Windows operating system. One of these log sources is ETW (Event Tracing for Windows). ETW consumers are now integrated into many EDR endpoint agents in order to receive CLR runtime traces. As opposed to other mainstream threat detection and prevention products that hook commonly abused Windows API calls in userland, ATP has hooks that operate within the kernel. ATP relies heavily on ETW calls.

“Event Tracing for Windows (ETW) is an efficient kernel-level tracing facility that lets you log kernel or application-defined events to a log file. You can consume the events in real time or from a log file and use them to debug an application or to determine where performance issues are occurring in the application.” [1]

ETW vs AMSI

There is a common misconception that ETW is challenging to bypass in a process because it runs in kernel mode, as opposed to AMSI.dll, which runs in user mode. However, this is incorrect, because the Microsoft .NET runtime provider sends logs in JSON format from the .NET runtime to any subscribers of that provider. A subscriber can be the Windows OS or any AV/EDR product that can consume the ETW JSON logs. This means that ETW can be bypassed in-process, just like AMSI. ETW is not string-detection based: if you’re using C#, it gathers information like namespace names, class names, and method names. Renaming all of these in your code is a great first step for bypassing ETW.

AMSI (Anti Malware Scan Interface) supports file and memory scanning for known malicious strings and is built directly into Windows Defender. However, AMSI is agnostic of antimalware vendor: third-party vendors can write their own AMSI provider to extend AMSI’s functionality as they see fit. A great example of creating a custom AMSI provider is the SimpleAMSI Provider project from pathtofile. CarbonBlack and SentinelOne both write their own custom AMSI providers.
This creates challenges for the attacker when testing payloads locally, because they do not have that vendor’s custom AMSI.dll unless they purchase the product.

We’ll begin by opening ntdll.dll in the disassembler and filtering the exports for ETW functions. The two most common functions called by Microsoft security products are EtwEventWrite and EtwEventWriteFull. Examining the EtwEventWrite API, we see that EtwEventWriteFull is called, which in turn calls EtwpEventWriteFull:

Recent research regarding ETW tampering involves patching the EtwEventWrite function so that it returns before the function body is executed. Adam Chester of MDSec goes over this method in his blog. Some common GitHub tools for patching ETW use this method to patch EtwEventWrite.

From Outflank’s TamperETW project:

From Flangvik’s NetLoader project:

As we all know, offensive cyber is a game of cat and mouse. Companies that make EDR products are now inspecting these commonly abused ETW functions for evidence of tampering within their address space. If script kiddies compile these projects without renaming functions or obfuscating the code, they will get caught immediately.

Scrolling down within the disassembler, we find a function named NtTraceEvent. Windows functions that begin with ‘Nt’ are functions that operate in userland but can call a function in the kernel. This type of function is known as a syscall. According to MSDN:

“The Windows native operating system services API is implemented as a set of routines that run in kernel mode. These routines have names that begin with the prefix Nt or Zw. Kernel-mode drivers can call these routines directly. User-mode applications can access these routines by using system calls.” [2]

Following the control flow of NtTraceEvent brings us to a syscall. Well, how about that. This function is the central switching point for writing an event through Event Tracing for Windows (ETW).
“Both the NtTraceEvent and ZwTraceEvent functions are exported by name from NTDLL. There, in user mode, the functions are aliases for a stub that transfers execution to the NtTraceEvent implementation in kernel mode such that the execution is recognised as originating in user mode.” [3]

Diagram of NtTraceEvent/ZwTraceEvent transferring control to the kernel version of NtTraceEvent:

So technically we are not going to touch ETW itself; we will patch the syscall that ETW uses so that it loses the capability to write ETW events to the file system. We do this by patching the NtTraceEvent function so that the syscall stub simply returns. The assembly code in the red box is never going to be called.

We’ll start our PoC by finding the memory address of NtTraceEvent. We’ll use VirtualProtect [4] to change the permissions on this segment of memory. Setting RWX permissions with VirtualProtect is usually an EDR trigger; in this case, however, we set RWX permissions and then return the permissions to RX. Then memcpy [5] is used to copy the opcode for a return into the buffer where NtTraceEvent is located. We used the disassembler to find two pieces of information for the above code: the opcode for a return instruction (\xc3) and the size of the memory region where NtTraceEvent resides.

And the return:

The assembly tells the story: we see the pointer being incremented by 3 to the NtTraceEvent memory region. Then there is a call to memcpy, where a return instruction is copied into the region of memory holding NtTraceEvent. At the bottom of the assembly, VirtualProtect is used to return the permissions on the stack to RX. Following the memcpy call in IDA reveals that the NtTraceEvent function body is never reached; it immediately returns. Remember the opcode for ret, \xc3? As opposed to patching the high-level ETW APIs like EtwEventWrite or EtwEventWriteFull, we shut down the syscall between user mode and kernel mode.
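The flip side of the patch above is the check an EDR or incident responder performs to spot it. The following is an added example, not code from the White Knight Labs post or PoC: it classifies the first bytes of an Nt* stub as intact, ret-patched, or jmp-hooked using the fixed x64 ntdll prologue, and recovers the syscall number so it can be compared with a known-good ntdll.dll from disk. The sample stubs and the syscall number 0x5E are constructed placeholders, not real values.

```c
/* Added example (not from the White Knight Labs post): a defender-side
 * integrity check for the NtTraceEvent tamper described above. On x64 Windows
 * every Nt* stub exported by ntdll.dll starts with the same prologue,
 *   4C 8B D1        mov r10, rcx
 *   B8 xx xx xx xx  mov eax, <syscall number>
 * so a stub overwritten to "simply return" (C3) or redirected with a jmp
 * (E9 rel32 / FF 25 [rip+disp32]) is cheap to spot. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { STUB_INTACT, STUB_RET_PATCHED, STUB_JMP_HOOKED, STUB_UNKNOWN } stub_state;

static const uint8_t NT_PROLOGUE[] = { 0x4C, 0x8B, 0xD1, 0xB8 };

/* Classify the first bytes of an Nt* stub read from process memory. */
stub_state classify_nt_stub(const uint8_t *code, size_t len) {
    if (len < sizeof NT_PROLOGUE + 4) return STUB_UNKNOWN;          /* need prologue + imm32 */
    if (code[0] == 0xC3) return STUB_RET_PATCHED;                    /* ret: the patch in the post */
    if (code[0] == 0xE9) return STUB_JMP_HOOKED;                     /* jmp rel32 */
    if (code[0] == 0xFF && code[1] == 0x25) return STUB_JMP_HOOKED;  /* jmp qword [rip+disp32] */
    if (memcmp(code, NT_PROLOGUE, sizeof NT_PROLOGUE) == 0) return STUB_INTACT;
    return STUB_UNKNOWN;                                             /* deviates; inspect by hand */
}

/* For an intact stub, recover the syscall number from "mov eax, imm32" so it
 * can be diffed against a clean copy of ntdll.dll read from disk. Returns 1 on success. */
int nt_stub_syscall_number(const uint8_t *code, size_t len, uint32_t *ssn) {
    if (classify_nt_stub(code, len) != STUB_INTACT) return 0;
    *ssn = (uint32_t)code[4] | (uint32_t)code[5] << 8 |
           (uint32_t)code[6] << 16 | (uint32_t)code[7] << 24;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
/* Inspect the live NtTraceEvent stub mapped into the current process. */
stub_state check_live_nttraceevent(void) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC fn = ntdll ? GetProcAddress(ntdll, "NtTraceEvent") : NULL;
    return fn ? classify_nt_stub((const uint8_t *)fn, 16) : STUB_UNKNOWN;
}
#endif

/* Constructed sample stubs for offline testing; 0x5E is a placeholder syscall number. */
static const uint8_t STUB_OK[]  = { 0x4C,0x8B,0xD1,0xB8,0x5E,0x00,0x00,0x00, 0x0F,0x05,0xC3 };
static const uint8_t STUB_RET[] = { 0xC3,0x8B,0xD1,0xB8,0x5E,0x00,0x00,0x00, 0x0F,0x05,0xC3 };
```

On Windows, calling check_live_nttraceevent() from a monitoring agent gives the same verdict for the real stub; on other platforms only the classifier and the constructed samples compile.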
Remember that EDRs are monitoring for tampering of commonly abused Windows APIs like those mentioned above.

Obfuscation Method

The other method for shutting down ETW’s abilities is to obfuscate your .NET assembly. If you’re writing a .NET assembly, a common obfuscation technique is to use ConfuserEx. ConfuserEx does most of the leg work for