Section 3.5: Injection, Rootkits, & Extraction Flashcards
Why do adversaries use code injection?
It serves as camouflage, it gives them access to the process's memory sections and permissions, it gives them a chance to migrate, it evades A/V since the code is not stored on disk, and it assists with more complex attacks like rootkits.
Why would an adversary migrate from one process to another?
The process they exploited can be closed by the user (say, Internet Explorer). They will want to move to a more persistent process like svchost or another process that always remains running.
What was the Emotet malware?
Code injection that focuses on browser processes to gain access to stored credentials.
Name three types of code injection
DLL injection, reflective, and process hollowing
Describe process hollowing
Malware starts a suspended instance of a legitimate process. It then deallocates the original process code and replaces it with malware. It can retain the original process objects. Since this malicious code is not backed by a file on disk, it is called hollowing.
Describe reflective injection
Malware implements its own LoadLibrary(), thereby bypassing the API functions used for security, resulting in code running that is not present in the process's module lists or on the system disk.
Can PowerShell do code injection?
Yes: both regular code injection and reflective injection.
Explain a simple code injection procedure.
The adversary has admin rights to debug the process. They use the API function OpenProcess() to attach the attacker process to the victim process. The attacker process allocates memory in the victim [VirtualAllocEx()] and writes the malware DLL path into it [WriteProcessMemory()]. A remote thread [CreateRemoteThread()] is then created with LoadLibrary() as its entry point in order to load the DLL into the process from disk.
Why does Mimikatz depend on the API functions NtCreateThreadEx and RtlCreateUserThread?
Because on modern systems, system processes run in sessions isolated from user processes, and these functions bypass this hurdle.
Name the three module lists kept in the PEB.
InLoadOrderModule list, InInitializationOrderModule list (no exe present), and InMemoryOrderModule list.
Name the code injection plugins.
ldrmodules, malfind, hollowfind, and threadmap
How does ldrmodules gather its data?
It compares the PEB lists with the VAD tree and the memory sections to see whether they agree.
Name an executable that will not be present in the InInitializationOrderModule list.
Lsass.exe
Name three indicators from the malfind plugin that point to reflective code injection in a memory section.
The memory section is marked PAGE_EXECUTE_READWRITE, it has no mapped path, and it contains a PE (MZ) header or shellcode. A memory section with no file backing on disk should not contain executable code.
What does Metasploit's "run vnc" command do once the adversary has injected a RAT tool into a victim's process?
It injects a VNC remote desktop DLL on the victim's system and opens a VNC session. Use grep -B4 MZ on the malfind output to show the four lines preceding the injected code and identify the related processes.
If no MZ header is found when using malfind, what is another way to identify whether code is present inside a process?
Look for assembly keywords such as MOV, EBP, ESP, and PUSH.