just keep writing

This commit is contained in:
Arthur 2024-11-23 00:51:27 +01:00
parent e3c313e93c
commit f305cb206b
2 changed files with 26 additions and 4 deletions

procver/ACNS/acronyms.tex Normal file

@ -0,0 +1,14 @@
\DeclareAcronym{ids}{
short={IDS},
long={Intrusion Detection System}
}
\DeclareAcronym{hids}{
short={HIDS},
long={Host-Based Intrusion Detection System}
}
\DeclareAcronym{os}{
short={OS},
long={Operating System}
}
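Review bot: the `long` forms are title-cased ("Intrusion Detection System", "Host-Based Intrusion Detection System", "Operating System") and acro prints them verbatim, so the first use in running text will render as "an Intrusion Detection System (IDS)" mid-sentence; unless these are meant as proper nouns, lowercase them (`long={intrusion detection system}` etc.) so the expansions match the surrounding prose. The `hids` entry also spells out "Intrusion Detection System" a second time rather than reusing the `ids` wording, so the two will drift apart if one is later edited.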

View file

@ -9,6 +9,9 @@
\usepackage{xcolor} \usepackage{xcolor}
\usepackage{amsfonts} \usepackage{amsfonts}
\usepackage{amssymb} \usepackage{amssymb}
\usepackage{acro}
\input{acronyms}
% Used for displaying a sample figure. If possible, figure files should % Used for displaying a sample figure. If possible, figure files should
% be included in EPS format. % be included in EPS format.
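Review bot: `\input{acronyms}` is resolved against TeX's working directory, not the directory of the file that contains the `\input`, so this only works when the build runs from `procver/ACNS/`; a build started from the repository root or from a wrapper script will fail to find the new `acronyms.tex`. Either document the expected build directory or use a path relative to the main file. Also, nothing in this change calls `\printacronyms`, so loading `acro` will not produce a list of acronyms; that is fine if the venue does not want one, but it should be a deliberate choice.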
@ -85,7 +88,7 @@ Another compleing capability is the ... \agd{find another evasion technic}
This study focuses on another specific evasion domain, process hiding. This study focuses on another specific evasion domain, process hiding.
The list of running processes is an obvious compeling ressource to start detectin malware. The list of running processes is an obvious compeling ressource to start detectin malware.
To detect running malware, one could simply gather the list of all running software and search for known malware. To detect running malware, one could simply gather the list of all running software and search for known malware.
With the list of processes frequently collected, an HIDS \agd{replace acronym} can detect known malware, mine rules, define an activity profile, or detect anomalous situations \agd{}. With the list of processes frequently collected, an \ac{hids} \agd{replace acronym} can detect known malware, mine rules, define an activity profile, or detect anomalous situations.
Staying off the process list is good first step for any malware aiming for stealth. Staying off the process list is good first step for any malware aiming for stealth.
We can categorize the technics achieving this type of evasion between hiding and masquerading. We can categorize the technics achieving this type of evasion between hiding and masquerading.
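Review bot: the `\agd{replace acronym}` marker on the HIDS line is now stale, since this change is exactly the replacement it asked for; drop it so the TODO does not survive into the submitted draft. The article was also left as "an": if this is the first occurrence of `hids`, acro expands it in place to "an Host-Based Intrusion Detection System (HIDS)", which reads wrongly; "a" is correct on the first use and "an" only once the short form "HIDS" is printed, so check where the first use falls or rephrase to avoid the article. The unchanged context on the surrounding lines still carries "compeling", "ressource" and "detectin", which are outside this change but worth fixing in the same pass.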
@ -94,13 +97,18 @@ For process masquerading, the aim is not so much to avoid the listing but to avo
A process masquerading an another will assume its process name and characteristics, with the goal of appearing legitimate on the machine. A process masquerading an another will assume its process name and characteristics, with the goal of appearing legitimate on the machine.
Process hiding and masquerading differ in their ultimate goal but leverage a lot of the same technics. Process hiding and masquerading differ in their ultimate goal but leverage a lot of the same technics.
The core idea of process list manipulation is tampering with the process listing mechanism provided by the OS to the monitoring software. The core idea of process list manipulation is tampering with the process listing mechanism provided by the OS to the monitoring software.
Independently of the OS, attackers often rely on intercepting system's call to remove or replace information or directly manipulating kernel objects. Independently of the \ac{os}, attackers often rely on intercepting system's call to remove or replace information or directly manipulating kernel objects.
For the purpose of this study, we do not differentiate between Unix-based OSs and Windows systems as process hiding is a common practice for malware in both environments. For the purpose of this study, we do not differentiate between Unix-based OSs and Windows systems as process hiding is a common practice for malware in both environments.
% there are detection methods but they are all host-based and dommed to be bypassed
Of course, many methods have been proposed and implemented to detect or counter process list tampering.
These methods --- although they leverage different mechanisms --- are all host-based.
This create a circular dependency where the \ac{ids} rely on the host system to provide the very information leveraged to assess its integrity.
As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide adequate protection.
% is it a bird? is it a plane? No its the good old power consumption!
% Thank you king of sweden. No it was nothing you are welcome. Ok get home safe now. Byeeee.
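Review bot: the `\ac{os}` replacement is inconsistent with its immediate context: the line just above still reads "provided by the OS" in plain text and the line below has "Unix-based OSs", so the acronym is introduced after the bare form has already appeared, and the plural could use `\acp{os}`. In the new paragraph, "This create" should be "This creates", "the \ac{ids} rely" should be "relies", "rootkis" should be "rootkits", "countermesures" should be "countermeasures" and "technics" should be "techniques" (the comment's "dommed" should be "doomed"). The statement that future host-based countermeasures based on similar techniques will also be inadequate is asserted without support; either cite prior work on rootkit detection bypass or phrase it as the paper's own hypothesis. The two joke comments at the end should be removed before this goes anywhere near a submission.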