Puzzle is a set of PoCs and utilities that make it possible to abuse functionality provided by several Windows minifilters when executing malware in monitored environments. The main concept of this repository is to demonstrate how, by abusing the Windows minifilter architecture and the different load altitudes of these devices, we can achieve a certain level of stealth and concealment as attackers when dropping and executing malware during a Red Team exercise.
The different "puzzle pieces" available in this repository are described below:
- SyncProvider: project that abuses the Cloud Filter API functionality provided by the `CldFlt` minifilter to write malware to disk without it being statically analyzed.
- WOFProvider: solution that uses the wofapi functionality provided by the `Wof` minifilter to designate a WIM file as an external data source. It provides functionality similar to SyncProvider.
- BindLinks: solution that allows creating and removing bindlinks, functionality provided by the `bindflt` minifilter. It adds a concealment layer to make malware harder to analyze at runtime.
- IdMapper: solution that makes it easier to load and execute binaries hidden behind a bindlink through their FRN (File Reference Number).
- Scripts: folder with Python scripts that provide utilities to execute the techniques described in this repository.
- Utils: Rust solution that provides utilities complementary to those in the Scripts folder.
The three main projects (SyncProvider, BindLinks, and WOFProvider) have their own documentation in addition to this general repository description. It is strongly recommended to read those three README files beforehand, in that same order, to understand the full concept behind this repository and the recommended way to combine the different solutions present here.
The code in this repository has been tested on Windows 10 and 11, as well as the corresponding versions of Windows Server. The three minifilters mentioned should be present in virtually all builds, but you can always verify their presence using the fltmc command.
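A defender-side companion to the `fltmc` check just mentioned: the following Python script is an added example, not code from the Puzzle repository. It parses the text that `fltmc filters` prints, confirms whether the three minifilters above are loaded, and places each of them above or below a reference filter's altitude (assumed here to be `WdFilter`, the Microsoft Defender minifilter; pass another name for a different product). The embedded sample output is constructed, and its altitude values are illustrative, modeled on Microsoft's published allocations rather than captured from a host.

```python
"""Parse `fltmc filters` output and position the CldFlt, Wof and bindflt
minifilters relative to a reference (endpoint security) filter's altitude.

Added example; not part of the Puzzle repository. The sample output below is
constructed, not captured from a real machine.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample of `fltmc filters` output. Altitudes mirror Microsoft's
# published allocations for these filters, but treat them as illustrative.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1         409800         0
WdFilter                               10         328010         0
storqosflt                              0         244000         0
wcifs                                   0         189900         0
CldFlt                                  0         180451         0
FileCrypt                               0         141100         0
luafv                                   1         135000         0
npsvctrig                               1          46000         0
Wof                                     9          40700         0
FileInfo                               11          40500         0
"""

# The three minifilters the Puzzle pieces rely on, spelled as fltmc prints them.
PUZZLE_FILTERS = ("CldFlt", "Wof", "bindflt")

# One data row: name, instance count, altitude, frame ("<Legacy>" for legacy filters).
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)$")


def parse_fltmc(output: str) -> Dict[str, Tuple[int, float, str]]:
    """Return {filter_name: (instances, altitude, frame)}; header lines are skipped."""
    filters: Dict[str, Tuple[int, float, str]] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, instances, altitude, frame = m.groups()
            filters[name] = (int(instances), float(altitude), frame)
    return filters


def find(filters: Dict[str, Tuple[int, float, str]], name: str) -> Optional[str]:
    """Case-insensitive lookup, since fltmc's casing is not always consistent."""
    for key in filters:
        if key.lower() == name.lower():
            return key
    return None


def check_presence(filters, names=PUZZLE_FILTERS) -> Dict[str, bool]:
    """Which of the named minifilters are currently loaded."""
    return {n: find(filters, n) is not None for n in names}


def altitude_order(filters, reference: str) -> Tuple[List[str], List[str]]:
    """Split loaded filters into those above and below `reference`, each sorted
    highest altitude first. Pre-operation callbacks run from the highest altitude
    down, so a filter above the reference sees an I/O request before it does."""
    ref = find(filters, reference)
    if ref is None:
        raise ValueError(f"reference filter {reference!r} is not loaded")
    ref_alt = filters[ref][1]
    ordered = sorted(filters, key=lambda n: filters[n][1], reverse=True)
    above = [n for n in ordered if filters[n][1] > ref_alt]
    below = [n for n in ordered if filters[n][1] < ref_alt]
    return above, below


def report(output: str, reference: str = "WdFilter") -> Dict[str, str]:
    """For each Puzzle minifilter: 'missing', 'above' or 'below' the reference."""
    filters = parse_fltmc(output)
    above, _below = altitude_order(filters, reference)
    result = {}
    for n in PUZZLE_FILTERS:
        key = find(filters, n)
        if key is None:
            result[n] = "missing"
        else:
            result[n] = "above" if key in above else "below"
    return result


def live_fltmc_output() -> str:
    """Run `fltmc filters` on a Windows host; fltmc needs an elevated prompt."""
    return subprocess.run(["fltmc", "filters"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    text = live_fltmc_output() if sys.platform == "win32" else SAMPLE_FLTMC_OUTPUT
    loaded = parse_fltmc(text)
    print("present:", check_presence(loaded))
    try:
        print("relative to WdFilter:", report(text))
    except ValueError as exc:
        print(exc)
```

On the constructed sample, `bindflt` is the only filter above the reference altitude while `CldFlt` and `Wof` sit below it; running the script elevated on a real host shows the same ordering for whichever security product's minifilter you name as the reference, which is the first thing to establish when assessing what that product can observe.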
The repository provides two build scripts: build.cmd and build.ps1. Both scripts compile all Rust solutions at once through the cargo utility (the Rust environment must be installed on the machine beforehand). The compiled binaries are stored in a bin folder at the repository root:
C:\Path\To\Puzzle> build.cmd clean # Clean all previous builds, if any
C:\Path\To\Puzzle> build.cmd build release # Build all Rust solutions in release mode
SyncProvider (admin required: No)
SyncProvider is a malicious sync engine that uses the Cloud Filter API to drop malware to disk. This solution allows writing malware to disk without it being statically analyzed and, in some cases, also makes it possible to evade part of the dynamic analysis performed by some endpoint security solutions when executing the payload.
For details about how the tool works and how it is intended to be used, first read the README for this solution, and then the documentation for the BindLinks project.
BindLinks (admin required: Yes)
This project allows creating and removing bindlinks. As documented in the solution README, we can use this functionality to add an additional concealment layer to our malware, allowing it to go unnoticed during execution and preventing its content from being scanned.
Using this solution is recommended regardless of whether SyncProvider or WOFProvider is used to write the malware to disk, since it supplies the additional concealment layer in either case.
WOFProvider (admin required: Yes)
This solution uses wofapi to set a WIM file as an external data source, thereby allowing malware to be dropped to disk without being statically analyzed. To execute the payload dropped through this method, it is essential to establish a bindlink that allows hiding it at runtime.
- https://www.elastic.co/security-labs/immutable-illusion
- https://github.com/bitdefender/bindutil-toolset
- https://www.microsoft.com/en-us/download/details.aspx?id=13096
- https://www.microsoft.com/en-us/security/blog/2022/06/30/using-process-creation-properties-to-catch-evasion-techniques/
- https://learn.microsoft.com/en-us/windows/win32/api/_cloudapi/
- https://learn.microsoft.com/en-us/windows/win32/api/bindlink/
- https://learn.microsoft.com/en-us/windows/win32/api/wofapi/