SlideShare ist ein Scribd-Unternehmen logo

Sandbox Evasion Cheat Sheet

T
Thomas Roccia

This is a best practice cheat sheet to avoid malware sandbox evasion.

Internet
1 von 2
Downloaden Sie, um offline zu lesen
Sandbox Best Practices Cheat Sheet Unprotect [Project] – unprotect.tdgt.org Thomas Roccia | @fr0gger_ VMWARE Change the default MAC address. Default first 3 bytes of MAC address of VMware: 00:0C:29 00:1C:14 00:50:56 00:05:69 Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0“Identifier”;“VMWARE” HKLMSOFTWAREVMware, Inc.VMware Tools HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"VMWARE" HKEY_LOCAL_MACHINESYSTEMControlSet001 ControlClass{4D36E968-E325-11CE-BFC1- 08002BE10318}0000DriverDesc“Vmware SCSI Controller” HKEY_LOCAL_MACHINESYSTEMControlSet001 ControlClass{4D36E968-E325-11CE-BFC1- 08002BE10318}0000ProviderName“VMware, Inc.” Check the name or remove the following processes: VMwareService.exe Vmwaretray.exe TPAutoConnSvc.exe Vmtoolsd.exe Vmwareuser.exe Check the name of default paths or files: system32driversvmmouse.sys system32driversvmhgfs.sys Program FilesVMware VIRTUALBOX Change the default MAC address. Default first 3 bytes of MAC address of VirtualBox: 08:00:27 Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0"Identifier";"VBOX" HKLMHARDWAREDescriptionSystem"SystemBiosVersion";VBOX HKLMSOFTWAREOracleVirtualBox Guest Additions HKLMHARDWAREDescriptionSystem"VideoBiosVersion"; "VIRTUALBOX" HKLMHARDWAREACPIDSDTVBOX__ HKLMHARDWAREACPIFADTVBOX__ HKLMHARDWAREACPIRSDTVBOX__ HKLMHARDWAREDescriptionSystem“SystemBiosDate"; "06/23/99" HKLMSYSTEMControlSet001ServicesVBoxGuest HKLMSYSTEMControlSet001ServicesVBoxService HKLMSYSTEMControlSet001ServicesVBoxMouse HKLMSYSTEMControlSet001ServicesVBoxVideo Check the name or remove the following processes: vboxservice.exe vboxtray.exe vboxcontrol.exe Check the name of default paths or files: C:WINDOWSsystem32driversVBoxMouse.sys C:WINDOWSsystem32driversVBoxGuest.sys C:WINDOWSsystem32driversVBoxSF.sys C:WINDOWSsystem32driversVBoxVideo.sys C:WINDOWSsystem32vboxdisp.dll C:WINDOWSsystem32vboxhook.dll C:WINDOWSsystem32vboxmrxnp.dll C:WINDOWSsystem32vboxogl.dll C:WINDOWSsystem32vboxoglarrayspu.dll C:WINDOWSsystem32vboxoglcrutil.dll C:WINDOWSsystem32vboxoglerrorspu.dll C:WINDOWSsystem32vboxoglfeedbackspu.dll C:WINDOWSsystem32vboxoglpackspu.dll C:WINDOWSsystem32vboxoglpassthroughspu.dll Program Filesoraclevirtualbox guest additions QEMU Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0"Identifier";"QEMU" HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"QEMU" PARALLELS Check the name or remove the following processes: prl_cc.exe prl_tools.exe VIRTUAL PC Check the name or remove the following processes: VMSrvc.exe VMUSrvc.exe CUCKOO Check the name or remove the following processes: Python.exe Pythonw.exe Check the name of default paths or files: C:cuckoo .pipecuckoo XEN Check the name or remove the following processes: xenservice.exe
WINE Change or remove the following registry key: HKLMSOFTWAREWine BOCHS Change or remove the following registry key: HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"BOCHS" X86 INSTRUCTIONS The following Assembly instructions are used to detect Virtual Environment: SIDT SGDT SLDT SMSW STR CPUID IN VMCPUID RDTSC VPCEXT LOADED DLL Sandboxes are loaded DLL to perform actions on the system. Malware are able to detect these DLL. Check if the following DLL are loaded: sbiedll.dll (Sandboxie) api_log.dll (SunBelt SandBox) dir_watch.dll (SunBelt SandBox) pstorec.dll (SunBelt Sandbox) vmcheck.dll (Virtual PC) wpespy.dll (WPE Pro) GENERIC DETECTION Malware can detect a sandbox by different ways. The normal user activities should be reproducing to avoid detection. Reproduce or change the following elements to avoid detection: Mouse movement Office recent files Screen resolution Wallpaper Memory size Hard drive size Installed software Hostname USB drive Printer Number of processor MANUAL ANALYSIS Sandboxes can be used for automatic analysis but also for manual analysis. Rename the following analysis tools (NB: all the analysis tools can be detected by malware with the original process name): Wireshark.exe Ollydbg.exe ProcessHacker.exe TCPview.exe Autoruns.exe/Autorunsc.exe filemon.exe ProcMon.exe regmon.exe procexp.exe HookExplorer.exe SysInspector.exe PETools.exe DumpPcap.exe TIMING ATTACKS Malware can delay execution in order to avoid analysis or detection. Onset delay: Malware will delay execution to avoid analysis by the sandbox. Stalling code: Stalling code is typically executed before any malicious behaviour. Extended sleep code: Most of the sandbox have a defined time for the analysis. Malware will use a Sleep function with a big time to avoid analysis by the sandbox. TOOLS Different tools exist to harden a sandbox. Paranoid Fish: Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do. https://github.com/a0rtega/pafish Al-Khaser: Al-khaser is a PoC malware with good intentions that aims to stress your sandbox system. https://github.com/LordNoteworthy/al- khaser RocProtect: RocProtect is a POC that emulates a sandbox environment to avoid infection by advanced malware. https://github.com/fr0gger/RocProtect-V1 Thomas Roccia | @fr0gger_ Version 1.1. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Empfohlen

Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 

Empfohlen

Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
malware analysis
malware analysismalware analysis
malware analysis20CS201AkashR
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft⭕Alexander Rymdeko-Harvey
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA RulesLionel Faleiro
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
窺探職場上所需之資安專業技術與能力 Tdohconf
窺探職場上所需之資安專業技術與能力 Tdohconf窺探職場上所需之資安專業技術與能力 Tdohconf
窺探職場上所需之資安專業技術與能力 Tdohconfjack51706
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101Shahee Mirza
 
Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to FridaAbhishekJaiswal270
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machinesintertelinvestigations
 
Network Manual
Network ManualNetwork Manual
Network ManualJason Myers
 

Weitere ähnliche Inhalte

Was ist angesagt?

Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
窺探職場上所需之資安專業技術與能力 Tdohconf
窺探職場上所需之資安專業技術與能力 Tdohconf窺探職場上所需之資安專業技術與能力 Tdohconf
窺探職場上所需之資安專業技術與能力 Tdohconfjack51706
 

Was ist angesagt? (20)

Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
 
malware analysis
malware analysismalware analysis
malware analysis
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
窺探職場上所需之資安專業技術與能力 Tdohconf
窺探職場上所需之資安專業技術與能力 Tdohconf窺探職場上所需之資安專業技術與能力 Tdohconf
窺探職場上所需之資安專業技術與能力 Tdohconf
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
Introduction to Frida
Introduction to FridaIntroduction to Frida
Introduction to Frida
 

Ähnlich wie Sandbox Evasion Cheat Sheet

Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machinesintertelinvestigations
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Cache is King: Get the Most Bang for Your Buck From Ruby
Cache is King: Get the Most Bang for Your Buck From RubyCache is King: Get the Most Bang for Your Buck From Ruby
Cache is King: Get the Most Bang for Your Buck From RubyMolly Struve
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
 
Dns configuration on rhel 5
Dns configuration on rhel 5Dns configuration on rhel 5
Dns configuration on rhel 5Subin Selvaraj
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程Jimmy Chang
 
Salt Cloud vmware-orchestration
Salt Cloud vmware-orchestrationSalt Cloud vmware-orchestration
Salt Cloud vmware-orchestrationMo Rawi
 
Web Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationMichele Orru'
 
Trouble shooting apachecloudstack
Trouble shooting apachecloudstackTrouble shooting apachecloudstack
Trouble shooting apachecloudstackSailaja Sunil
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guideRoberto Boccadoro
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X SandboxMeder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X SandboxDefconRussia
 
Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Freddy Ortiz
 

Ähnlich wie Sandbox Evasion Cheat Sheet (20)

Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
 
Network Manual
Network ManualNetwork Manual
Network Manual
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Cache is King: Get the Most Bang for Your Buck From Ruby
Cache is King: Get the Most Bang for Your Buck From RubyCache is King: Get the Most Bang for Your Buck From Ruby
Cache is King: Get the Most Bang for Your Buck From Ruby
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
 
Dns configuration on rhel 5
Dns configuration on rhel 5Dns configuration on rhel 5
Dns configuration on rhel 5
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
 
Salt Cloud vmware-orchestration
Salt Cloud vmware-orchestrationSalt Cloud vmware-orchestration
Salt Cloud vmware-orchestration
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
Web Insecurity And Browser Exploitation
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser Exploitation
 
Long live to CMAN!
Long live to CMAN!Long live to CMAN!
Long live to CMAN!
 
Trouble shooting apachecloudstack
Trouble shooting apachecloudstackTrouble shooting apachecloudstack
Trouble shooting apachecloudstack
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guide
 
Zhp diag
Zhp diagZhp diag
Zhp diag
 
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X SandboxMeder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
 
Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2
 
Build Automation 101
Build Automation 101Build Automation 101
Build Automation 101
 

Mehr von Thomas Roccia

TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareThomas Roccia
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVThomas Roccia
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
Ransomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware AnalysisRansomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware AnalysisThomas Roccia
 
Research Paper on Digital Forensic
Research Paper on Digital ForensicResearch Paper on Digital Forensic
Research Paper on Digital ForensicThomas Roccia
 
Windows Kernel Debugging
Windows Kernel DebuggingWindows Kernel Debugging
Windows Kernel DebuggingThomas Roccia
 
Sec day cuckoo_workshop
Sec day cuckoo_workshopSec day cuckoo_workshop
Sec day cuckoo_workshopThomas Roccia
 

Mehr von Thomas Roccia (9)

TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
Ransomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware AnalysisRansomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware Analysis
 
Research Paper on Digital Forensic
Research Paper on Digital ForensicResearch Paper on Digital Forensic
Research Paper on Digital Forensic
 
Windows Kernel Debugging
Windows Kernel DebuggingWindows Kernel Debugging
Windows Kernel Debugging
 
Sec day cuckoo_workshop
Sec day cuckoo_workshopSec day cuckoo_workshop
Sec day cuckoo_workshop
 

Sandbox Evasion Cheat Sheet

  • 1. Sandbox Best Practices Cheat Sheet Unprotect [Project] – unprotect.tdgt.org Thomas Roccia | @fr0gger_ VMWARE Change the default MAC address. Default first 3 bytes of MAC address of VMware: 00:0C:29 00:1C:14 00:50:56 00:05:69 Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0“Identifier”;“VMWARE” HKLMSOFTWAREVMware, Inc.VMware Tools HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"VMWARE" HKEY_LOCAL_MACHINESYSTEMControlSet001 ControlClass{4D36E968-E325-11CE-BFC1- 08002BE10318}0000DriverDesc“Vmware SCSI Controller” HKEY_LOCAL_MACHINESYSTEMControlSet001 ControlClass{4D36E968-E325-11CE-BFC1- 08002BE10318}0000ProviderName“VMware, Inc.” Check the name or remove the following processes: VMwareService.exe Vmwaretray.exe TPAutoConnSvc.exe Vmtoolsd.exe Vmwareuser.exe Check the name of default paths or files: system32driversvmmouse.sys system32driversvmhgfs.sys Program FilesVMware VIRTUALBOX Change the default MAC address. Default first 3 bytes of MAC address of VirtualBox: 08:00:27 Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0"Identifier";"VBOX" HKLMHARDWAREDescriptionSystem"SystemBiosVersion";VBOX HKLMSOFTWAREOracleVirtualBox Guest Additions HKLMHARDWAREDescriptionSystem"VideoBiosVersion"; "VIRTUALBOX" HKLMHARDWAREACPIDSDTVBOX__ HKLMHARDWAREACPIFADTVBOX__ HKLMHARDWAREACPIRSDTVBOX__ HKLMHARDWAREDescriptionSystem“SystemBiosDate"; "06/23/99" HKLMSYSTEMControlSet001ServicesVBoxGuest HKLMSYSTEMControlSet001ServicesVBoxService HKLMSYSTEMControlSet001ServicesVBoxMouse HKLMSYSTEMControlSet001ServicesVBoxVideo Check the name or remove the following processes: vboxservice.exe vboxtray.exe vboxcontrol.exe Check the name of default paths or files: C:WINDOWSsystem32driversVBoxMouse.sys C:WINDOWSsystem32driversVBoxGuest.sys C:WINDOWSsystem32driversVBoxSF.sys C:WINDOWSsystem32driversVBoxVideo.sys C:WINDOWSsystem32vboxdisp.dll C:WINDOWSsystem32vboxhook.dll C:WINDOWSsystem32vboxmrxnp.dll C:WINDOWSsystem32vboxogl.dll C:WINDOWSsystem32vboxoglarrayspu.dll C:WINDOWSsystem32vboxoglcrutil.dll C:WINDOWSsystem32vboxoglerrorspu.dll C:WINDOWSsystem32vboxoglfeedbackspu.dll C:WINDOWSsystem32vboxoglpackspu.dll C:WINDOWSsystem32vboxoglpassthroughspu.dll Program Filesoraclevirtualbox guest additions QEMU Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0"Identifier";"QEMU" HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"QEMU" PARALLELS Check the name or remove the following processes: prl_cc.exe prl_tools.exe VIRTUAL PC Check the name or remove the following processes: VMSrvc.exe VMUSrvc.exe CUCKOO Check the name or remove the following processes: Python.exe Pythonw.exe Check the name of default paths or files: C:cuckoo .pipecuckoo XEN Check the name or remove the following processes: xenservice.exe
  • 2. WINE Change or remove the following registry key: HKLMSOFTWAREWine BOCHS Change or remove the following registry key: HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"BOCHS" X86 INSTRUCTIONS The following Assembly instructions are used to detect Virtual Environment: SIDT SGDT SLDT SMSW STR CPUID IN VMCPUID RDTSC VPCEXT LOADED DLL Sandboxes are loaded DLL to perform actions on the system. Malware are able to detect these DLL. Check if the following DLL are loaded: sbiedll.dll (Sandboxie) api_log.dll (SunBelt SandBox) dir_watch.dll (SunBelt SandBox) pstorec.dll (SunBelt Sandbox) vmcheck.dll (Virtual PC) wpespy.dll (WPE Pro) GENERIC DETECTION Malware can detect a sandbox by different ways. The normal user activities should be reproducing to avoid detection. Reproduce or change the following elements to avoid detection: Mouse movement Office recent files Screen resolution Wallpaper Memory size Hard drive size Installed software Hostname USB drive Printer Number of processor MANUAL ANALYSIS Sandboxes can be used for automatic analysis but also for manual analysis. Rename the following analysis tools (NB: all the analysis tools can be detected by malware with the original process name): Wireshark.exe Ollydbg.exe ProcessHacker.exe TCPview.exe Autoruns.exe/Autorunsc.exe filemon.exe ProcMon.exe regmon.exe procexp.exe HookExplorer.exe SysInspector.exe PETools.exe DumpPcap.exe TIMING ATTACKS Malware can delay execution in order to avoid analysis or detection. Onset delay: Malware will delay execution to avoid analysis by the sandbox. Stalling code: Stalling code is typically executed before any malicious behaviour. Extended sleep code: Most of the sandbox have a defined time for the analysis. Malware will use a Sleep function with a big time to avoid analysis by the sandbox. TOOLS Different tools exist to harden a sandbox. Paranoid Fish: Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do. https://github.com/a0rtega/pafish Al-Khaser: Al-khaser is a PoC malware with good intentions that aims to stress your sandbox system. https://github.com/LordNoteworthy/al- khaser RocProtect: RocProtect is a POC that emulates a sandbox environment to avoid infection by advanced malware. https://github.com/fr0gger/RocProtect-V1 Thomas Roccia | @fr0gger_ Version 1.1. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.