feat(evasion): Evasion scanner

This changeset establishes the architecture for the
evasion scanner. Evasion scanner piggybacks on top
of different evasion detectors such as direct syscall
(being the first evasion behaviour implemented).
When the evasion behaviour is detected, the event is
decorated with such evasion in its metadata.

Author: rabbitstack

.github/PULL_REQUEST_TEMPLATE.md

@@ -68,6 +68,8 @@
 
 > /area deps
 
+> /area evasion
+
 > /area other
 
 

.github/workflows/pr.yml

@@ -151,6 +151,10 @@ jobs:
         run: |
           cd yara
           make install
+      - name: Setup test fixtures
+        run: |
+          choco install -y go-task
+          task --taskfile internal/etw/_fixtures/Taskfile.yml all
       - name: Test
         shell: bash
         run: |

configs/fibratus.yml

@@ -156,6 +156,22 @@ handle:
   # Indicates if process handles are collected during startup or when a new process is spawn.
   enumerate-handles: false
 
+# =============================== Evasion ====================================================
+
+# Tweaks for controlling evasion scanner behaviours. Evasion behaviours can represent strong
+# IoC (Indicators of Compromise) such as direct syscall or require a combination of fine-tune
+# exceptions to reduce the alert fatigue.
+evasion:
+# Indicates if evasion detections are enabled global-wise. If disabled, evasion scanner will
+# not try to classify ad-hoc evasion techniques.
+#enabled: true
+
+# Indicates if direct syscall evasion detection is enabled. A direct syscall bypasses Windows
+# API functions and calls the underlying system call directly using the syscall instruction,
+# skipping the NTDLL stub that normally performs the transition to kernel mode.
+#enable-direct-syscall: true
+
+
 # =============================== Event ===============================================
 
 # The following settings control the state of the event.

internal/bootstrap/bootstrap.go

@@ -21,6 +21,7 @@ package bootstrap
 import (
 	"context"
 	"errors"
+	"github.com/rabbitstack/fibratus/internal/evasion"
 	"github.com/rabbitstack/fibratus/pkg/aggregator"
 	"github.com/rabbitstack/fibratus/pkg/alertsender"
 	"github.com/rabbitstack/fibratus/pkg/api"
@@ -138,7 +139,7 @@ func NewApp(cfg *config.Config, options ...Option) (*App, error) {
 	var engine *rules.Engine
 	var rs *config.RulesCompileResult
 
-	if cfg.Filters.Rules.Enabled && !cfg.ForwardMode && !cfg.IsCaptureSet() {
+	if cfg.Filters.Rules.Enabled && !cfg.ForwardMode && !cfg.IsCaptureSet() && !cfg.IsFilamentSet() {
 		engine = rules.NewEngine(psnap, cfg)
 		var err error
 		rs, err = engine.Compile()
@@ -203,9 +204,8 @@ func (f *App) Run(args []string) error {
 	// In case of a regular run, we additionally set up the aggregator.
 	// The aggregator will grab the events from the queue, assemble them
 	// into batches and hand over to output sinks.
-	filamentName := cfg.Filament.Name
-	if filamentName != "" {
-		f.filament, err = filament.New(filamentName, f.psnap, f.hsnap, cfg)
+	if cfg.IsFilamentSet() {
+		f.filament, err = filament.New(cfg.Filament.Name, f.psnap, f.hsnap, cfg)
 		if err != nil {
 			return err
 		}
@@ -234,6 +234,10 @@ func (f *App) Run(args []string) error {
 			f.symbolizer = symbolize.NewSymbolizer(symbolize.NewDebugHelpResolver(cfg), f.psnap, cfg, false)
 			f.evs.RegisterEventListener(f.symbolizer)
 		}
+		// register evasion scanner
+		if cfg.Evasion.Enabled {
+			f.evs.RegisterEventListener(evasion.NewScanner(cfg.Evasion))
+		}
 		// register rule engine
 		if f.engine != nil {
 			f.evs.RegisterEventListener(f.engine)
@@ -314,9 +318,9 @@ func (f *App) ReadCapture(ctx context.Context, args []string) error {
 	if err != nil {
 		return err
 	}
-	filamentName := f.config.Filament.Name
-	if filamentName != "" {
-		f.filament, err = filament.New(filamentName, f.psnap, f.hsnap, f.config)
+
+	if f.config.IsFilamentSet() {
+		f.filament, err = filament.New(f.config.Filament.Name, f.psnap, f.hsnap, f.config)
 		if err != nil {
 			return err
 		}
@@ -355,6 +359,7 @@ func (f *App) ReadCapture(ctx context.Context, args []string) error {
 			return err
 		}
 	}
+
 	return api.StartServer(f.config)
 }
 

internal/etw/_fixtures/Taskfile.yml

@@ -0,0 +1,20 @@
+version: '3'
+
+vars:
+  SYSWHISPERS3_REPO: https://github.com/klezVirus/SysWhispers3.git
+  VISUAL_STUDIO_EDITION: Enterprise
+  VISUAL_STUDIO_VERSION: 2022
+
+tasks:
+  direct-syscall:
+    desc: Builds the binary to perform direct syscalls via Syswhispers generated stubs
+    dir: direct-syscall
+    cmds:
+      - git clone {{ .SYSWHISPERS3_REPO }}
+      - python SysWhispers3/syswhispers.py -a x64 -c msvc -p common -o syscalls
+      - cmd.exe /c 'C:\"Program Files"\"Microsoft Visual Studio"\{{ .VISUAL_STUDIO_VERSION }}\{{ .VISUAL_STUDIO_EDITION }}\VC\Auxiliary\Build\vcvars64.bat && nmake -f Makefile.msvc'
+    silent: true
+
+  all:
+    deps:
+      - direct-syscall

internal/etw/_fixtures/direct-syscall/Makefile.msvc

@@ -0,0 +1,7 @@
+OPTIONS = -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS-
+LIBS = libvcruntime.lib libcmt.lib ucrt.lib kernel32.lib
+
+main:
+  ML64 /c syscalls-asm.x64.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X64
+  cl.exe $(OPTIONS) syscalls.c main.c
+  link.exe /OUT:direct-syscall.exe -nologo $(LIBS) /MACHINE:X64 -subsystem:console -nodefaultlib syscalls-asm.x64.obj syscalls.obj main.obj

internal/etw/_fixtures/direct-syscall/direct-syscall.exe

@@ -0,0 +1,9 @@
+#include "syscalls.h"
+
+#include <Windows.h>
+
+int main(int argc, char* argv[])
+{
+    Sw3NtSetContextThread(-1, NULL);
+    return 0;
+}