CS-Paralyzer: CrowdStrike EDR Impairment and Detections for Your Team

Jan 18, 2023

Summary

In December 2022 we assisted with an incident response investigation in which the threat actor stealthily impaired an EDR agent using malware called “CS-Paralyzer”. In this incident, CrowdStrike was the targeted EDR: the attack disabled the sensor’s ability to generate alerts while still allowing telemetry to flow back to the console. The attack we observed focused on CrowdStrike, but the concept could extend to other EDR platforms, as CrowdStrike notes in the blog post covering their analysis of this threat actor.

It is also important to note that the threat actor first needed access to the given endpoint; once executed, however, the malware rendered the EDR ineffective. This is less an initial access threat than a persistence, privilege escalation and lateral movement risk.


Detailed Assessment

The primary exploit is a Windows kernel-mode driver that, once loaded into memory, modifies components of the CrowdStrike csagent.sys driver. The module is specific to the version of the CrowdStrike sensor in use and will bluescreen the system if executed while a different sensor version is running. The IOCs below are specific to sensor version 6.45.15908; SRA does not currently have any other versions available. The file is signed with one of the stolen NVIDIA certificates leaked by LAPSUS$, thumbprint ce566e0c55909bbf2bb0d43280ee78b4ba3d582f. Although the file is signed, these certificates have been revoked, so the module cannot be loaded directly on modern Windows systems with driver signature enforcement. To load the module without placing the system in test mode, a second exploit (described below) is used to bypass the signing protection.

CS-PARALYZER.sys
MD5: 58302A229C5A3372A9DBED9D3A7C3A69
SHA-1: CC5738CFCAFC70AB7AA60B463D3948F1A8028551
SHA-256: CD816D73FE439AB8C50D442FF33302BA59AE291DE2FB2952E69E4861FFE128F5

This Windows executable uses a known exploit against the signed Intel iqvw64e.sys driver to load other, unsigned drivers into memory. A POC of the code can be found here: https://github.com/noahbelsito/inteloops. The executable uses this technique to load the CS-PARALYZER.sys module into memory. It must be run as an administrator and takes a single command-line argument, the name of the module to load, e.g. “hi.exe CS-PARALYZER.sys”.

hi.exe
MD5: C7FA8EDA1A57B3DBC07CA93DE81D3E6B
SHA-1: 512C7CBFB462A67A6C0E540BF796AB53EEF408DB
SHA-256: 4B8D3D6E379D70CCDC7AFEFB5DA7EEE7583F6F1405C98C8A452FB17490F4BA7C

This is a testing module found alongside the other artifacts.

HelloWorld.sys
MD5: 1E05F3934C682547949993C420DC9116
SHA-1: 0778B7A418EA0BD9A7E53A48145029F8FBC5D38F
SHA-256: 6B0C82FF3F0F0E2B22CDDCB0D7AA7E75DAA03A64BAF358D00A071E89F3E85643


Official, Microsoft Signed Binaries

The following are legitimate Microsoft-signed binaries found alongside the above artifacts. They are debug builds of the Visual C++ runtime and appear to be dependencies of the user-mode executable component, which may have hard-coded search paths or version numbers.

DO NOT WRITE DETECTIONS BASED ON THE PRESENCE OF THESE FILES ALONE; THEY WILL BE PRESENT ON ANY LEGITIMATE WINDOWS INSTALLATION.


Custom Detection Methodology

These need to be implemented as scheduled searches in CrowdStrike, because CrowdStrike IOAs do not currently support all of the specifiers needed to implement them. The first query listed is the “all-in-one”: it combines the following three queries to cut down on the number of searches that need to be run. All three queries look for the Intel driver exploit needed to load CS-PARALYZER into memory. THEY DO NOT DETECT CS-PARALYZER ITSELF.


Three Detections in One

(index=main source=main TERM(AppData) TERM(Local) TERM(Temp))
AND (
    (
        TERM(iQVW64) OriginalFilename=iQVW64.SYS
        AND (
            (event_simpleName=PeFileWritten TERM(PeFileWritten) FilePath=*\\AppData\\Local\\Temp\\)
            OR (event_simpleName=DriverLoad TERM(DriverLoad) TERM(ce566e0c55909bbf2bb0d43280ee78b4ba3d582f) CertificateThumbprint=ce566e0c55909bbf2bb0d43280ee78b4ba3d582f FilePath=*\\AppData\\Local\\Temp\\)
        )
    )
    OR (event_simpleName=AsepValueUpdate TERM(AsepValueUpdate) TERM(ImagePath) TERM(ControlSet001) TERM(Services) RegValueName=ImagePath RegObjectName=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\* RegStringValue=*\\AppData\\Local\\Temp\\* RegStringValue!=*\\AppData\\Local\\Temp\\*.*)
)


PE File Written

This query looks for the Intel iqvw64.sys driver being written to a user’s AppData\Local\Temp directory as part of the injection process.

index=main source=main sourcetype=PeFileWrittenV19-v02 event_simpleName=PeFileWritten TERM(iQVW64) TERM(PeFileWritten) TERM(AppData) TERM(Local) TERM(Temp) OriginalFilename=iQVW64.SYS FilePath=*\\AppData\\Local\\Temp\\


Driver Load

This query looks for a Windows driver load event in which the Intel driver is loaded from AppData\Local\Temp and carries the revoked NVIDIA certificate thumbprint, as part of the injection process.

index=main source=main sourcetype=DriverLoadV4-v02 event_simpleName=DriverLoad TERM(iQVW64) TERM(DriverLoad) TERM(ce566e0c55909bbf2bb0d43280ee78b4ba3d582f) TERM(AppData) TERM(Local) TERM(Temp) CertificateThumbprint=ce566e0c55909bbf2bb0d43280ee78b4ba3d582f OriginalFilename=iQVW64.SYS FilePath=*\\AppData\\Local\\Temp\\


ASEP Value Update

This query looks for a service ImagePath registry value under HKLM\SYSTEM\ControlSet001\Services that points into AppData\Local\Temp, written as part of the injection process.

index=main source=main sourcetype=AsepValueUpdateV7-v02 event_simpleName=AsepValueUpdate TERM(ControlSet001) TERM(Services) TERM(AppData) TERM(ImagePath) TERM(AsepValueUpdate) RegValueName=ImagePath RegObjectName=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\* RegStringValue=*\\AppData\\Local\\Temp\\* RegStringValue!=*\\AppData\\Local\\Temp\\*.*
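The three scheduled-search conditions above (and the all-in-one that combines them), re-implemented as an added example for offline testing. This is not code from the advisory: it runs the same field logic over constructed sample events with hypothetical host names, and, as in CrowdStrike event search, treats FilePath as the directory part of the path.

```python
# Added example (not code from the advisory): the three scheduled-search
# conditions above re-implemented in Python over constructed sample events,
# so the matching logic can be tested offline. Field names mirror the queries;
# as in CrowdStrike event search, FilePath holds only the directory part.
import fnmatch

NVIDIA_THUMBPRINT = "ce566e0c55909bbf2bb0d43280ee78b4ba3d582f"  # from the advisory
TEMP_DIR = "*\\AppData\\Local\\Temp\\"          # FilePath=*\\AppData\\Local\\Temp\\
TEMP_ANY = "*\\AppData\\Local\\Temp\\*"         # RegStringValue=*\\AppData\\Local\\Temp\\*
TEMP_WITH_EXT = "*\\AppData\\Local\\Temp\\*.*"  # RegStringValue!=*\\AppData\\Local\\Temp\\*.*
SERVICES = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\*"

def _like(value, pattern):
    # case-insensitive wildcard match, like a field=*glob* term in the query
    return fnmatch.fnmatchcase(str(value or "").lower(), pattern.lower())

def classify(ev):
    """Return the name of the detection an event satisfies, or None."""
    kind = ev.get("event_simpleName")
    intel_in_temp = (str(ev.get("OriginalFilename", "")).lower() == "iqvw64.sys"
                     and _like(ev.get("FilePath"), TEMP_DIR))
    if kind == "PeFileWritten" and intel_in_temp:
        return "PeFileWritten"
    if (kind == "DriverLoad" and intel_in_temp
            and str(ev.get("CertificateThumbprint", "")).lower() == NVIDIA_THUMBPRINT):
        return "DriverLoad"
    if (kind == "AsepValueUpdate" and ev.get("RegValueName") == "ImagePath"
            and _like(ev.get("RegObjectName"), SERVICES)
            and _like(ev.get("RegStringValue"), TEMP_ANY)
            # the query's != term drops ImagePath values that carry a file extension
            and not _like(ev.get("RegStringValue"), TEMP_WITH_EXT)):
        return "AsepValueUpdate"
    return None

def hunt(events):
    """Return (host, detection) pairs for every event that matches."""
    return [(ev.get("ComputerName", "?"), hit) for ev in events if (hit := classify(ev))]

# Constructed sample telemetry (not real events) for a hypothetical host WS01.
TEMP = "\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "event_simpleName": "PeFileWritten",
     "OriginalFilename": "iQVW64.SYS", "FilePath": TEMP},
    {"ComputerName": "WS01", "event_simpleName": "DriverLoad", "FilePath": TEMP,
     "OriginalFilename": "iQVW64.SYS", "CertificateThumbprint": NVIDIA_THUMBPRINT},
    {"ComputerName": "WS01", "event_simpleName": "AsepValueUpdate",
     "RegValueName": "ImagePath",
     "RegObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\hi",
     "RegStringValue": "C:\\Users\\alice\\AppData\\Local\\Temp\\hi"},
]
```

Note that the ImagePath exclusion is reproduced exactly as the query states it, so an ImagePath under Temp that carries an extension is not reported.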


Tyler Frederick
Manager

Tyler oversees security engineering and advanced response services for the 24x7x365 CyberSOC, including forensics, incident response, threat hunting and threat intelligence, purple teams, and platform engineering. He has extensive experience developing advanced SIEM and EDR correlation logic, conducting purple team assessments, leading incident response activities, and automating security operations.

Tyler is a graduate of Penn State University, holding a Master's degree in information sciences and technology (IST), as well as degrees in cybersecurity, computer science, and information systems.

Prior to joining SRA, Tyler worked as an IT manager and system administrator and brings with him an understanding of the challenges involved with implementing and managing security controls in enterprise networks.

Greg Stachura
Senior Manager, GCFA, CISSP and Security+

Greg focuses on Incident Response and the Cyber Security Operations Center. Greg has experience managing SIEM, as well as orchestration and automations platforms. He also has extensive background in Incident Response playbook development, forensics and log analysis. Prior to joining Security Risk Advisors, Greg worked extensively in the financial, healthcare and education sectors.