On Detection: Tactical to Functional

<h1>Introduction</h1> <p>In my <a href="https://posts.specterops.io/understanding-the-function-call-stack-f08b5341efa4" rel="noopener ugc nofollow" target="_blank">Understanding the Function Call Stack</a> post, I introduced the nested nature of Windows API functions. There is almost always a superficial, documented entry point that in turn calls a series of deeper, more fundamental functions; those deeper functions are less likely to be documented, but an application can still call them directly. I then explained that malware developers can use knowledge of this nesting to call a less expected, less documented layer of a function and so evade any sensor that only observes the outer layer, making their actions &ldquo;invisible&rdquo; to it. In that post we dug into <a href="https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew" rel="noopener ugc nofollow" target="_blank">CreateFileW</a> specifically, but we did not explain how to decide which function to look at in the first place.</p> <p>This post introduces one process for making that decision, source code review, to determine which function(s) a given malware sample actually uses. For this demonstration and the next couple of posts in this series we will use everyone&rsquo;s favorite tool, <a href="https://github.com/gentilkiwi/mimikatz" rel="noopener ugc nofollow" target="_blank">Mimikatz</a>, and work out exactly which API functions it relies on to perform its most popular <a href="https://github.com/gentilkiwi/mimikatz#sekurlsa" rel="noopener ugc nofollow" target="_blank">command</a>, <code>sekurlsa::logonPasswords</code>. Remember that a tool is often just an even more superficial wrapper around a series of API functions that do the hard work; this is a fundamental concept described in my <a href="https://posts.specterops.io/capability-abstraction-fbeaeeb26384" rel="noopener ugc nofollow" target="_blank">Capability Abstraction post</a>. Here we will analyze Mimikatz&rsquo;s source code to understand which function(s) it calls, and then we can apply the process demonstrated in my previous post to see how those functions nest underneath.</p>
<p><a href="https://posts.specterops.io/on-detection-tactical-to-functional-d71da6505720"><strong>Visit Now</strong></a></p>
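<p>The nesting argument above, turned into a small model as an added example (this is not code from the post or from Mimikatz): a hand-written stand-in for a tool's source is scanned for call sites, each call is resolved to the well-known chain it takes from the kernel32 export down through KernelBase to the ntdll syscall stub, and the model then reports whether a sensor hooked at a given layer would observe the call. The call chains for CreateFileW, OpenProcess and ReadProcessMemory are the documented/observed paths on modern Windows; the two source snippets and the "module!Function" naming are constructed for the example.</p>

```python
"""Model of Win32 -> native API nesting and what a sensor at each layer can see.

Constructed example (not from the post): CALL_CHAINS lists the well-known path
each kernel32 entry point takes to its ntdll syscall stub; the sample sources
below are hand-written stand-ins, not Mimikatz code.
"""
import re

# Documented Win32 entry point -> ordered chain of functions it calls,
# outermost first, ending at the ntdll syscall stub ("module!Function").
CALL_CHAINS = {
    "CreateFileW": [
        "kernel32!CreateFileW", "kernelbase!CreateFileW", "ntdll!NtCreateFile",
    ],
    "OpenProcess": [
        "kernel32!OpenProcess", "kernelbase!OpenProcess", "ntdll!NtOpenProcess",
    ],
    "ReadProcessMemory": [
        "kernel32!ReadProcessMemory", "kernelbase!ReadProcessMemory",
        "ntdll!NtReadVirtualMemory",
    ],
}


def _index_layers() -> dict[str, tuple[str, int]]:
    """Map a bare function name, as written in source, to (chain key, depth).

    kernel32 and KernelBase export the same name; a source-level call resolves
    through the import table to the outermost one, so the first hit wins.
    """
    index: dict[str, tuple[str, int]] = {}
    for key, chain in CALL_CHAINS.items():
        for depth, layer in enumerate(chain):
            name = layer.split("!", 1)[1]
            index.setdefault(name, (key, depth))
    return index


LAYER_INDEX = _index_layers()

# An identifier immediately followed by '(' is treated as a C-style call site.
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def find_api_calls(source: str) -> list[str]:
    """Return the known API functions called in C-like source, in first-seen order."""
    seen: list[str] = []
    for name in _CALL_RE.findall(source):
        if name in LAYER_INDEX and name not in seen:
            seen.append(name)
    return seen


def chain_below(func: str) -> list[str]:
    """The layers a call to `func` passes through, starting at `func` itself."""
    key, depth = LAYER_INDEX[func]
    return CALL_CHAINS[key][depth:]


def visible_to(hooked: str, called: str) -> bool:
    """Does a sensor hooked at `hooked` ("module!Function") observe a call to `called`?

    Only if the hook sits at or below the called entry point in the same chain;
    calling a deeper layer directly skips every hook above it.
    """
    return hooked in chain_below(called)


def sensor_coverage(source: str, hooked: str) -> dict[str, bool]:
    """For each API call found in `source`, whether the sensor at `hooked` sees it."""
    return {call: visible_to(hooked, call) for call in find_api_calls(source)}


# Constructed stand-ins for a tool's source: the same file open written against
# the documented layer and against the native layer.
DOCUMENTED_SOURCE = r'''
HANDLE h = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
'''
NATIVE_SOURCE = r'''
NTSTATUS st = NtCreateFile(&h, FILE_GENERIC_READ, &oa, &iosb, NULL, 0,
                           FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);
'''

if __name__ == "__main__":
    for label, src in (("documented", DOCUMENTED_SOURCE), ("native", NATIVE_SOURCE)):
        for call in find_api_calls(src):
            print(f"{label}: {call} -> {' -> '.join(chain_below(call))}")
        print("  kernel32 hook sees:", sensor_coverage(src, "kernel32!CreateFileW"))
        print("  ntdll hook sees:   ", sensor_coverage(src, "ntdll!NtCreateFile"))
```

<p>Running it shows the point the post is building toward: a hook on <code>kernel32!CreateFileW</code> sees the documented variant but not the direct <code>NtCreateFile</code> call, while a hook at <code>ntdll!NtCreateFile</code> sees both, because every path to the syscall converges there. Swapping the constructed snippets for a real source tree is the source-review step the post describes; the chain table is what the previous post's call-stack analysis supplies.</p>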