Sneaky Shellcode: Windows Fibers Offer EDR-Proof Code Execution

April 18, 2024 at 04:41AM

Windows fibers are a little-known code-execution pathway in the Windows OS that an attacker who already has code running on a host can use to execute a payload stealthily. A fiber is a user-mode execution context that lives inside a thread and is switched cooperatively by the application itself, never by the kernel scheduler, so the kernel-side telemetry most security products rely on does not see it. Adversarial techniques built on this under-the-radar status are now being developed, which makes fibers a concern for security teams.

Key takeaways:

– Windows fibers are a little-known, though documented, Win32 mechanism (ConvertThreadToFiber, CreateFiber, SwitchToFiber) that exists exclusively in user mode and is overlooked by endpoint detection and response (EDR) platforms.
– Fibers are an alternative to the standard threads that Windows uses to execute OS or application code. A fiber is a lighter unit of execution than a thread: it runs inside a host thread, only one fiber runs per thread at a time, and switching between fibers is a user-mode register and stack swap with no kernel transition. They were introduced mainly to ease porting of applications that already did their own cooperative scheduling.
– Because creating or switching to a fiber creates no new thread and touches no kernel object, it produces none of the thread-creation telemetry that EDR platforms and antivirus engines traditionally key on. Security teams rarely look at fibers at all, which makes them an effective stealth avenue for executing malicious code.
– New proof-of-concept (PoC) attacks using fibers, such as Phantom Thread and Poison Fiber, have been developed to improve on existing malicious fiber techniques.
– Fibers give attackers an execution method that sidesteps traditional telemetry sources, and they are all the more valuable because they receive little attention from the security community.
– Defenders should deploy mature EDR products and test them continually against emerging techniques such as fiber-based execution, and should track the open-source fiber techniques in use in the wild so that detections can be built for them.
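One check a defender can run today, added here as an example that is not part of the article and is not the researchers' tooling: a PowerShell hunting helper that walks every thread of a process, reads its Thread Environment Block (TEB) and reports the threads whose HasFiberData flag is set, the flag ConvertThreadToFiber sets and that fiber-unaware EDRs never inspect. The `FiberProbe` class and `Get-FiberThread` function are names chosen for this example. The TEB field offsets (0x20 for NtTib.FiberData, 0x17EE for SameTebFlags, bit 0x4 for HasFiberData) are for x64 Windows, come from public reversing of ntdll rather than from documentation, and should be verified against the build you run this on. It needs PROCESS_VM_READ on the target, so run it elevated for processes you do not own.

```powershell
# Added hunting helper (example code, not from the article): report threads in a process
# whose TEB says they have been converted to fibers. x64 only; offsets are undocumented.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class FiberProbe
{
    // THREAD_BASIC_INFORMATION as returned by NtQueryInformationThread class 0.
    [StructLayout(LayoutKind.Sequential)]
    public struct THREAD_BASIC_INFORMATION
    {
        public int    ExitStatus;
        public IntPtr TebBaseAddress;
        public IntPtr UniqueProcess;
        public IntPtr UniqueThread;
        public IntPtr AffinityMask;
        public int    Priority;
        public int    BasePriority;
    }

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr hThread, int infoClass,
        ref THREAD_BASIC_INFORMATION info, int length, out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr address,
        byte[] buffer, IntPtr size, out IntPtr bytesRead);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
'@

function Get-FiberThread {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$ProcessId)

    if (-not [Environment]::Is64BitProcess) {
        throw 'Run from 64-bit PowerShell: the TEB offsets below are for x64.'
    }

    # x64 TEB layout (undocumented; assumption from public reversing of ntdll, verify on your build).
    $OffFiberData    = 0x20    # TEB.NtTib.FiberData -> current _FIBER once the thread is converted
    $OffSameTebFlags = 0x17EE  # TEB.SameTebFlags (USHORT bitfield)
    $HasFiberData    = 0x0004  # SameTebFlags.HasFiberData, set by ConvertThreadToFiber
    $TebReadLength   = 0x1800  # covers SameTebFlags; the x64 TEB is 0x1838 bytes

    $PROCESS_VM_READ = 0x0010; $PROCESS_QUERY_INFORMATION = 0x0400; $THREAD_QUERY_INFORMATION = 0x0040

    $hProc = [FiberProbe]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        Write-Warning "OpenProcess($ProcessId) failed: $([ComponentModel.Win32Exception]::new().Message)"
        return
    }
    try {
        foreach ($thread in (Get-Process -Id $ProcessId).Threads) {
            $hThread = [FiberProbe]::OpenThread($THREAD_QUERY_INFORMATION, $false, [uint32]$thread.Id)
            if ($hThread -eq [IntPtr]::Zero) { continue }
            try {
                # Locate this thread's TEB in the target process.
                $tbi    = New-Object -TypeName 'FiberProbe+THREAD_BASIC_INFORMATION'
                $retLen = 0
                $status = [FiberProbe]::NtQueryInformationThread($hThread, 0, [ref]$tbi,
                              [Runtime.InteropServices.Marshal]::SizeOf($tbi), [ref]$retLen)
                if ($status -ne 0 -or $tbi.TebBaseAddress -eq [IntPtr]::Zero) { continue }

                # Copy the TEB out and test the HasFiberData bit.
                $teb  = New-Object byte[] $TebReadLength
                $read = [IntPtr]::Zero
                if (-not [FiberProbe]::ReadProcessMemory($hProc, $tbi.TebBaseAddress, $teb,
                        [IntPtr]$TebReadLength, [ref]$read)) { continue }

                $flags = [BitConverter]::ToUInt16($teb, $OffSameTebFlags)
                if (($flags -band $HasFiberData) -eq 0) { continue }

                [pscustomobject]@{
                    ProcessId    = $ProcessId
                    ThreadId     = $thread.Id
                    Teb          = '0x{0:X}' -f $tbi.TebBaseAddress.ToInt64()
                    CurrentFiber = '0x{0:X}' -f [BitConverter]::ToInt64($teb, $OffFiberData)
                    StartAddress = '0x{0:X}' -f $thread.StartAddress.ToInt64()
                }
            } finally { [void][FiberProbe]::CloseHandle($hThread) }
        }
    } finally { [void][FiberProbe]::CloseHandle($hProc) }
}

# Usage: sweep every process you can open and list fiber-converted threads.
Get-Process | ForEach-Object { Get-FiberThread -ProcessId $_.Id } | Format-Table -AutoSize
```

A hit is a lead, not a verdict: SQL Server in fiber mode, some game engines and coroutine libraries use fibers legitimately, so baseline your estate before alerting on the flag. The natural next triage step, left out here, is to read the _FIBER structure at CurrentFiber, whose saved CONTEXT holds the fiber's instruction and stack pointers, and check with VirtualQueryEx whether they fall inside an image-backed region rather than private or unbacked memory.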