John U

Results 12 comments of John U

Added more information on how to detect via the new events on patched systems.

IIRC MSDN doesn't document those events. You can dynamically retrieve the property information using the [TDH ETW APIs](https://docs.microsoft.com/en-us/windows/win32/etw/retrieving-event-metadata) though. Or just use a tool like [EtwExplorer](https://github.com/zodiacon/EtwExplorer) which gives you this...

Ah. Probably not. According to [Geoff Chappell](https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/tracesup/perfinfo_groupmask.htm) EVENT_TRACE_FLAG_VAMAP was added in Windows 8.

That's strange. Unfortunately that seems to be a Windows issue. The raw data is available though, so you could attempt to manually parse it. Something like this - ``` if...

CreateThread = `event.code: shellcode_thread and Memory_protection.self_injection:true`
StartAddress = `Target.process.thread.Ext.start_address`
Parameter = `Target.process.thread.Ext.parameter`
ThreadId = `Target.process.thread.id`

Here's a sample event - ``` { "@timestamp": "2023-04-21T08:20:56.0268971Z", "Memory_protection": { "cross_session": false, "feature": "shellcode_thread",...

Noted. Though perhaps the current category should be updated to `Thread Creation` now? Sysmon would then have an 🟧 and each other vendor could be updated as appropriate?

The [sysmon documentation](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-8-createremotethread) indicates that its Event ID 8 is Remote Thread Creation only - not Thread Creation more generally.

Done. Are we confident that Crowdstrike/LimaCharlie/MDE/S1/WatchGuard all monitor local thread creations?

The simplest test would be to see if telemetry is generated for a local unbacked thread. C++ snippet - ``` const char shellcode[] = { // return(42) 0xb8, 0x2a, 0x00,...