BLACK HAT ASIA – Singapore – Windows fibers, little-known components of the Windows operating system, represent a largely undocumented code execution route that exists exclusively in user mode and is therefore largely neglected by endpoint detection and response (EDR) platforms. As such, it is possible for attackers to exploit them to stealthily land on PCs and deploy malicious payloads.
This is according to Daniel Jary, an independent security researcher, who presented two new proof-of-concept (PoC) attacks using fibers in a session at Black Hat Asia on Thursday.
Fibers are an alternative to the standard “threads” that Windows uses to run operating system or application code, he explains.
“Threads are essentially like workers, within a Windows process or application, and traditionally they’ve always been the way that you run code and get things done,” he explains to Dark Reading. “But there is a more specialized way to do it, through fibers.”
Fibers: a forgotten and neglected path of the Windows operating system
Fibers, when used, exist within threads: they are essentially smaller, lighter units of execution hosted by the larger thread. Fibers were initially developed at a time when processors had fewer cores and could only accommodate a limited number of threads. At a high level, fibers were a way to expand capacity, allowing developers to split workloads within a single thread and make processes more efficient.
“But as computers have become more powerful, with more memory to play with, fibers have become somewhat redundant in the vast majority of scenarios,” says Jary. “That’s why a lot of people haven’t really heard of them and they’re a little obscure, but they serve several purposes for some old legacy applications and allow you to port programs from other operating systems to Windows. And some Windows processes themselves still use fibers.”
Thus, fibers enjoy the dubious honor of being both an essential feature of Windows and one neglected by security teams. For starters, Jary notes that the traditional detection mechanisms of EDR platforms and antivirus engines tend to ignore them, making them an ideal stealth way to execute malicious code.
“Threads are heavily monitored by EDR agents, which examine system calls and kernel mode callbacks to capture telemetry and send it to a rules engine to generate detection,” explains Jary. “But fibers only exist in user mode and don’t appear in the kernel’s collection, so their telemetry isn’t actually recorded by EDRs.”
Some open source techniques already exist to take advantage of the little-known status of fibers. A 2022 PoC, for example, details a method for hiding malicious shellcode in a fiber, thus evading the majority of AV engines.
Others have created methods for hiding the call stack, which allow attackers to hide a malicious execution path within a thread (in this case, a fiber) behind another, dormant, harmless fiber that also evades detection. The technique takes advantage of the fact that whenever fibers are used, there is always an active fiber and a dormant fiber that it switches with. This cloaking ability was added to the Cobalt Strike artifact kit in 2022.
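The mechanism the preceding paragraphs describe (several fibers hosted by one thread, exactly one of them active at a time, the rest parked, and every switch happening in user mode without the kernel scheduler's involvement) can be seen in a few lines of C. The program below is an added illustration written for this article; it is not code from Jary's talk or from any of the PoCs mentioned. On Windows it uses the documented Win32 fiber API (ConvertThreadToFiber, CreateFiber, SwitchToFiber, DeleteFiber, ConvertFiberToThread); on other platforms it falls back to POSIX ucontext (makecontext/swapcontext), the closest portable analogue, so it also builds and runs on Linux. The worker fiber parks itself twice and is resumed each time by the host, and both fibers record the kernel thread ID they observe, which is the same: that is the telemetry gap the article is about, since thread-centric collection sees one thread and never a fiber switch. Function and variable names are the example's own.

```c
/*
 * Added demonstration for this article (not from the talk or any PoC):
 * a minimal cooperative fiber program. Windows: real Win32 fiber API.
 * Elsewhere: POSIX ucontext as a stand-in. In both cases every switch is
 * a user-mode context swap inside ONE kernel thread. Note that glibc's
 * swapcontext does issue a signal-mask syscall, so only the Win32 path is
 * truly syscall-free; the structure of the exchange is the same on both.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>

#define STACK_SIZE (64 * 1024)
#define TRACE_MAX 16

/* Execution trace and thread-id observations, filled in as we switch. */
static char g_trace[TRACE_MAX][16];
static int g_steps = 0;
static unsigned long g_tid_main = 0, g_tid_fiber = 0;

static void record(const char *who) {
    if (g_steps < TRACE_MAX) {
        strncpy(g_trace[g_steps], who, sizeof g_trace[0] - 1);
        g_trace[g_steps][sizeof g_trace[0] - 1] = '\0';
        g_steps++;
    }
}

#ifdef _WIN32
#include <windows.h>
static LPVOID g_main_fiber, g_worker_fiber;
static unsigned long current_tid(void) { return (unsigned long)GetCurrentThreadId(); }
static void switch_to_worker(void) { SwitchToFiber(g_worker_fiber); }
static void switch_to_main(void)   { SwitchToFiber(g_main_fiber); }
static void CALLBACK worker(LPVOID arg) {
    (void)arg;
    g_tid_fiber = current_tid();           /* same thread as the host fiber */
    record("worker-1"); switch_to_main();  /* park: worker is now dormant */
    record("worker-2"); switch_to_main();  /* resumed exactly where it left */
}
#else
#include <ucontext.h>
#include <unistd.h>
#include <sys/syscall.h>
static ucontext_t g_main_ctx, g_worker_ctx;
static char g_worker_stack[STACK_SIZE];
static unsigned long current_tid(void) { return (unsigned long)syscall(SYS_gettid); }
static void switch_to_worker(void) { swapcontext(&g_main_ctx, &g_worker_ctx); }
static void switch_to_main(void)   { swapcontext(&g_worker_ctx, &g_main_ctx); }
static void worker(void) {
    g_tid_fiber = current_tid();           /* same thread as the host context */
    record("worker-1"); switch_to_main();  /* park: worker is now dormant */
    record("worker-2"); switch_to_main();  /* resumed exactly where it left */
}
#endif

/* Runs the demo on the calling thread; returns the number of recorded steps. */
int run_fiber_demo(void) {
    g_steps = 0;
    g_tid_main = current_tid();
#ifdef _WIN32
    g_main_fiber   = ConvertThreadToFiber(NULL);            /* the thread's own fiber */
    g_worker_fiber = CreateFiber(STACK_SIZE, worker, NULL); /* created, not yet running */
#else
    getcontext(&g_worker_ctx);
    g_worker_ctx.uc_stack.ss_sp   = g_worker_stack;
    g_worker_ctx.uc_stack.ss_size = sizeof g_worker_stack;
    g_worker_ctx.uc_link          = &g_main_ctx;
    makecontext(&g_worker_ctx, worker, 0);
#endif
    record("main-1");
    switch_to_worker();   /* worker runs until it parks itself */
    record("main-2");     /* worker is dormant, host is active again */
    switch_to_worker();   /* the host, not the worker, triggers its resumption */
    record("main-3");     /* worker is dormant again and is never resumed */
#ifdef _WIN32
    DeleteFiber(g_worker_fiber);
    ConvertFiberToThread();
#endif
    return g_steps;
}

/* 1 if both fibers observed the same kernel thread id, else 0. */
int same_kernel_thread(void) { return g_tid_main != 0 && g_tid_main == g_tid_fiber; }

/* Trace entry at index i, or "" when out of range. */
const char *trace_step(int i) { return (i >= 0 && i < g_steps) ? g_trace[i] : ""; }

int main(void) {
    int n = run_fiber_demo();
    for (int i = 0; i < n; i++) printf("%d: %s\n", i, trace_step(i));
    printf("same kernel thread for both fibers: %s\n", same_kernel_thread() ? "yes" : "no");
    return 0;
}
```

The trace comes out as main-1, worker-1, main-2, worker-2, main-3: the worker is always either running or parked mid-function, there is never more than one fiber active, and the host decides when the dormant one runs again. Nothing in that exchange creates a thread, so a sensor keyed on thread creation, thread start addresses, or kernel thread callbacks records a single ordinary thread the whole time.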
New Frontiers in Malicious Fiber Execution
Jary set out to explore whether it was possible to improve on existing malicious fiber techniques and proposed two new PoCs, dubbed Phantom Thread and Poison Fiber.
Existing adversarial fiber methods have some drawbacks for attackers: some indicators can still be used for EDR detection, and the malicious activity is not hidden from inline, event-based call stack collection. Any technique that collects dormant fibers, of which several exist, would defeat the call stack hiding.
Phantom Thread is a next-generation call stack hiding approach that removes the ability of memory scans to target fibers by passing them off as threads. This involves creating a fiber and then patching it so that it identifies as a thread. It then becomes possible to remove all fiber call stack indicators and completely hide the fibers from any analysis.
The second PoC, Poison Fiber, enumerates all running Windows processes, examines the threads in use, and determines if any of those threads are using fibers. Then, “it gives you the ability to inject your payload or shellcode into a dormant fiber,” Jary explains.
“You can only run one fiber per thread at a time, which means you always have another dormant fiber parked elsewhere on the stack,” he explains. “When we run our code using Poison Fiber, it injects our code into a dormant fiber, so we don’t need to suspend the thread to inject the shellcode, which is a huge indicator of malicious activity. And because we’ve injected the payload into a dormant fiber, the application triggers the execution for us, and we don’t initiate the execution ourselves. The technique also has the advantage of enabling remote code execution (RCE).”
Wake up to the adversarial potential of fibers
While still somewhat obscure, fibers should be on security teams’ list of attack vectors, warns Jary, who has yet to publicly release his evolved PoCs or granular details about the methods. He believes it’s only a matter of time before others find ways to overcome the drawbacks of existing open source fiber delivery methods.
“Fibers’ alternative execution method is valuable to attackers because it helps us bypass the traditional telemetry sources we get with threads, particularly kernel callbacks,” he explains. “Fibers are not a privilege escalation tactic or a user account control (UAC) bypass. But they enable payload delivery that attracts far less attention from the security community. Fibers are really simple to use, but they are harder to detect, making them perfect for any script kiddie to use to attack businesses.”
Jary advises implementing mature EDR products that can be continually tested against emerging techniques like these.
“Talk to your red teams about open source fiber methods used in the wild,” he says. “Do some research to see what attackers like, what’s popular in the wild, and then feed that back to your research team and your EDR product developers. This will help build better defenses and will likely make the lives of your threat hunters a little easier too.”