
Is this still working ? #1

Closed
pussinboots1992 opened this issue Apr 15, 2021 · 5 comments

@pussinboots1992

pussinboots1992 commented Apr 15, 2021

The service is running and in Process Explorer I can see it is marked as PsProtectedSignerAntimalware-Light, but nothing is in C:\Windows\Temp\TiEtwAgent.txt; the file doesn't even exist.

Is everything logged? I triggered a Meterpreter payload on the machine hoping that would force event generation and have the logfile created. It didn't work. Any debug logs? dbgview or other?

Here is the output I am getting:

C:\Users\pussinboots\Desktop>TiEtwAgent.exe install
TiEtwSensor: Installing the Early Launch Anti-Malware drivers
TiEtwSensor: Opening driver file: elam_driver.sys
TiEtwSensor: ELAM driver has been installed successfully
TiEtwSensor: Installing the agent service
TiEtwSensor: Service 'TiEtwAgent' already exists

C:\Users\pussinboots\Desktop>TiEtwAgent.exe uninstall
TiEtwSensor: Uninstalling the service
TiEtwSensor: ControlService(Stop) Error: 5

It appears I cannot remove it anymore. Does a process need to be PPL to uninstall it?

Awesome project though! Thanks so much for sharing!!

@xuanxuan0
Owner

Hi @pussinboots1992, thanks for checking it out :). If the process is running on your endpoint it's most likely all set up correctly, but let's take it step by step.
Have you tried using the "migrate" command to inject Meterpreter into another process, which would cause a remote memory allocation? Just running the payload will not cause a detection, as there is currently no detection use case implemented for local memory operations (i.e. within the same process).

@xuanxuan0 xuanxuan0 self-assigned this Apr 15, 2021
@xuanxuan0 xuanxuan0 added good first issue Good for newcomers question Further information is requested labels Apr 15, 2021
@pussinboots1992
Author

pussinboots1992 commented Apr 15, 2021

It works. Sorry, I should have read the code before trying it :-)

ANOMALOUS MEMORY ALLOCATION DETECTED

[+] Source:       C:\Users\pussinboots\source\repos\sc_runner\x64\Debug\sc_runner.exe (PID: 7308)
[+] Target:       C:\Windows\System32\smartscreen.exe (PID: 9236)
[+] Protection:   0x40
[+] Allocation:   0x3000
[+] Region size:  201563
[+] Base address: 0x1fd1c5b0000
[+] MZ-header:    NO

[+] Memory at location: 

.H..H... ..H........AQAPRQVH1.eH
.R`H.R.H.R H..JJM1.H.rPH1..<a|.,
 A...A....RH.R .B<H..AQf.x.....r
.........H..tgH...H.PD.@ I...VM1
.H..A.4.H..H1.A....A..8.u.L.L$.E
9.u.XD.@[email protected].
.AX^YZAXAYAZH.. AR..XAYZH...K...
]H..A...&5...V.\.........[.....M
ZARUH..H.. H........[H...Z....H.
.\...H.;I..j.Z..................
.......!..L.!This program cannot
 be run in DOS mode....$........
|4?..Zl..Zl..Zl.L.l..Zl.L.l..Zl.
L.l..Zl.e.l..Zl.e.l..Zl..[l..Zl.
O.l..Zl.O.l..Zl.O.l..ZlRich..Zl.
...............PE..d......`.....

When you say there is no use case for memory operations within the same process, do you mean that no local memory allocations will create an event, or that your solution doesn't use events for local memory allocations?

It would be cool to simply log all the events to the Event Viewer, a bit like Sysmon, so that the events can be shipped to a SIEM such as Splunk or ELK to create custom use cases!

Thanks again for this awesome project!

@xuanxuan0
Owner

xuanxuan0 commented Apr 15, 2021

No worries, happy to help.

Local memory allocations create TiEtw events, but these are filtered by default, so if you'd like to collect them you need to set up the Any/All keyword bitmasks. But if your use case is simply to log TiEtw and forward it to a SIEM, you might want to check out Sealighter or SilkETW.

Unfortunately, if you are not a security vendor with a proper signing certificate, it won't be very useful in a prod environment, as all your endpoints would have to be running in test-signing mode.
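The two points made in this thread so far (an alert only fires on a cross-process allocation, and local-allocation events exist but are dropped by the session's keyword masks before the agent ever sees them) can be shown with a small model. The following is an added example written for this page, not code from the TiEtwAgent project: the keyword bit values (`KW_ALLOCVM_LOCAL`, `KW_ALLOCVM_REMOTE`), the `allocvm_event_t` struct and the three sample events are assumptions constructed for illustration, not the Threat-Intelligence provider's real manifest or a capture from a real host. The `PAGE_*` and `MEM_*` constants are the documented Win32 values.

```c
/* Added example, not code from the TiEtwAgent project. It models two things the
 * thread discusses: (1) how an ETW session's MatchAnyKeyword/MatchAllKeyword
 * bitmasks decide whether a Threat-Intelligence event reaches the consumer, and
 * (2) a minimal "remote executable allocation" rule over the fields the agent
 * prints. The keyword bit values, the event struct and the sample events are
 * assumptions constructed for illustration, not the provider's real manifest. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed keyword bits for illustration; the real provider manifest defines its own. */
#define KW_ALLOCVM_LOCAL  0x1ULL
#define KW_ALLOCVM_REMOTE 0x2ULL

/* Win32 constants as documented for VirtualAlloc / NtAllocateVirtualMemory. */
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define MEM_COMMIT             0x1000u
#define MEM_RESERVE            0x2000u

typedef struct {
    uint64_t keyword;        /* keyword bitmask the provider stamped on the event */
    uint32_t source_pid;     /* process that issued the allocation */
    uint32_t target_pid;     /* process whose address space received it */
    uint32_t protection;     /* PAGE_* flags */
    uint32_t alloc_type;     /* MEM_* flags */
    uint64_t region_size;
    uint64_t base_address;
    const uint8_t *head;     /* first bytes read back from the region, or NULL */
    size_t head_len;
} allocvm_event_t;

/* ETW keyword semantics: an event is delivered when
 *   (match_any == 0 || (kw & match_any) != 0) && (kw & match_all) == match_all
 * so match_any == 0 means "do not filter on keywords". */
bool keyword_filter_passes(uint64_t kw, uint64_t match_any, uint64_t match_all)
{
    bool any_ok = (match_any == 0) || ((kw & match_any) != 0);
    bool all_ok = (kw & match_all) == match_all;
    return any_ok && all_ok;
}

bool is_executable_protection(uint32_t prot)
{
    uint32_t exec = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                    PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    return (prot & exec) != 0;
}

bool has_mz_header(const uint8_t *buf, size_t len)
{
    return buf != NULL && len >= 2 && buf[0] == 'M' && buf[1] == 'Z';
}

/* Detection rule from the thread: alert only on cross-process allocations
 * that commit executable memory. Same-process allocations are ignored. */
bool is_anomalous_remote_alloc(const allocvm_event_t *ev)
{
    if (ev->source_pid == ev->target_pid) return false;
    if ((ev->alloc_type & MEM_COMMIT) == 0) return false;
    return is_executable_protection(ev->protection);
}

/* Constructed sample events (not captured from a real host); returns the
 * number of alerts raised after applying a remote-only keyword filter. */
int count_alerts_on_samples(void)
{
    /* first bytes of a typical x64 stager: cld; and rsp,-16 (constructed) */
    static const uint8_t stager_head[] = { 0xfc, 0x48, 0x83, 0xe4, 0xf0 };
    static const uint8_t dll_head[]    = { 'M', 'Z', 0x90, 0x00 };
    const allocvm_event_t samples[] = {
        /* the thread's detection: sc_runner -> smartscreen, RWX, no MZ at base */
        { KW_ALLOCVM_REMOTE, 7308, 9236, PAGE_EXECUTE_READWRITE,
          MEM_COMMIT | MEM_RESERVE, 201563, 0x1fd1c5b0000ULL,
          stager_head, sizeof stager_head },
        /* local RWX allocation: dropped by the keyword filter before the rule runs */
        { KW_ALLOCVM_LOCAL, 7308, 7308, PAGE_EXECUTE_READWRITE,
          MEM_COMMIT, 4096, 0x20000000000ULL, stager_head, sizeof stager_head },
        /* remote but non-executable: the rule does not fire */
        { KW_ALLOCVM_REMOTE, 4444, 9236, PAGE_READWRITE,
          MEM_COMMIT | MEM_RESERVE, 65536, 0x20000010000ULL,
          dll_head, sizeof dll_head },
    };
    const uint64_t match_any = KW_ALLOCVM_REMOTE, match_all = 0;
    int alerts = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const allocvm_event_t *ev = &samples[i];
        if (!keyword_filter_passes(ev->keyword, match_any, match_all)) continue;
        if (!is_anomalous_remote_alloc(ev)) continue;
        alerts++;
        printf("ANOMALOUS MEMORY ALLOCATION DETECTED\n"
               "[+] Source PID: %u  Target PID: %u\n"
               "[+] Protection: 0x%x  Allocation: 0x%x  Region size: %llu\n"
               "[+] Base address: 0x%llx  MZ-header: %s\n",
               ev->source_pid, ev->target_pid, ev->protection, ev->alloc_type,
               (unsigned long long)ev->region_size,
               (unsigned long long)ev->base_address,
               has_mz_header(ev->head, ev->head_len) ? "YES" : "NO");
    }
    return alerts;
}

int main(void)
{
    return count_alerts_on_samples() == 1 ? 0 : 1;
}
```

Only the first sample produces an alert: the local RWX allocation carries only the local keyword bit and never reaches the rule because MatchAnyKeyword selects remote events only, and the third event is cross-process but not executable. Setting `match_any` to 0 (or adding the local bit) is what it would take to see local allocations as well, which is the "Any/All keyword bitmasks" change described in the comment above.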

@xuanxuan0 xuanxuan0 pinned this issue Apr 16, 2021
@pussinboots1992
Author


One more question: how did you debug the service to test the detection logic? I guess you cannot attach a debugger to it since it is PPL. Is the only option to perform kernel debugging?

@xuanxuan0
Owner

@pussinboots1992 you can use dbgview. If you need additional debug output at any point in execution you can add calls to the log_debug() helper function, or output a debug string directly.

I did not use any other techniques due to PPL, so I'm not sure what works, tbh.
