Section 3.5: Injection, Rootkits, & Extraction

Question 1

Why adversaries use code injection?

Answer 1

It serves as a camo, it gets access to the process’s memory sections and permissions, it gives them a chance to migrate, it evades A/V since its not stored inside disk, and it assists with more complex attacks like rootkits.

Question 2

Why would adversary migrate from one process to another?

Answer 2

The process they may have exploited can be turned off by the user (say Internet Explorer). They will want to move to a more persistent process like svchost or another that always remains.

Question 3

What was the emotet malware?

Answer 3

Code injection that focuses on browser processes to gain access to stored credentials.

Question 4

Name three types of code injection

Answer 4

DLL injection, reflective, and process hollowing

Question 5

Describe process hollowing

Answer 5

Malware starts a suspended instance of a legit process. It then deallocates the original process code and its replaced with malware. It can retain original process objects. Since this bad code is not backed inside disk, its called hollowing.

Question 6

Describe reflective injection

Answer 6

Malware creates its own LoadLibrary() therefore bypassing API functions used for security, resulting in code running that isn’t present in the process host lists or on system disk.

Question 7

Can Powershell do code injection?

Answer 7

Yes! Code injection and reflective.

Question 8

Explain a simple code injection procedure.

Answer 8

Adversary has admin rights to debug process. They use the API function OpenProcess () to attach attacker process to victim process. The attack process allocates [VirtualAllocEx()] memory on the victim and adds malware DLL path [WriteProcessMemory()]. [CreateRemoteThread()] is added along with [LoadLibrary()] in order to load DLL to process from disk.

Question 9

Why does Mimikatz depend on API functions NTCreateThreadEx and RtlCreateUserThread?

Answer 9

Because modern systems process run in sessions isolated from user processes and this bypasses this hurdle.

Question 10

Name the three lists that run PEB

Answer 10

InLoadOrderModule list, InInitializationOrderModule list (no exe present), and InMemoryOrderModule list.

Question 11

The code injection plugins

Answer 11

Ldrmodules, malfind, hollowfind, & threadmap

Question 12

How does ldrmodules gathers its data sources?

Answer 12

It compares the PEB lists with the VAD tree and memory sections to see if they are true.

Question 13

Name an executable that will not be present inside the InInitializationOrderModule list?

Answer 13

Lsass.exe

Question 14

Three indicators that prove there is reflective code injection inside the memory sections when using the malfind plugin.

Answer 14

Memory sections marked as “Page_Execute_ReadWrite”, no mapped path, and section has PE (MZ) file or shellcode. There should be no executable presence inside the memory sections if there is no code there (only disk).

Question 15

What command does “run vnc” by Metasploit do once the adversary injectes a RAT tool inside a victim’s process?

Answer 15

It injects a VNC remote desktop DLL on victim’s system and opens up a VNC session. Use grep -b4 MZ on malfind to find processes related before to the injected code.

Question 16

If no MZ header is found when using malfind, what is another method to identify if there is code present inside a process?

Answer 16

Look for assembly code words such as: MOV, EBP, ESP, & and PUSH.

Question 17

How many bytes does malfind plugin display when run?

Answer 17

64 bytes out of 4096+ bytes. It is necessary to dump the memory section to fully review and see if code is being pushed further down to avoid visibility.

Question 18

What is hooking?

Answer 18

Code detour. Malicious process or driver redirects the logical code flow in order to manipulate I/O.

Question 19

Name the four locations rootkits can do hooking.

Answer 19

System Service Descriptor Table (SSDT: Kernel), Interrupt Descriptor Table (IDT: Kernel), Import Address Table (IAT: user), I/O Request Packets (IRP: Drivers).

Question 20

How can I find IAT hooks if its user based?

Answer 20

By using the plugin apihooks.

Question 21

What kernels and drivers need to be filtered out when searching malicious hooks inside the SSDT?

Answer 21

ntoskrnl.exe kernels and win32k.sys drivers.

Question 22

Plugins to detect rootkit activity

Answer 22

Ssdt, apihooks, psxview, modscan, driverirp,& idt.

Question 23

What does NTEnumerateKey, NTEnumerateValueKey, and NTQueryDirectoryFile do?

Answer 23

It hides registry keys, key values, files, and directories. Malware interacts with these objects while hiding itself.

Question 24

Is DKOM changes written on disk?

Answer 24

No, the kernel object changes are manipulated through memory.

Question 25

Name a few rootkit cases to research.

Answer 25

FU, Myfip, H worm, Fanbot.A worm, and Prolaco

Question 26

Two processes that will mark false on psxview

Answer 26

Smss.exe and csrss.exe

Question 27

Plugin to retrieve active drivers and plugin to receive them in tree format.

Answer 27

Modules & devicetree

Question 28

Upon finding a malicious driver, what can I do as an analyst?

Answer 28

Look for the hooks related to it first then go for everything else like objects, process, etc.

Question 29

Apihook indicators that can be suspicious on a running process

Answer 29

HTTPQueryInfo, unknown, GetClipboardData, HTTPSendRequest.

Question 30

What does the hooking module field marking unknown indicate in apihooks?

Answer 30

That the process is not mapping to anything on disk so its injected.

Question 31

Plugins to extract processesz drivers and objects

Answer 31

Dlldump, moddump, procdump, memdump, cmdscan, consoles, dumpfiles, filescan, & shimcachemem.

Question 32

Say I found malicious hooks during SSDT scan, how can I dump it for reverse engineering?

Answer 32

After finding hooks, look for the driver using modules or modscan. Get the offset and run moddump.

Question 33

What does memdump dump? What is it good for?

Answer 33

The executable code of the process being dumped as well as any loaded DLLs, memory-mapped files, and kernel memory pages. It can be used for file carving domains, IP addresses, passwords, and user-typed data.

Question 34

What is strings/bstrings (Windows) tool used for?

Answer 34

It extracts English ASCII & Unicode strings from a data stream and creates a file. It can be good for looking for strings of evidence such as username, IP addresses, domains, passwords, etc. Once a hit is found, look at other info around it to find context as to what is going on. Its useful on memdump and other places too.

Question 35

What are some purposes in using the grep command?

Answer 35

To locate certain words. In memdump, use it by adding the keywords founded in memory investigations. Say a process called linsniffer was found, I can dump its memory sections by memdump, create a strings file, and grep the word linsniffer to see what it does.

Question 36

Besides the cmdscan and consoles plugin to get command history, what is another way to obtain it?

Answer 36

Run memdump on the conhost process, make a strings file, and grep it for keywords found throughout the investigation to find context around the keywords.

Question 37

What processes do the cmdscan and consoles plugin get command data from?

Answer 37

Cmdscan through csrss.exe and consoles through conhost CONSOLE_INFORMATION. Consoles gets the command used and what was retrieved.

Question 38

Tools used to decompress pagefiles and their pros/cons.

Answer 38

winmem_decompress.py: simple, but used only for string and IOC searching.
win10memcompression.py: can use volatility plugins, but its slow.

Question 39

Can dumpfiles be an alternative to file carving?

Answer 39

Yes. It can get files that were running inside memory but there is no guarantee it will be uncorrupted. I can’t get prefetch or registry hives.

Question 40

Standalone live memory analysis tools and scaling list.

Answer 40

Get-InjectedThread, hollows_hunter, and Velociraptor.

Question 41

IOC tools used for scaling live memory

Answer 41

Openioc_scan and yarascan in Volatility, and page.brute.py for scaling live pagefiles.