Summary
In December 2022 we assisted with an incident response investigation in which the threat actor stealthily impaired an EDR agent using malware we refer to as “CS-Paralyzer”. In this incident CrowdStrike was the targeted EDR: the attack disabled the sensor’s ability to generate alerts while still allowing telemetry back to the console, so the sensor continued to look healthy. The attack we observed focused on CrowdStrike, but the concept could extend to other EDR platforms, as CrowdStrike noted in its own blog post covering its analysis of this threat actor.
It is also important to note that the threat actor first needed administrative access to the given endpoint (the loader must be run as an administrator), but once executed, the malware rendered the EDR ineffective. This is less an initial access threat than a persistence, privilege escalation and lateral movement risk.
Detailed Assessment
The primary component is a Windows kernel-mode driver that, once loaded into memory, modifies components of the CrowdStrike csagent.sys driver. The module is specific to the version of the CrowdStrike sensor in use and will bluescreen the system if executed while a different sensor version is running. The IOCs below are specific to sensor version 6.45.15908; SRA does not currently have builds for any other version. The file is signed with one of the stolen NVIDIA code-signing certificates leaked by LAPSUS$ (thumbprint ce566e0c55909bbf2bb0d43280ee78b4ba3d582f). Although signed, that certificate has been revoked, so the module cannot be loaded directly on modern Windows systems with driver signature enforcement. To load it without placing the system in test-signing mode, a second exploit (see below) is used to bypass the signing protection.
CS-PARALYZER.sys
  MD5: 58302A229C5A3372A9DBED9D3A7C3A69
  SHA-1: CC5738CFCAFC70AB7AA60B463D3948F1A8028551
  SHA-256: CD816D73FE439AB8C50D442FF33302BA59AE291DE2FB2952E69E4861FFE128F5
hi.exe is a Windows executable that uses a known exploit against the signed Intel iqvw64e.sys driver (CVE-2015-2291, an Intel Ethernet diagnostics driver whose IOCTL interface lets a local administrator read and write arbitrary kernel memory) to map other, unsigned drivers into memory. A proof of concept of the technique can be found at https://github.com/noahbelsito/inteloops. Here it is used to load the CS-PARALYZER.sys module. It must be run as an administrator and takes a single command-line argument, the name of the driver file to load, e.g. “hi.exe CS-PARALYZER.sys”.
hi.exe
  MD5: C7FA8EDA1A57B3DBC07CA93DE81D3E6B
  SHA-1: 512C7CBFB462A67A6C0E540BF796AB53EEF408DB
  SHA-256: 4B8D3D6E379D70CCDC7AFEFB5DA7EEE7583F6F1405C98C8A452FB17490F4BA7C
HelloWorld.sys is a test driver found alongside the other artifacts.
HelloWorld.sys
  MD5: 1E05F3934C682547949993C420DC9116
  SHA-1: 0778B7A418EA0BD9A7E53A48145029F8FBC5D38F
  SHA-256: 6B0C82FF3F0F0E2B22CDDCB0D7AA7E75DAA03A64BAF358D00A071E89F3E85643
Official, Microsoft Signed Binaries
The following are legitimate Microsoft-signed binaries found alongside the above artifacts. The “d” suffix marks them as the debug builds of the Visual C++ runtime, which ship with Visual Studio rather than with Windows or the VC++ Redistributable, so the usermode loader (hi.exe) was evidently built in a Debug configuration and dropped together with its runtime dependencies; the executable may also have hardcoded search paths or version numbers.
DO NOT WRITE DETECTIONS BASED ON THE PRESENCE OF THESE FILES ALONE. THEY ARE LEGITIMATE MICROSOFT FILES AND WILL BE PRESENT ON ANY SYSTEM WITH VISUAL STUDIO OR OTHER DEVELOPER TOOLING INSTALLED.
concrt140d.dll
  MD5: B6C85D6037CDB62ED50BBBF84D83263A
  SHA-1: 08484C7943B48CBD90C7FB69BEC543EC70BA2ABF
  SHA-256: 269D7880CF08F778601BC39815E7E4ADC2FD1163FE36FE8AE900B8558B5A4332
msvcp140d.dll
  MD5: E52828D6280060A3F8B43FBD9704557F
  SHA-1: 48718210B21C4AC684238A489B6BDA6F0027A3FD
  SHA-256: C099E5BFB4C07A30C8925ECE47C22FA53F5BBF50E2624FCD9EF50333DDA6924A
msvcp140d_atomic_wait.dll
  MD5: 4ED22F3A7D8805F409123E3459D2B54F
  SHA-1: FF24AB2F07C1F3B7F52AFEC1A836C2EF6616CB1A
  SHA-256: 70A2B357B39E43D4F7941397974F5BE5A992CF59D69DE3E2E6896837CEA61FE0
msvcp140d_codecvt_ids.dll
  MD5: 3B862F9AA0BDDD132A7CD4852AD3BBEF
  SHA-1: 7D7C12972A74498B7A7CC3EA823B03E072714E57
  SHA-256: DAB59871DAECE0B5AD8B06E7F441E2F83EC3662231AFC27C1AC8E706C0BD404F
msvcp140_1d.dll
  MD5: 0A5034E247A0AE8146F8D66718274C6A
  SHA-1: E278B95595E86A84B9089878DEEB19F5389F6911
  SHA-256: 5409695C60C5A34874FF7505227A832D91D7A6A0C97D5B926E75A65F5F64CFE1
msvcp140_2d.dll
  MD5: 9939AE4C7355373B9219D6FD6F7D8B84
  SHA-1: 9A3D7A460093CEFC3CFD2E3644DA0B015D27CB23
  SHA-256: D30C50434CC6243D17E654C63CCC5BAF9BC1DF7F87FFBCF14B27B8BF3CAE91F7
ucrtbased.dll
  MD5: FFC3B14A9C1280517429E805ED9625B2
  SHA-1: D54A864A4061F2AE286AE6C77790D4CFB9344BB0
  SHA-256: 474884886266E2CC01C8025751A153670749247F327AFD8AE1FCA99E273E57F8
vccorlib140d.dll
  MD5: 25BA0BD7C434C0AA31835B10139024CE
  SHA-1: 80D0F7496A439940D3AF06C18A0C30F51080BC1A
  SHA-256: D2643A240700F0A9CDDDF4BE1BE24174F307676561960A04B3236E0F7AEC403E
vcruntime140d.dll
  MD5: 818F6CC6C15193F47BCBEA6BE40249EB
  SHA-1: F86219279DE40C1F570BD57F7F85482223872924
  SHA-256: 9C24F0316E9513F5303566FE5358427DD90A594C8AF6E3A97524FF55F90B37DF
vcruntime140_1d.dll
  MD5: 47C6D20B6B6810FED24F9CEBCE6028BC
  SHA-1: AAB843286C009923902CD9B29BAF2BEAE9FC182F
  SHA-256: 1B92F128A643D48F7CC5454BECACEBAD5D887427530E651C3D48324FF0839B3C
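The following is an added hash-triage script, not code from SRA. It walks a directory, hashes every file, and matches against the SHA-256 values listed above, but encodes the warning just given: the debug CRT DLLs are reported only as supporting context next to a real hit and never produce a finding on their own. The directory layout and the sample inventory used to exercise it are constructed.

```python
"""Hash-based triage of a directory against the CS-PARALYZER artifact set.

Added example, not SRA's code. SHA-256 values are the ones listed in the
write-up above. The debug CRT DLLs are legitimate Microsoft files and never
produce a finding by themselves; they are surfaced only as context.
"""
import hashlib
from pathlib import Path

# Malicious artifacts (SHA-256, from the IOC list above).
MALICIOUS_SHA256 = {
    "CD816D73FE439AB8C50D442FF33302BA59AE291DE2FB2952E69E4861FFE128F5": "CS-PARALYZER.sys",
    "4B8D3D6E379D70CCDC7AFEFB5DA7EEE7583F6F1405C98C8A452FB17490F4BA7C": "hi.exe",
    "6B0C82FF3F0F0E2B22CDDCB0D7AA7E75DAA03A64BAF358D00A071E89F3E85643": "HelloWorld.sys",
}

# Legitimate Microsoft debug CRT DLLs dropped next to the loader. Context only.
CONTEXT_SHA256 = {
    "269D7880CF08F778601BC39815E7E4ADC2FD1163FE36FE8AE900B8558B5A4332": "concrt140d.dll",
    "C099E5BFB4C07A30C8925ECE47C22FA53F5BBF50E2624FCD9EF50333DDA6924A": "msvcp140d.dll",
    "70A2B357B39E43D4F7941397974F5BE5A992CF59D69DE3E2E6896837CEA61FE0": "msvcp140d_atomic_wait.dll",
    "DAB59871DAECE0B5AD8B06E7F441E2F83EC3662231AFC27C1AC8E706C0BD404F": "msvcp140d_codecvt_ids.dll",
    "5409695C60C5A34874FF7505227A832D91D7A6A0C97D5B926E75A65F5F64CFE1": "msvcp140_1d.dll",
    "D30C50434CC6243D17E654C63CCC5BAF9BC1DF7F87FFBCF14B27B8BF3CAE91F7": "msvcp140_2d.dll",
    "474884886266E2CC01C8025751A153670749247F327AFD8AE1FCA99E273E57F8": "ucrtbased.dll",
    "D2643A240700F0A9CDDDF4BE1BE24174F307676561960A04B3236E0F7AEC403E": "vccorlib140d.dll",
    "9C24F0316E9513F5303566FE5358427DD90A594C8AF6E3A97524FF55F90B37DF": "vcruntime140d.dll",
    "1B92F128A643D48F7CC5454BECACEBAD5D887427530E651C3D48324FF0839B3C": "vcruntime140_1d.dll",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256; uppercase hex to match the IOC list."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root to its SHA-256."""
    return {str(p): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def triage(inventory: dict) -> dict:
    """Classify a {path: sha256} inventory.

    verdict is 'malicious' when any known-bad hash is present, 'context-only'
    when only the debug CRT DLLs are present (do not alert on this), else 'clean'.
    """
    hits, context = {}, {}
    for path, digest in inventory.items():
        digest = digest.upper()
        if digest in MALICIOUS_SHA256:
            hits[path] = MALICIOUS_SHA256[digest]
        elif digest in CONTEXT_SHA256:
            context[path] = CONTEXT_SHA256[digest]
    if hits:
        verdict = "malicious"
    elif context:
        verdict = "context-only"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "context": context}


if __name__ == "__main__":
    import sys
    result = triage(hash_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")))
    print(result["verdict"])
    for path, name in result["hits"].items():
        print(f"  HIT      {name:<20} {path}")
    for path, name in result["context"].items():
        print(f"  context  {name:<20} {path}")
```

Run it against a suspect directory (`python triage.py C:\Users\jdoe\AppData\Local\Temp`); a `context-only` verdict means only the debug runtimes were found and should not be escalated on its own.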
Custom Detection Methodology
These need to be implemented as scheduled searches in CrowdStrike; CrowdStrike custom IOAs do not currently support all of the specifiers needed to express them. The first query is the “all-in-one” that combines the following three queries, to cut down on the number of searches that must be scheduled. All three look for the Intel driver exploit needed to load CS-PARALYZER into memory; THEY DO NOT DETECT CS-PARALYZER ITSELF. Of the three, the PE File Written query is the loosest, since it keys only on the Intel driver’s OriginalFilename and the Temp path; the Driver Load query is the tightest, because it also requires the leaked NVIDIA certificate thumbprint.
Three Detections in One
(index=main source=main TERM(AppData) TERM(Local) TERM(Temp)) AND ((TERM(iQVW64) OriginalFilename=iQVW64.SYS AND ((event_simpleName=PeFileWritten TERM(PeFileWritten) FilePath=*\\AppData\\Local\\Temp\\) OR (event_simpleName=DriverLoad TERM(DriverLoad) TERM(ce566e0c55909bbf2bb0d43280ee78b4ba3d582f) CertificateThumbprint=ce566e0c55909bbf2bb0d43280ee78b4ba3d582f FilePath=*\\AppData\\Local\\Temp\\))) OR (event_simpleName=AsepValueUpdate TERM(AsepValueUpdate) TERM(ImagePath) TERM(ControlSet001) TERM(Services) RegValueName=ImagePath RegObjectName=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\* RegStringValue=*\\AppData\\Local\\Temp\\* RegStringValue!=*\\AppData\\Local\\Temp\\*.*))
PE File Written
This query looks for the Intel driver (OriginalFilename iQVW64.SYS) being written to the user’s AppData\Local\Temp directory as part of the injection process.
index=main source=main sourcetype=PeFileWrittenV19-v02 event_simpleName=PeFileWritten TERM(iQVW64) TERM(PeFileWritten) TERM(AppData) TERM(Local) TERM(Temp) OriginalFilename=iQVW64.SYS FilePath=*\\AppData\\Local\\Temp\\
Driver Load
This query looks for a Windows driver load event as part of the injection process: a driver with OriginalFilename iQVW64.SYS, loaded from the user’s Temp directory and signed with the leaked NVIDIA certificate (thumbprint ce566e0c55909bbf2bb0d43280ee78b4ba3d582f).
index=main source=main sourcetype=DriverLoadV4-v02 event_simpleName=DriverLoad TERM(iQVW64) TERM(DriverLoad) TERM(ce566e0c55909bbf2bb0d43280ee78b4ba3d582f) TERM(AppData) TERM(Local) TERM(Temp) CertificateThumbprint=ce566e0c55909bbf2bb0d43280ee78b4ba3d582f OriginalFilename=iQVW64.SYS FilePath=*\\AppData\\Local\\Temp\\
ASEP Value Update
This query looks for the service registration created as part of the injection process: an ImagePath value under HKLM\SYSTEM\ControlSet001\Services pointing at a file in the user’s AppData\Local\Temp directory. The final clause excludes any value whose target under Temp carries a file extension, so only extension-less temporary file names match. Note that the key path is hardcoded to ControlSet001; on a host whose current control set resolves to a different ControlSet00N, the RegObjectName in the event will not match and the query needs adjusting.
index=main source=main sourcetype=AsepValueUpdateV7-v02 event_simpleName=AsepValueUpdate TERM(ControlSet001) TERM(Services) TERM(AppData) TERM(ImagePath) TERM(AsepValueUpdate) RegValueName=ImagePath RegObjectName=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\* RegStringValue=*\\AppData\\Local\\Temp\\* RegStringValue!=*\\AppData\\Local\\Temp\\*.*
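To make the three conditions above concrete and testable outside Splunk, here is an added reference implementation (not SRA’s or CrowdStrike’s code) that re-expresses each scheduled search as a Python predicate and runs all three over constructed CrowdStrike-style events. Assumptions: field names follow the queries (event_simpleName, OriginalFilename, FilePath, CertificateThumbprint, RegObjectName, RegValueName, RegStringValue); string comparisons are case-insensitive; FilePath is matched anywhere in the path rather than only at its end as the Splunk wildcard does; the sample paths, user name and random service name are made up.

```python
"""Reference implementation of the three CS-PARALYZER loader detections.

Added example, not SRA's or CrowdStrike's code. Each function mirrors one of
the scheduled searches above; detect() is the "three detections in one".
Sample events are constructed, not real telemetry.
"""
import re

# Leaked NVIDIA code-signing certificate required by the Driver Load query.
NVIDIA_LEAKED_THUMBPRINT = "ce566e0c55909bbf2bb0d43280ee78b4ba3d582f"
# OriginalFilename from the PE version info of the vulnerable Intel driver.
INTEL_ORIGINAL_FILENAME = "iqvw64.sys"

# Assumption: matching ...\AppData\Local\Temp\ anywhere in the path.
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
SERVICES_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\", re.IGNORECASE)


def _eq(ev, field, expected):
    """Case-insensitive field comparison (assumption; Splunk behaviour may differ)."""
    return ev.get(field, "").lower() == expected.lower()


def pe_file_written(ev):
    """PE File Written: the Intel driver dropped into the user's Temp directory."""
    return (_eq(ev, "event_simpleName", "PeFileWritten")
            and _eq(ev, "OriginalFilename", INTEL_ORIGINAL_FILENAME)
            and USER_TEMP.search(ev.get("FilePath", "")) is not None)


def driver_load(ev):
    """Driver Load: the Intel driver loaded from Temp, signed with the leaked cert."""
    return (_eq(ev, "event_simpleName", "DriverLoad")
            and _eq(ev, "OriginalFilename", INTEL_ORIGINAL_FILENAME)
            and _eq(ev, "CertificateThumbprint", NVIDIA_LEAKED_THUMBPRINT)
            and USER_TEMP.search(ev.get("FilePath", "")) is not None)


def asep_value_update(ev):
    """ASEP Value Update: a service ImagePath under ControlSet001\\Services that
    points into Temp at a target with no file extension. The extension test
    mirrors the query's RegStringValue!=*\\AppData\\Local\\Temp\\*.* clause."""
    if not (_eq(ev, "event_simpleName", "AsepValueUpdate")
            and _eq(ev, "RegValueName", "ImagePath")
            and SERVICES_KEY.match(ev.get("RegObjectName", ""))):
        return False
    value = ev.get("RegStringValue", "")
    m = USER_TEMP.search(value)
    return m is not None and "." not in value[m.end():]


RULES = (("PeFileWritten", pe_file_written),
         ("DriverLoad", driver_load),
         ("AsepValueUpdate", asep_value_update))


def detect(events):
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES if rule(ev)]


# Constructed sample events. Paths, user name and the random service name are made up.
TEMP = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"event_simpleName": "PeFileWritten", "OriginalFilename": "iQVW64.SYS",
     "FilePath": TEMP},
    {"event_simpleName": "DriverLoad", "OriginalFilename": "iQVW64.SYS",
     "CertificateThumbprint": "CE566E0C55909BBF2BB0D43280EE78B4BA3D582F",
     "FilePath": TEMP},
    {"event_simpleName": "AsepValueUpdate", "RegValueName": "ImagePath",
     "RegObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\hqzvmlbkrt",
     "RegStringValue": "\\??\\" + TEMP + "hqzvmlbkrt"},
    # Service registered from Temp but with a .sys extension: excluded by design.
    {"event_simpleName": "AsepValueUpdate", "RegValueName": "ImagePath",
     "RegObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\vendorsetup",
     "RegStringValue": TEMP + "setup\\vendor.sys"},
    # Intel driver loaded from System32 with a placeholder thumbprint: no hit.
    {"event_simpleName": "DriverLoad", "OriginalFilename": "iQVW64.SYS",
     "CertificateThumbprint": "0000000000000000000000000000000000000000",
     "FilePath": "C:\\Windows\\System32\\drivers\\"},
    {"event_simpleName": "ProcessRollup2", "FileName": "hi.exe", "FilePath": TEMP},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two negative events show the deliberate gaps: a driver registered from Temp with a normal .sys name is not matched (mirroring the `!=*.*` exclusion), and an Intel driver loaded from System32, or loaded with any certificate other than the leaked NVIDIA one, is not matched by the Driver Load rule.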