About CrimsonEDR:
CrimsonEDR is an open-source project that implements a set of EDR-style detections for specific malware patterns, so researchers can see which behaviours of a payload get caught and sharpen their evasion techniques accordingly. Because it combines several different detection methods in one injectable DLL, developers and researchers can study evasion strategies against each of them in isolation.
Function introduction
| Detection | Description |
|---|---|
| Direct syscalls | Detects direct system calls, which malware uses to bypass user-mode API hooks placed on ntdll.dll. |
| NTDLL unhooking | Detects attempts to unhook functions in ntdll.dll (restoring the original bytes over an EDR's hooks), a common evasion technique. |
| AMSI patches | Detects modifications to the Antimalware Scan Interface (AMSI) by byte-level comparison of its functions. |
| ETW patches | Detects byte-level changes to Event Tracing for Windows (ETW) functions, which malware patches to suppress telemetry. |
| PE stomping | Identifies instances of PE (module) stomping, where the code of a legitimately loaded module is overwritten in memory with a payload. |
| Reflective PE loading | Detects reflective loading of PE files, a technique that maps a PE into memory without going through the Windows loader so that the payload never touches disk. |
| Unbacked thread origin | Identifies threads that originate from memory not backed by a file on disk, which is often a sign of injected code. |
| Unbacked thread start address | Detects threads whose start address points into memory not backed by a file on disk, a potential sign of code injection. |
| API hooks | Places a hook on NtWriteVirtualMemory to monitor memory modifications. |
| Custom pattern search | Lets users search for byte patterns supplied in a JSON file, helping to identify known malware signatures. |
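The AMSI and ETW rows above describe byte-level patch detection: snapshot the first bytes of a function such as AmsiScanBuffer or EtwEventWrite at load time, then compare them against the current bytes and report any difference. The following Python is an added illustration of that check and is not CrimsonEDR's code; the "clean" prologue bytes are constructed for the example (real prologues vary by Windows build, so a real implementation snapshots them from the loaded module rather than hard-coding them), and the patch idioms listed are the well-known one-liners malware writes over these functions.

```python
"""Byte-level patch detection for API prologues (added example, not CrimsonEDR code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline prologues. A real detector snapshots these bytes from
# amsi.dll / ntdll.dll when the DLL is injected, because they differ per build.
CLEAN_PROLOGUES: Dict[str, bytes] = {
    "AmsiScanBuffer": bytes.fromhex("4c8bdc49895b0849896b10498973184157"),
    "EtwEventWrite": bytes.fromhex("4c8bdc53565741544155"),
}

# Well-known patch idioms written over these functions by malware:
#   mov eax, 0x80070057 (E_INVALIDARG); ret  -> AmsiScanBuffer "fails" for every buffer
#   xor eax, eax; ret                        -> function returns 0 / S_OK without doing work
#   ret                                      -> EtwEventWrite becomes a no-op
PATCH_IDIOMS: Dict[str, bytes] = {
    "mov eax,E_INVALIDARG; ret": bytes.fromhex("b857000780c3"),
    "xor eax,eax; ret": bytes.fromhex("31c0c3"),
    "ret": b"\xc3",
}


@dataclass
class PatchFinding:
    function: str
    offset: int            # first byte that differs from the baseline
    idiom: Optional[str]   # recognised patch idiom at the entry point, if any


def check_prologue(name: str, clean: bytes, current: bytes) -> Optional[PatchFinding]:
    """Return a PatchFinding if `current` differs from the baseline `clean`, else None."""
    if len(current) < len(clean):
        raise ValueError(f"{name}: current bytes shorter than baseline")
    offset = next((i for i, (a, b) in enumerate(zip(clean, current)) if a != b), None)
    if offset is None:
        return None
    # Longer idioms are listed first so "mov eax,...; ret" is not reported as "ret".
    idiom = next((label for label, sig in PATCH_IDIOMS.items() if current.startswith(sig)), None)
    return PatchFinding(name, offset, idiom)


def scan_prologues(baselines: Dict[str, bytes], current: Dict[str, bytes]) -> List[PatchFinding]:
    """Compare every baselined function against its current bytes; return all findings."""
    findings = []
    for name, clean in baselines.items():
        finding = check_prologue(name, clean, current[name])
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed "current" memory: AmsiScanBuffer patched with the E_INVALIDARG idiom,
    # EtwEventWrite left untouched.
    observed = dict(CLEAN_PROLOGUES)
    observed["AmsiScanBuffer"] = PATCH_IDIOMS["mov eax,E_INVALIDARG; ret"] + CLEAN_PROLOGUES["AmsiScanBuffer"][6:]
    for f in scan_prologues(CLEAN_PROLOGUES, observed):
        print(f"[!] {f.function} patched at +{f.offset} ({f.idiom or 'unknown bytes'})")
```

The comparison deliberately reports the first differing offset rather than just a boolean, because a patch placed a few bytes into the function (after the prologue) is just as effective and would be missed by a check that only looks at the entry point.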
Tool installation
First, install the MinGW-w64 cross-compiler the project needs (the DLL and the panel executable are Windows binaries built from Linux):
sudo apt-get install gcc-mingw-w64-x86-64
Next, researchers can directly use the following command to clone the source code of the project to the local computer:
git clone https://github.com/Helixo32/CrimsonEDR
Then switch into the project directory and compile the project with the following commands:
cd CrimsonEDR;
chmod +x compile.sh;
./compile.sh
Tool use
Make sure that the ioc.json file is in the directory of the executable you are monitoring. For example, if the executable you want to monitor is located in C:\Users\admin\, the DLL will look for the file at C:\Users\admin\ioc.json. The ioc.json shipped with the current version contains patterns for msfvenom-generated payloads; you can edit it to suit your needs, keeping the following format (each IOC is one byte sequence written as a list of "0xNN" strings):
{
"IOC": [
["0x03", "0x4c", "0x24", "0x08", "0x45", "0x39", "0xd1", "0x75"],
["0xf1", "0x4c", "0x03", "0x4c", "0x24", "0x08", "0x45", "0x39"],
["0x58", "0x44", "0x8b", "0x40", "0x24", "0x49", "0x01", "0xd0"],
["0x66", "0x41", "0x8b", "0x0c", "0x48", "0x44", "0x8b", "0x40"],
["0x8b", "0x0c", "0x48", "0x44", "0x8b", "0x40", "0x1c", "0x49"],
["0x01", "0xc1", "0x38", "0xe0", "0x75", "0xf1", "0x4c", "0x03"],
["0x24", "0x49", "0x01", "0xd0", "0x66", "0x41", "0x8b", "0x0c"],
["0xe8", "0xcc", "0x00", "0x00", "0x00", "0x41", "0x51", "0x41"]
]
}
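To show how a file in this format is consumed, here is an added Python example (not CrimsonEDR's own code) that loads an ioc.json, validates that every entry is a list of "0xNN" strings, converts each entry to raw bytes, and scans a memory buffer for every occurrence of every pattern. The embedded JSON uses the first two msfvenom patterns from the listing above, and the buffer is a constructed sample containing a slice of the msfvenom x64 stub so that both patterns hit.

```python
"""Loader and scanner for ioc.json-style byte patterns (added example, not CrimsonEDR code)."""
import json
import re
from typing import List, Tuple

# Constructed ioc.json text using the page's first two msfvenom patterns.
SAMPLE_IOC_JSON = """
{
  "IOC": [
    ["0x03", "0x4c", "0x24", "0x08", "0x45", "0x39", "0xd1", "0x75"],
    ["0xf1", "0x4c", "0x03", "0x4c", "0x24", "0x08", "0x45", "0x39"]
  ]
}
"""

# Constructed "memory region": 16 NOPs, a slice of the msfvenom x64 API-hashing
# stub (which contains both patterns above, overlapping), then zero padding.
SAMPLE_BUFFER = b"\x90" * 16 + bytes.fromhex("38e075f14c034c240845" "39d175d858448b4024") + b"\x00" * 8

_BYTE_RE = re.compile(r"^0x[0-9a-fA-F]{2}$")


def load_ioc(text: str) -> List[bytes]:
    """Parse ioc.json text into a list of byte patterns, rejecting malformed entries."""
    doc = json.loads(text)
    patterns = []
    for idx, entry in enumerate(doc.get("IOC", [])):
        if not entry or not all(isinstance(b, str) and _BYTE_RE.match(b) for b in entry):
            raise ValueError(f"IOC entry {idx} is not a non-empty list of 0xNN strings")
        patterns.append(bytes(int(b, 16) for b in entry))
    return patterns


def scan(buffer: bytes, patterns: List[bytes]) -> List[Tuple[int, int]]:
    """Return (pattern_index, offset) for every occurrence of every pattern, sorted by offset."""
    hits = []
    for idx, pat in enumerate(patterns):
        start = 0
        while (pos := buffer.find(pat, start)) != -1:
            hits.append((idx, pos))
            start = pos + 1          # step by one so overlapping occurrences are found
    return sorted(hits, key=lambda h: (h[1], h[0]))


def make_ioc_entry(data: bytes) -> List[str]:
    """Turn raw bytes into a JSON-ready entry in the ioc.json format."""
    return [f"0x{b:02x}" for b in data]


if __name__ == "__main__":
    pats = load_ioc(SAMPLE_IOC_JSON)
    for idx, off in scan(SAMPLE_BUFFER, pats):
        print(f"[!] IOC #{idx} matched at offset 0x{off:x}: {pats[idx].hex()}")
    # Example of producing a new entry from a byte string you want to add to ioc.json.
    print(json.dumps(make_ioc_entry(b"\xe8\xcc\x00\x00\x00\x41\x51\x41")))
```

The validation step matters in practice: a single malformed entry (say "0x3" instead of "0x03") should fail loudly when the file is loaded, not silently produce a pattern that never matches.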
CrimsonEDRPanel.exe is then run with the following parameters:
-d <path_to_dll>: path to the CrimsonEDR.dll file;
-p <process_id>: PID of the target process into which the DLL is injected;
Run the command for example:
.\CrimsonEDRPanel.exe -d C:\Temp\CrimsonEDR.dll -p 1234
Precautions
Windows Defender and other antivirus products may flag the DLL as malicious because it embeds the byte sequences it compares against AMSI to detect patches, and those same bytes appear in real AMSI bypasses. When using CrimsonEDR, either add an exclusion for the DLL or temporarily disable the antivirus software so that the test is not interrupted.
Demo of tool usage
Project address
CrimsonEDR:https://github.com/Helixo32/CrimsonEDR
Resources
https://maldevacademy.com/