Writing exploits is a complex task that requires some experience to build a reliable proof of concept (POC). Most of the time, exploit developers rely on certain habits to fingerprint the operating system, elevate privileges, or exploit primitives.
Being able to identify exploit developer habits can be very useful in identifying a variant of an exploit or an additional POC. This presentation will focus on studying a local privilege escalation (LPE) on the Windows operating system and how we can dissect it to identify artifacts that can be used to hunt for similar code in the wild.
Through the presentation, we will detail some of the exploit mechanisms and see how to build reliable hunting rules. The audience will learn more about exploit techniques and how to identify the parts of the code that may be relevant to analyse for threat hunting.
Code graphology definition
Case study on an LPE: CVE-2021-1732
Extracting relevant artifacts
Creating a hunting Yara rule
Particularly useful in exploit hunting as exploit writers tend to use
similar mechanisms throughout multiple exploits.
First discussed by CheckPoint researchers in 2020 at VirusBulletin,
@megabeets_ and @EyalItkin.
CVE-2021-1732 is a Local Privilege Escalation (LPE) exploit
on Windows 10.
This exploit has been reported by Dbapp Security in February
2021 and allegedly used by the Bitter APT.
This kernel exploit is a Win32k window object type confusion
leading to an OOB write (out-of-bounds).
Another unique string that is part of the binary:
Kaspersky process fingerprinted at the
Strings to create the class and the window:
The IsWow64Process function is called to check whether the process is running
on a 64-bit or a 32-bit version of Windows.
This is a common mechanism in exploit development
to correctly set up the exploitation.
The running version must be larger than
0x3FE1 and 0x471C (Windows 10 build 16353
and Windows 10 build 18204) to continue.
Many exploits use a kernel address leak primitive based on the well-known
HMValidateHandle technique to obtain a kernel memory address.
The online documentation describes this technique as locating the exported function IsMenu and
then parsing its code to find the HMValidateHandle function.
In most LPEs, the exploit swaps the
token of the current process to elevate
At the end of the exploitation this is
exactly the case for our sample.
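As an added example (not the rule shown in the presentation), the following Yara rule combines the artifacts listed above into one hunting rule: the two build-number constants of the version check, the API names involved in the environment fingerprinting (IsWow64Process) and the HMValidateHandle leak (IsMenu), and the strings used to create the class and the window. The class, window and unique strings are placeholders, since the slides do not reproduce them, and the byte patterns assume the build numbers appear as 32-bit little-endian immediates:

```yara
rule Hunt_CVE_2021_1732_LPE_Artifacts
{
    meta:
        description = "Added hunting example, not the presentation's own rule: artifacts of the CVE-2021-1732 LPE sample"
        reference   = "CVE-2021-1732"

    strings:
        // Build-number comparisons from the version check: 16353 (0x3FE1) and 18204 (0x471C),
        // assumed to be encoded as 32-bit little-endian immediates
        $build_16353 = { E1 3F 00 00 }
        $build_18204 = { 1C 47 00 00 }

        // APIs used for fingerprinting (IsWow64Process) and for the HMValidateHandle leak (IsMenu);
        // HMValidateHandle itself is not imported, it is found by parsing IsMenu
        $api_wow64  = "IsWow64Process" ascii
        $api_ismenu = "IsMenu" ascii

        // Placeholders: replace with the class, window and unique strings recovered from the sample
        $cls_name = "PLACEHOLDER_CLASS_NAME" ascii wide
        $wnd_name = "PLACEHOLDER_WINDOW_NAME" ascii wide
        $uniq     = "PLACEHOLDER_UNIQUE_STRING" ascii wide

    condition:
        // PE file of reasonable size
        uint16(0) == 0x5A4D and filesize < 5MB and
        // Both fingerprinting/leak APIs referenced
        $api_wow64 and $api_ismenu and
        // Both build constants present
        all of ($build_*) and
        // At least one of the sample-specific strings
        1 of ($cls_name, $wnd_name, $uniq)
}
```

The rule is deliberately layered: the API names and build constants are generic and would match many programs on their own, so the condition anchors on the sample-specific strings as well; when hunting for new variants that changed those strings, the last clause can be relaxed and the candidates triaged manually.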
First Sample: 2020-05-05 05:10:29 UTC
Second Sample: 2020-07-10 06:30:28 UTC
Version: x64 Bit
To exploit a vulnerability, attackers rely on known techniques.
Identifying those techniques and studying the structure of the
exploit may help build a relevant hunting or detection rule.
In this presentation, we uncovered a previously unknown sample
that uses the same string conventions as the original one.