From Dead Data to Digestion: Extracting Windows Fibers for Your Digital Forensics Diet
Discover the hidden world of Windows fibers and their potential for malicious activity and detection by threat hunters.
- Fibers are mini-threads that can be used to evade detections and are currently not well understood by many threat hunters and blue teams.
- Fiber local storage (FLS) is a data structure that stores various types of data and callbacks, which can be used to evade traditional detections.
- Fibers can be abused by attackers to evade traditional detections, and telemetry can be collected on them. One example is Weetabix, a tool that detects and extracts fiber data.
- It’s important to identify and analyze fiber data to detect potential malicious activity, as it can be used to evade traditional detections and collect telemetry.
- Fibers are created using the CreateFiber function, which takes a callback function and a context as arguments.
- Fiber data is stored in the TEB (Thread Environment Block), where it is accessed using the FLS (Fiber Local Storage) indexes.
- Fiber data can be extracted from memory by analyzing the heap entries and identifying the fiber local storage indexes.
- Fibers can be used to create novel telemetry, which can be used to detect potential malicious activity.
- Threat hunters should be aware of fibers and their potential to evade traditional detections, and should adapt their techniques to account for this.
- Windows fibers can be used to create novel detections, which can be used to detect potential malicious activity.
- Fibers are a relatively rare and not well-understood concept, making them a potentially valuable target for reconnaissance and exploitation.