Sneaky Shellcode: Windows Fibers Offer EDR-Proof Code Execution

BLACK HAT ASIA – Singapore – Windows fibers, little-known components of Windows OS, represent a largely undocumented code-execution pathway that exists exclusively in user mode — and is therefore largely overlooked by endpoint detection and response (EDR) platforms. As such, it's possible for attackers to exploit them to stealthily land on PCs and deploy malicious payloads.

That's according to Daniel Jary, an independent security researcher, who laid out two new proof-of-concept (PoC) attacks using fibers in a session at Black Hat Asia on Thursday.

Fibers are an alternative to the standard "threads" that Windows uses to execute code from the OS or an application, he explains.

"Threads are like workers, essentially, within a Windows process or an application, and traditionally, they've always been the way that you'd execute code and get things done," he tells Dark Reading. "But there's a more niche way of doing it, through fibers."

Fibers: A Forgotten & Overlooked Windows OS Pathway

Fibers, when used, exist within threads — they're essentially smaller, more lightweight versions of the bigger thread concept. Fibers were initially developed at a time when CPUs had fewer cores available to them and could accommodate only so many threads. At a high level, the smaller were a way to expand capacity, by allowing developers to split up workloads within a single thread and make processes more efficient.

"But as computers became more powerful, with more memory to play with, fibers became somewhat redundant in the vast majority of scenarios," Jary explains. "That's why a lot of people really haven't heard about them and they're a bit obscure, but they do serve a few purposes for some old legacy applications and a way to port programs from other operating systems over to Windows. And some Windows processes themselves actually still use fibers."

Thus, fibers enjoy the dubious honor of being both a core Windows function and an overlooked one by security teams. To boot, Jary notes that traditional detection mechanisms in EDR platforms and antivirus engines tend to ignore them — making them a perfect stealth avenue to execute malicious code.

"Threads are heavily monitored by EDR agents, which look at syscalls and kernel mode callbacks to capture telemetry and send it to a rules engine to generate detection," Jary says. "But fibers exist purely in user mode and don't show up in kernel collection, so their telemetry is not actually getting recorded by EDRs."

Some open source techniques already exist to take advantage of fibers' under-the-radar status. A PoC from 2022, for instance, details a method for hiding malicious shellcode inside a fiber, thus evading the majority of AV engines.  

Others have created methods for callstack masking, which enables attackers to hide a malicious execution pathway within a thread — in this case, a fiber — behind a different, dormant fiber that's benign, also evading detection. The technique takes advantage of the fact that if fibers are in use, there's always an active fiber, then a dormant fiber that it switches off with. This masking capability that was added into Cobalt Strike's Artefact Kit in 2022.

New Frontiers in Malicious Fiber Execution

Jary set off to explore whether it's possible to improve on existing malicious fiber techniques, and came up with two new PoCs, dubbed Phantom Thread and Poison Fiber.

Existing adversarial fiber methods have certain disadvantages for attackers: Some indicators could still be used for EDR detection, and the maliciousness isn't hidden from inline event-based callstack collection. Any collection of dormant fibers, for which several techniques exist, would remove callstack masking.

Phantom Thread is a next-gen callstack masking approach that removes the ability of memory scans to target fibers by having those fibers masquerade as threads. This involves creating a fiber, then patching it so that it self-identifies as a thread. Then it becomes possible to remove any fiber callstack indicators and essentially hide the fibers from any scanning altogether.

The second PoC, Poison Fiber, enumerates any running Windows processes, looking at threads in use and then whether any of those threads are using fibers. Then "it presents you with an opportunity to inject your payload or your shellcode into a dormant fiber," Jary explains.

"You can only one run one fiber per thread at any one time, which means you always have another dormant fiber parked somewhere else on the stack," he says. "When we execute our code using Poison Fiber, this injects our code into a dormant fiber, so we don't have to suspend the thread in order to inject the shellcode, which is a huge indicator for malicious activity. And because we've injected the payload into a dormant fiber, then the application triggers the execution for us, and we don't initiate the execution ourselves." The technique has an added benefit of allowing remote code execution (RCE) as well.

Wake Up to Fiber's Adversarial Potential

While they remain somewhat obscure, fibers should be on security teams' list of attack vectors, warns Jary, who has not yet released his evolved PoCs or granular details on the methods publicly. He reasons that it's only a matter of time before others find ways of overcoming drawbacks in existing open source fiber execution methods.  

"Fiber's alternate execution method is valuable to attackers because it helps us sidestep traditional telemetry sources that we get with threads, in particular kernel callbacks," he says. "Fibers aren't a privilege escalation tactic, and they aren't a user access control (UAC) bypass. But it does allow a payload delivery that gets a lot less spotlight and attention from the security community. Fibers are really simple to implement, but they're harder to detect. So that makes them perfect for any script kiddie to use to attack businesses."

Jary advises implementing mature EDR products that can be continually tested against emerging techniques like these.

"Talk to your red teamers about open source fiber methods that are being used in the wild," he says. "Do some research to see what attackers are having joy with, what's popular in the wild, then feed that back into your research team and your EDR product developers. That's going to help build better defenses and probably make your threat hunters' lives a little bit easier as well."