ITSEC Newsletter 2024-10-24

Call stack spoofing isn’t a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, and so on). The purpose of the technique is to construct a fake call stack that mimics a legitimate call stack in order to hide suspicious activity that might be detected by EDR or other security software.

Dotnet unamanged-api is not a stranger to Offssec tool developers, it enables developers to tinker with managed processes and the CLR itself from within a native process(say c/c++). You can see the whole list of supported interfaces listed categorically here. Frequently I go through each category in the list, in the hope of finding any interesting methods exposed by COM interfaces which can be abused, especially those Hosting and debugging interfaces.

In this blog post, we will conduct an in-depth analysis of the patching technique used by the bedevil rootkit, exploring how it works and the advantages that dynamic linker patching offers to attackers.