2.1.3. Shellcode detect engine

2.1.3.1. Introduction

2.1.3.1.1. For what types of threats is this engine designed?

The Shellcode Detect engine allows the detection and analysis of shellcodes.

A Shellcode is a binary code designed to be injected and executed into a program by exploiting a vulnerability.
Similar to a miniature malware, its goal is usually to take control of the infected system, but any type of action can be performed.
Shellcodes often have many constraints related to the exploited vulnerability (limited size, forbidden bytes, ...).
Thus, an attacker will generally use it to "get a foot in the door", before moving on to more advanced techniques.
A Shellcode can be used to open a backdoor on the machine, to let the attacker act live, or download directly in memory a malware and run it.

A Shellcode can also be obfuscated, "encoded", to avoid being detected by patterns, but while remaining executable as is.
It must be able to self-decode, we then speak of polymorphism.
There are many encoding algorithms for shellcodes on the internet, more or less complex.
Due to its nature, shellcode is difficult to detect:

Not a file
It is directly executed in memory in a healthy program
Its small size reduces pattern possibilities for detection
May be obfuscated to avoid pattern detection

A shellcode can also be used in a malware in order to blur the tracks during an antivirus scan.

2.1.3.1.2. How does this particular engine detect threats?

Shellcode detection is done in several steps:

The first step is to analyze the samples for shellcode encodings.

Indeed, these algorithms are specific to shellcodes, they cannot be found in another context.

This process allows accurate and indisputable identification of shellcodes.
If one or more encodings are identified, the shellcode is extracted and sent to the analysis step.
If no encoding has been identified, the sample goes through a thorough indicator search.

This process will perform an intelligent, emulation-based search to try to identify a typical shellcode behaviour.
The last step is to analyze the identified shellcode in order to validate the detection, and extract as much information as possible.

This process will perform full shellcode emulation and record all system functions called.

2.1.3.1.3. How does Shellcode Detect engine work in the GCenter?

The engine:

Retrieves events sent by the GCap (for further details see Shellcode Detect engine input data)
Analyzes these events (for further details see How does this particular engine detect threats?)
Generates alerts (for further details see Events generated)

2.1.3.1.3.1. Shellcode Detect engine input data

Any packet passing through the network will undergo a search for smart patterns to identify those that may contain a shellcode.
These packages are then extracted and sent to the GCenter for further analysis by the Shellcode Detect engine.
Once the analysis is completed, if a shellcode has been identified, an alert is raised with all the information collected.

Note

Currently, only shellcodes for Linux and Windows machines, under Intel x86 and x64 architecture, are detected.

Encoding identification will only be possible for a defined set of algorithms, but this will not prevent the detection of shellcodes whose encoding could not be identified.
Detection of shellcodes embedded in malware is possible and will follow the same scanning path, but will not work if they are "hidden" (encryption, compression, ...) since it would require a dynamic analysis of the malware itself.

In order for the engine to be operational, a first update of the "Threat DB" will have to take place.

2.1.3.2. Events generated

Events generated by the Shellcode detect engine are alerts only.

These are displayed:

In the main interface named WebUI on the GCenter in the `Alerts` screen

The main interface named WebUI is described in the Overview of the WEB UI.
- To display only these alerts, select the `Shellcode` engine filter.
  
  See the presentation of the WebUI `Alerts` screen.
- Click on the selected alert.
  
  The `Alert details` window is displayed.
  
  The detailed information of this alert is displayed in Example of a Shellcode alert in the WebUI.
  
  The displayed counters are given in the Engine log data structure appendix.
In the interface named Kibana UI
- Click on the `Hunting` icon of the `WebUI`.
  
  The interface displayed is the interface named Kibana UI (described in Overview of the Kibana GUI).
- Click on the `Shellcode` tab (2) of the `Alerts` category (1).
- Select the `Overview` tab (3).
- Select the time range (4) to display data.
  
  It is then possible to filter on certain values for, for example:
  - Do not display healthy machines (filter false positives)
  - Show only alerts from a particular IP
  - Do not display alerts from a specific GCap
To consult information about a specific alert:
- Click on the toggle icon (1) on the left of the Alert.
  
  The expanded document (2) is displayed.
  
  The detailed information of this alert can be viewed in table or json format (see the Shellcode log data structure).
  
  The displayed counters are given in the Engine log data structure appendix.

2.1.3.2.1. Example of a Shellcode alert in the WebUI

The presentation of the `Alert details` window is given in the `Alert details` window.

The counters are given in the Engine log data structure appendix.

2.1.3.2.2. Shellcode log data structure

The logs are composed of different parts:

The header part
The source part defined by "_source"
The field part defined by "_fields"

This information is displayed In the `Expanded document` screen of Kibana.

2.1.3.2.2.1. The header part of the Shellcode logs

The header section contains:

"_index": "engines_alerts-2024.12.04-000030",
"_id": "BqIIkpMBe7GX5B2fdvZJ",
"_version": 1,
"_score": 0,

The detailed information is given in the table (Counters of the header part of logs).

2.1.3.2.2.2. The source part of the Shellcode logs

The source part defined by "_source" contains:

Note

The data displayed on the WebUI (alerts details window) is a part of the data displayed on the `Extended document` screen on the Kibana interface.
All data can be exported to a SIEM via syslog (an example of an exported alert is shown).
The detailed information is given in the table (Counters of the header part of logs).

The example given here is a Kibana example.

"event": {
  "created": "2024-12-04T14:17:28.138941+0000",
  "dataset": "alert",
  "severity": 1,
  "module": "shellcode_detect",
  "kind": "alert",
  "category": [
    "network",
    "intrusion_detection"
  ],
  "id": "f22d2438-d436-4391-9e7d-3fe1321ebed0"
},
"@version": "1",
"destination": {
  "port": 9999,
  "ip": "X.Y.Z.A"
},
"source": {
  "port": 33390,
  "ip": "W.S.Q.E"
},
"observer": {
  "log_format_version": "1.0.0",
  "hostname": "gcenter.domain.local",
  "vendor": "gatewatcher",
  "gcap": {
    "ingress": {
      "interface": {
        "name": "monvirt"
      }
    },
    "hostname": "gcap.gatewatcher.com",
    "version": "2.5.4.0"
  },
  "product": "gcenter",
  "uuid": "fc1e66e3-a397-5eb4-9277-754be778f317",
  "version": "2.5.3.103"
},
"ecs": {
  "version": "8.6.0"
},
"shellcode": {
  "sample_id": "12-04-2024T14:17:25_92517a8550cf4130b23466244880c1c7_gcap-int-129-dag.gatewatcher.com",
  "analysis": [
    {
      "args": "{'pathname': '//etc/passwd', 'flags': 'O_WRONLY|O_APPEND', 'mode': 'None'}",
      "_id": 0,
      "call": "sys_open",
      "ret": "4"
    },
    {
      "args": "{'fd': '//etc/passwd (4)', 'buf': 'bob::0:0::/://bin/sh', 'count': 20}",
      "_id": 1,
      "call": "sys_write",
      "ret": "20"
    },
    {
      "args": "{'fd': '//etc/passwd (4)'}",
      "_id": 2,
      "call": "sys_close",
      "ret": "0"
    },
    {
      "args": "{'status': 4}",
      "_id": 3,
      "call": "sys_exit",
      "ret": "0"
    },
    {
      "info": "Stop : End of shellcode (Exit)",
      "_id": -1
    }
  ],
  "sub_type": "Linux_x86_32",
  "encodings": [
    {
      "name": "Shikata_ga_nai",
      "count": 1
    }
  ],
  "id": "8ae5f9d35f3878cac3064fe93e4c311d"
},
"@timestamp": "2024-12-04T14:17:28.138Z",
"network": {
  "protocol": "unknown",
  "transport": "tcp",
  "timestamp": "2024-12-04T14:16:12.828909+0000",
  "flow_id": 1134126449059384

2.1.3.2.2.3. List of counters of the alert

Note

The alert counters are visible:

In the `Alert details` screen of the WebUI
In the `Expanded document` screen of Kibana
In the export to the SIEM

The detailed information is given in the table (Counters of the source part of logs).

2.1.3.3. Management of the engine

2.1.3.3.1. Viewing the engine status

The current engine status is displayed in the `Health checks` screen.

2.1.3.3.2. Engine update

The engine is updated with each new version of the GCenter.

2.1.3.3.3. Engine configuration

The configuration interface enables to activate the engine:

See the description of the `Shellcode detect` screen (Shellcode command)
See the Setting up the Shellcode detect engine procedure.

2.1.3.4. Alert Analysis

The alerts are displayed on a specific screen: this screen is described in the WebUI `Alerts` screen.
The general procedure for analyzing alerts is described in Using of NDR dashboards.
The specific procedure for analyzing Shellcode detect alerts is described in the Analyzing the Shellcode detect alerts.