Windows fibers, little-known components of the Windows operating system, represent a largely undocumented code execution path that exists exclusively in user mode and is therefore largely overlooked by endpoint detection and response (EDR) platforms. As a result, attackers can exploit them to land stealthily on PCs and deploy malicious payloads.
This is according to Daniel Jary, an independent security researcher, who outlined two new proof-of-concept (PoC) attacks using fibers in a session at Black Hat Asia on Thursday.
Fibers are an alternative to the standard “threads” that Windows uses to run operating system or application code, he explains.
“Threads are essentially like workers, inside a Windows process or application, and have traditionally always been how you ran code and got things done,” he tells Dark Reading. “But there’s a more niche way to do it, through fibers.”
Fiber: A forgotten and overlooked Windows operating system path
Fibers, when used, exist within threads – they are essentially smaller, lighter versions of the larger thread concept. Fibers were first developed at a time when CPUs had fewer cores available and could only accommodate a certain number of threads. At a high level, fibers were a way to expand capacity, allowing developers to split workloads within a single thread and make processes more efficient.
“But as computers became more powerful, with more memory to play with, fibers became somewhat redundant in the vast majority of scenarios,” Jary explains. “And that’s why a lot of people haven’t really heard of them and they’re a little obscure, but they serve some purposes for some old legacy applications and a way to port programs from other operating systems onto Windows. And some Windows processes themselves still use fibers.”
As such, fibers enjoy the dubious honor of being both a core feature of Windows and a feature overlooked by security teams. What’s more, Jary notes that traditional detection mechanisms in EDR platforms and antivirus engines tend to ignore them, making them a perfect stealthy route to execute malicious code.
“Threads are heavily monitored by EDR agents, which examine system calls and kernel-mode callbacks to capture telemetry data and send it to a rules engine to generate detection,” explains Jary. “But the fibers exist exclusively in user mode and don’t show up in the kernel collection; so their telemetry isn’t actually recorded by the EDRs.”
There are already some open source techniques for exploiting the hidden state of fibers. A 2022 PoC, for example, details a method for hiding malicious shellcode inside a fiber, thus evading most AV engines.
Others have created methods for call stack masking, which allows attackers to hide a malicious execution path within a thread, in this case a fiber, behind a different, dormant, benign fiber, while also avoiding detection. The technique takes advantage of the fact that if fibers are in use, there is always an active fiber, then a dormant fiber with which it switches off. This cloaking ability was added to the Cobalt Strike Artifact Kit in 2022.
New frontiers in the execution of harmful fibers
Jary began exploring whether it was possible to improve on existing malicious fiber techniques and came up with two new PoCs, dubbed Phantom Thread and Poison Fiber.
Existing adversarial fiber methods have some disadvantages for attackers: some indicators could still be used for EDR detection, and the threat is not hidden from online event-based call stack collection. Additionally, any collection of dormant fibers, for which several techniques exist, would remove call stack masking.
Phantom Thread is a next-generation call stack masquerading approach that removes the ability of memory scans to target fibers, causing those fibers to masquerade as threads. This involves creating a fiber, then patching it so that it identifies itself as a thread. Then, it becomes possible to remove any fiber call stack indicators and essentially hide the fibers from any scans altogether.
The second PoC, Poison Fiber, enumerates all running Windows processes, examining which threads are in use and then whether any of these threads are using fibers. So, “it gives you the opportunity to inject your payload or your shellcode into a dormant fiber,” Jary explains.
“You can only run one fiber per thread at a time, which means you always have another dormant fiber parked somewhere else in the stack,” he says. “When we run our code using Poison Fiber, it puts our code into a dormant fiber, so we don’t have to suspend the thread to inject the shellcode, which is a huge indicator of malicious activity. And, because we… We injected the payload in a dormant fiber, so the application starts execution for us and we don’t start execution.” The technique has the added benefit of also allowing remote code execution (RCE).
Wake up to fibers’ adversarial potential
While they remain somewhat obscure, fibers should be on security teams’ list of attack vectors, warns Jary, who has not yet publicly released his evolved PoCs or granular details about the methods. He says it’s only a matter of time before others find ways to overcome the drawbacks of existing open source fiber execution methods.
“Fiber’s alternative execution method is valuable to attackers because it helps us evade traditional sources of telemetry that we get with threads, especially kernel callbacks,” he says. “Fibers are not a privilege escalation tactic; and they are not a user access control (UAC) bypass. But they enable payload distribution that receives far less spotlight and attention from the security community. Fibers are really simple to implement, but are harder to detect, so they’re perfect for any script kiddie to use to attack companies.”
Jary recommends implementing mature EDR products that can be continually tested against emerging techniques such as these.
“Talk to your red collaborators about open-source fiber methods that are used in nature,” he says. “Do some research to see what attackers like, what’s popular out there, then provide that to your research team and EDR product developers. This will help build better defenses and will probably make threat hunters’ lives a little bit easier.”
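
One place to start that research is an inventory of which binaries on a host reference the documented fiber APIs at all, so that the few legitimate fiber users form a baseline. The sketch below is an added example, not code from Jary or from the article; the API names are the documented kernel32 fiber functions, while the file paths, sample byte strings and role grouping are constructed for illustration.

```python
import re

# Documented kernel32 fiber APIs, grouped by their role in a fiber's lifecycle.
FIBER_APIS = {
    "convert": {"ConvertThreadToFiber", "ConvertThreadToFiberEx"},
    "create": {"CreateFiber", "CreateFiberEx"},
    "switch": {"SwitchToFiber"},
    "teardown": {"DeleteFiber", "ConvertFiberToThread"},
    "query": {"IsThreadAFiber"},
}
ALL_NAMES = {n for names in FIBER_APIS.values() for n in names}
# Import names are NUL-terminated ASCII. Matching whole identifiers keeps
# "CreateFiber" from being counted inside "CreateFiberEx".
IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{3,63}(?=\x00)")

def fiber_api_refs(image: bytes) -> set:
    """Return the fiber API names that appear as whole strings in the image."""
    names = (m.group().decode("ascii") for m in IDENT.finditer(image))
    return {n for n in names if n in ALL_NAMES}

def triage(image: bytes) -> dict:
    """Summarise which lifecycle roles a binary references."""
    refs = fiber_api_refs(image)
    roles = {role for role, names in FIBER_APIS.items() if names & refs}
    # Scheduling a fiber needs all three: the thread converts itself,
    # creates a second fiber, then switches to it.
    return {"apis": sorted(refs), "roles": sorted(roles),
            "can_schedule": {"convert", "create", "switch"} <= roles}

def outside_baseline(images: dict, baseline: set) -> list:
    """Paths that can schedule fibers but are not known fiber users."""
    return sorted(p for p, img in images.items()
                  if p not in baseline and triage(img)["can_schedule"])

# Constructed sample data (hypothetical paths), shaped like import name tables.
SAMPLES = {
    r"C:\apps\legacy_db.exe": b"\x10\x00ConvertThreadToFiber\x00\x11\x00CreateFiber\x00\x12\x00SwitchToFiber\x00\x13\x00DeleteFiber\x00",
    r"C:\apps\editor.exe": b"\x20\x00CreateFileW\x00\x21\x00IsThreadAFiber\x00",
    r"C:\temp\updater.exe": b"\x30\x00ConvertThreadToFiberEx\x00\x31\x00CreateFiberEx\x00\x32\x00SwitchToFiber\x00",
}
BASELINE = {r"C:\apps\legacy_db.exe"}

if __name__ == "__main__":
    for path in outside_baseline(SAMPLES, BASELINE):
        print(path, triage(SAMPLES[path])["apis"])
```

A packed image, or one that does not store the API names as plain strings, will not show up here, so the result is an inventory of ordinary fiber users to hand to threat hunters rather than a detector.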