With this post we are getting near the end of this series on memory analysis with Vshot and Remnux. In this post we cover some of the plugins that detect the most targeted and stealthy attacks you can find out there today.
More often than in previous years, I am coming across reports in which the artifacts left behind by the attackers could only be recovered from memory, and there is a tendency for these attacks to become more mainstream because they are harder to detect. We are not talking only about malware: the use of legitimate tools is also increasing, which conceals the evil activity.
Read some examples here:
One more example that AV is not dead, but is only one part of a good defense-in-depth strategy. However, as with everything else in this field, old techniques are abandoned and new advancements evolve at the speed of light, and if you are planning to run your company systems with only an AV, you are failing to plan for a future that is already happening.
If you are not interested in the technicalities of this article, I encourage you to go to the end of it and read the conclusion, after that you may understand why this subject is important and why I am writing about it.
Let’s get to the main focus of this post. Code injection in memory can happen through DLL injection and process hollowing. I am not getting into the theory or the types of DLL injection; at the beginning of this series I recommended a fantastic book. Please consider reading it to get a deeper understanding of the subject.
As an introduction, code injection is the action of injecting malicious code into a legitimate process. This way the evilness is being hidden within the memory space of a legitimate process and therefore the detection is more difficult if you do not perform memory analysis.
The plugins we have in Vshot included in the Remnux distro to detect code injection are ‘malfind’ and ‘ldrmodules’.
The ‘malfind’ plugin scans memory looking for memory sections with ‘PAGE_EXECUTE_READWRITE’ protection that are not mapped to a file present on disk, and checks for the existence of an MZ header (portable executable). The same plugin allows you to dump those process memory sections so they can later be reverse engineered by other specialists if needed.
The ‘ldrmodules’ plugin scans processes in memory looking for signs of unlinked DLLs. A process’s DLLs are tracked in three different lists in memory, so malware wanting to hide can unlink the malicious DLL from one or more of these lists.
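As an added example (not part of the original post or of Vshot), the following Python script applies the ‘ldrmodules’ reasoning above to a constructed copy of the plugin’s text output: a module that is False in any of the three lists, or that has no mapped path at all, is flagged. It also handles the one legitimate exception, the process’s own executable, which is never in the InInit list.

```python
import re

# Constructed sample in the column layout of Volatility 2's ldrmodules plugin.
# Paths, bases and the two unlinked entries are made up for this example.
LDRMODULES_OUTPUT = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     868 lsass.exe            0x01000000 True   False  True  \WINDOWS\system32\lsass.exe
     868 lsass.exe            0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
     868 lsass.exe            0x00980000 False  False  False \WINDOWS\system32\evil.dll
    3296 svchost.exe          0x01000000 True   False  True  \WINDOWS\system32\svchost.exe
    3296 svchost.exe          0x00400000 False  False  False
"""

ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<process>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<inload>True|False)\s+(?P<ininit>True|False)\s+(?P<inmem>True|False)"
    r"\s*(?P<path>.*?)\s*$"
)

def parse_ldrmodules(text):
    """Turn the plugin's text table into dicts; header and separator lines are skipped."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        d = m.groupdict()
        rows.append({"pid": int(d["pid"]), "process": d["process"],
                     "base": int(d["base"], 16), "path": d["path"],
                     **{k: d[k] == "True" for k in ("inload", "ininit", "inmem")}})
    return rows

def triage(rows):
    """Flag modules unlinked from any of the three PEB lists, or with no backing file."""
    findings = []
    for r in rows:
        missing = [n for n in ("inload", "ininit", "inmem") if not r[n]]
        # The process's own executable is legitimately absent from InInit; that alone is not a hit.
        is_main_exe = r["path"].lower().endswith("\\" + r["process"].lower())
        if is_main_exe and missing == ["ininit"]:
            continue
        if not r["path"]:
            reason = "no file mapping (unbacked image)"
        elif missing:
            reason = "unlinked from " + ", ".join(missing)
        else:
            continue
        findings.append((r["pid"], r["process"], hex(r["base"]), reason))
    return findings
```

The process name column is the 16-character ImageFileName, so the main-executable check can miss processes with longer names; treat such hits as candidates to look at, not as verdicts.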
See an example below with an MZ header from the ‘malfind’ plugin:
If we check the ‘ldrmodules’ plugin, although not for the exact purpose it was built for, we can clearly see that an executable was injected into the memory space of the process above.
Process 3296 is svchost.exe and it contains an injected executable (WINDOWS\system32\dllhost\svchost.exe) in its memory space. This is an example of how we can use these two plugins to find anomalies and code injection, whether the code is present on disk or not. Detection may be possible if, as in this case, the svchost.exe file is known to be malicious and not a 0-day; AV will play a good role here. Even if the file is not known to be malicious, we can still comb the hard drive until we find the file, since the process will be touching files on disk in order to execute. However, by the time a reverse engineer has done the analysis and determined that the process is malicious, it will be too late.
As final evidence that the process has been injected with some sort of code, likely malicious, see the pslist plugin output.
It is clear that svchost.exe PID 3296 is a rogue process spawned by process ID 1900, which is explorer.exe; explorer.exe is not known to be the parent process of svchost.exe.
Now, let’s quickly look at this from another angle. Let’s assume that the code injection happens without touching the disk. In this example the above plugins come in handy, as the detection is straightforward. It is evident in processes lsass.exe PID 868 and lsass.exe PID 1928 that the DLL has been unlinked from one of the lists.
Let’s see another example of code injection without an MZ header, likely shellcode; however, to confirm this you will need some knowledge of assembler to reverse engineer the machine code.
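To make the ‘malfind’ logic from earlier concrete, and the difference between the two cases above (an injected PE versus a section with no MZ header), here is an added Python example that is not from the original post or from Vshot. It applies the same three checks (RWX protection, no backing file, first bytes of the region) to constructed memory regions; the PIDs, bases and bytes are made up.

```python
from dataclasses import dataclass

@dataclass
class MemRegion:
    pid: int
    process: str
    start: int
    protection: str    # VAD protection as malfind prints it
    mapped_file: str   # backing file on disk, "" for private (unbacked) memory
    head: bytes        # first bytes of the region, what malfind shows in its hexdump

def classify(region):
    """Malfind-style heuristic: RWX, not file-backed, then look at the first bytes.
    Returns None when the region is not suspicious, otherwise a short verdict."""
    if region.protection != "PAGE_EXECUTE_READWRITE" or region.mapped_file:
        return None
    if not region.head.strip(b"\x00"):
        return None   # all-zero first page; malfind skips these too (reserved, not yet used)
    if region.head[:2] == b"MZ":
        return "injected PE (MZ header present)"
    return "unbacked RWX region without MZ header: possible shellcode, disassemble to confirm"

def scan(regions):
    """Return (pid, process, start, verdict) for every suspicious region."""
    hits = []
    for r in regions:
        verdict = classify(r)
        if verdict:
            hits.append((r.pid, r.process, hex(r.start), verdict))
    return hits

# Constructed regions; the PE header and the few opcode bytes are made up for illustration.
REGIONS = [
    MemRegion(3296, "svchost.exe", 0x00400000, "PAGE_EXECUTE_READWRITE", "",
              b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    MemRegion(4321, "notepad.exe", 0x003b0000, "PAGE_EXECUTE_READWRITE", "",
              b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"),   # push ebp; mov ebp,esp; sub esp,0x10; ...
    MemRegion(4321, "notepad.exe", 0x01000000, "PAGE_EXECUTE_WRITECOPY",
              r"\WINDOWS\system32\notepad.exe", b"MZ\x90\x00"),   # the real image: file-backed
    MemRegion(868, "lsass.exe", 0x00f00000, "PAGE_EXECUTE_READWRITE", "", b"\x00" * 16),
]
```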
Let’s confirm with other plugins used previously, such as ‘pslist’.
Nothing abnormal in the output: the PPID is 656, which is services.exe. Let’s check the ‘pstree’ plugin to confirm.
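The parent-process reasoning used twice in this post (svchost.exe spawned by explorer.exe is rogue; svchost.exe spawned by services.exe is normal) can be scripted over ‘pslist’ output. The following is an added example, not code from the original post or from Vshot; it assumes a Windows XP-era image like the one discussed here (on Vista and later, services.exe and lsass.exe are children of wininit.exe, so the table would need to change), and the sample output is constructed.

```python
import re

# Constructed sample in the column layout of Volatility 2's pslist plugin (only the
# first four columns matter here); offsets, counts and times are made up.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     56      256 ------      0
0x81e2cda0 smss.exe                368      4      3       19 ------      0 2016-01-01 10:00:01 UTC+0000
0x8208a020 winlogon.exe            612    368     23      512      0      0 2016-01-01 10:00:05 UTC+0000
0x81f3c5a8 services.exe            656    612     16      262      0      0 2016-01-01 10:00:06 UTC+0000
0x81f1f020 lsass.exe               668    612     21      339      0      0 2016-01-01 10:00:06 UTC+0000
0x81e0c020 svchost.exe            1012    656     10      200      0      0 2016-01-01 10:00:08 UTC+0000
0x81dd4da0 explorer.exe           1900   1856     14      334      0      0 2016-01-01 10:00:20 UTC+0000
0x81e41020 svchost.exe            3296   1900      4       79      0      0 2016-01-01 10:15:42 UTC+0000
"""

PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")

# Expected lineage on Windows XP (assumption for this example); lower-case names.
EXPECTED_PARENT = {
    "smss.exe": "system", "winlogon.exe": "smss.exe", "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe", "svchost.exe": "services.exe",
}

def parse_pslist(text):
    """Map PID -> (name, PPID) from the plugin's text table."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = (m.group("name"), int(m.group("ppid")))
    return procs

def check_parents(procs):
    """Return (pid, name, detail) for core processes whose parent is not the expected one."""
    findings = []
    for pid, (name, ppid) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue   # explorer.exe etc.: parent (userinit.exe) normally exits, so not checked
        parent = procs.get(ppid)
        if parent is None:
            findings.append((pid, name, f"parent PID {ppid} not in list (exited?), expected {expected}"))
        elif parent[0].lower() != expected:
            findings.append((pid, name, f"spawned by {parent[0]} (PID {ppid}), expected {expected}"))
    return findings
```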
Nothing abnormal; what else could be wrong with this process? Let’s check the sockets plugin.
There we have it: listening ports from process 1012. You can find a TCP listener on port 4444. This malware sample has trojan capabilities, so it is no surprise to find the listener on port 4444.
If I go a bit off the script, I would like to dump the process memory sections and run them through an AV. Let’s see how to do this very quickly.
1. Dump the process to an executable file, what is the detection rate?
The command to dump the process to an executable file is the following,
Uploading the executable file to Virustotal we get the following results,
Surprisingly, the only ‘AV’ that detected it is not really an AV but a so-called next-generation endpoint protection product: it happens to be CrowdStrike Falcon, from the same organization where Devin Gergen, the author of the Vshot script, works.
If you want to know more about machine learning detection with Crowdstrike Falcon and Virustotal read the following article:
The rest of the AVs swallowed it, as predicted, without complaining. How many of these products are deployed out there today protecting the Enterprise? I will not comment on this… How much do modern enterprises need advanced detection on the endpoint today? I will not comment on this one either.
2. Dumping the memory section of the same process containing the DLL or code injection, what is the detection rate?
As expected, with the dumped section the detection rate increased: now we have 21 hits out of 60, making 39 AVs on the market useless and the others probably the ‘best of breed’. I am still surprised to see very vague detection names for the file. This proves that code injection today is king in evading AV detection.
Up to now you have seen how powerful it is to inject code into memory and how it is not possible to detect it on disk. Defenders need to understand these techniques in order to defend the organization. How many times do you find traces of malicious behaviour at your perimeter, yet when you investigate your machines there are no AV logs flagging anything, nor any other evidence pointing to the machine being part of a breach?
I would really pay attention to incidents in which detection at the perimeter has found suspicious communication with a URL or IP, and maybe, only maybe, through AV and passive DNS you are able to ascertain the maliciousness of that infrastructure, yet when investigated in your network everything seems normal. It is likely that code injection happened on the endpoint. So from now on, consider this an option, as these attacks are more and more mainstream today.
To finish this post, I would like to quickly touch on the eternal subject of the usefulness of these skills and whether they are Enterprise skills. At first glance they do not seem to be Enterprise skills for Defenders in the ‘modern’ Enterprise, especially because everything that comes packaged as ‘Enterprise’ today comes disguised in wonderful colours and shapes, and at a high price.
If you think these are not Enterprise skills, you are wrong. Today you need to be hiring professionals in the threat detection and security engineering fields with an understanding of these threats and these skills; if you are not doing it, you are hiring to fail. These skills in the right hands, combined with some of the advanced endpoint protection solutions available on the market today, work wonders.
Many of these solutions are built, and can achieve the level of protection they provide today, because they take into consideration, among other things, the memory system and how threats take advantage of it.
Do not make a bad bet because these skills come across as non-enterprise, are not visually appealing, or come titled as memory forensics. The reality is that in an Enterprise deployment of an advanced endpoint solution you are going to need them to operate and monitor this protection technology. In recent months I have tested some of them and they are so powerful that they allow the operator to perform IR/forensics-type work in nearly real time.
Do not fool yourself: they are forensic techniques, but they are being pushed to the endpoint to do near-real-time detection, and they are already available on the market.
In the next and last article I will quickly go through rootkit detection: how it works and how to detect it.
See previous articles about memory forensics: