Section 3.5: Injection, Rootkits, & Extraction Flashcards

1
Q

Why do adversaries use code injection?

A

It serves as camouflage, it gives access to the host process's memory sections and permissions, it gives them a chance to migrate, it evades A/V since the code is not stored on disk, and it assists with more complex attacks like rootkits.

2
Q

Why would an adversary migrate from one process to another?

A

The process they may have exploited can be turned off by the user (say Internet Explorer). They will want to move to a more persistent process like svchost or another that always remains.

3
Q

What was the Emotet malware?

A

Code injection that focuses on browser processes to gain access to stored credentials.

4
Q

Name three types of code injection

A

DLL injection, reflective, and process hollowing

5
Q

Describe process hollowing

A

Malware starts a suspended instance of a legitimate process. It then deallocates the original process code and replaces it with malware. It can retain the original process objects. Since this malicious code is not backed by a file on disk, the technique is called hollowing.

6
Q

Describe reflective injection

A

Malware implements its own LoadLibrary(), thereby bypassing the API functions that security tools monitor, resulting in code running that is not present in the process's module lists or on the system disk.

7
Q

Can PowerShell do code injection?

A

Yes: both standard code injection and reflective injection.

8
Q

Explain a simple code injection procedure.

A

The adversary has admin rights to debug the process. They use the API function OpenProcess() to attach the attacker process to the victim process. The attacker process allocates memory in the victim [VirtualAllocEx()] and writes the malware DLL path into it [WriteProcessMemory()]. A remote thread is then created [CreateRemoteThread()] that calls LoadLibrary() in order to load the DLL into the process from disk.

9
Q

Why does Mimikatz depend on the API functions NtCreateThreadEx and RtlCreateUserThread?

A

Because on modern systems, system processes run in a session isolated from user processes, and these functions bypass that hurdle.

10
Q

Name the three module lists kept in the PEB.

A

InLoadOrderModuleList, InInitializationOrderModuleList (no exe present), and InMemoryOrderModuleList.

11
Q

Name the Volatility plugins used to detect code injection.

A

ldrmodules, malfind, hollowfind, and threadmap.

12
Q

How does ldrmodules gather its data?

A

It cross-references the PEB module lists against the VAD tree and the memory sections to see whether they agree.

13
Q

Name an executable that will not be present in the InInitializationOrderModuleList.

A

lsass.exe

14
Q

Name three indicators in malfind output that point to reflective code injection in a memory section.

A

Memory sections marked PAGE_EXECUTE_READWRITE, no mapped file path, and a section containing a PE (MZ) header or shellcode. There should be no executable content in a memory section that has no mapped file on disk.

15
Q

What does the Metasploit command “run vnc” do once the adversary has injected a RAT into a victim's process?

A

It injects a VNC remote desktop DLL into the victim's system and opens a VNC session. Use grep -B4 MZ on the malfind output to find the processes associated with the injected code.

16
Q

If no MZ header is found when using malfind, what is another method to identify if there is code present inside a process?

A

Look for assembly mnemonics and register names such as MOV, EBP, ESP, and PUSH.

17
Q

How many bytes does the malfind plugin display when run?

A

64 bytes of a section that is 4096+ bytes. It is necessary to dump the memory section to review it fully and see whether code has been pushed further down the section to avoid visibility.

18
Q

What is hooking?

A

A code detour: a malicious process or driver redirects the logical code flow in order to manipulate I/O.

19
Q

Name the four locations rootkits can do hooking.

A

System Service Descriptor Table (SSDT: Kernel), Interrupt Descriptor Table (IDT: Kernel), Import Address Table (IAT: user), I/O Request Packets (IRP: Drivers).

20
Q

How can I find IAT hooks, which are user-mode based?

A

By using the apihooks plugin.

21
Q

What kernel and driver modules need to be filtered out when searching for malicious hooks inside the SSDT?

A

The ntoskrnl.exe kernel and the win32k.sys driver.

22
Q

Name the plugins used to detect rootkit activity.

A

ssdt, apihooks, psxview, modscan, driverirp, and idt.

23
Q

What is the effect of hooking NtEnumerateKey, NtEnumerateValueKey, and NtQueryDirectoryFile?

A

They hide registry keys, key values, files, and directories. Malware interacts with these objects while hiding itself.

24
Q

Are DKOM changes written to disk?

A

No; the kernel objects are manipulated directly in memory.

25
Q

Name a few rootkit cases to research.

A

FU, Myfip, H worm, Fanbot.A worm, and Prolaco

26
Q

Name two processes that will show False in psxview.

A

smss.exe and csrss.exe

27
Q

Name the plugin that lists active drivers and the plugin that shows them in tree format.

A

modules and devicetree

28
Q

Upon finding a malicious driver, what can I do as an analyst?

A

Look for the hooks related to it first, then go for everything else like objects, processes, etc.

29
Q

Name apihooks indicators that can be suspicious on a running process.

A

Hooks on HttpQueryInfo, GetClipboardData, or HttpSendRequest, and a hooking module listed as “unknown”.

30
Q

What does a hooking module field of “unknown” indicate in apihooks?

A

That the hooking code does not map to any module on disk, so it was injected.

31
Q

Name the plugins used to extract processes, drivers, and objects.

A

dlldump, moddump, procdump, memdump, cmdscan, consoles, dumpfiles, filescan, and shimcachemem.

32
Q

Say I found malicious hooks during an SSDT scan; how can I dump the responsible driver for reverse engineering?

A

After finding the hooks, look for the driver using modules or modscan. Get its offset and run moddump.

33
Q

What does memdump dump? What is it good for?

A

The executable code of the process being dumped, as well as any loaded DLLs, memory-mapped files, and kernel memory pages. It can be used for carving domains, IP addresses, passwords, and user-typed data.

34
Q

What is the strings/bstrings (Windows) tool used for?

A

It extracts English ASCII and Unicode strings from a data stream and writes them to a file. It is useful for finding strings of evidence such as usernames, IP addresses, domains, passwords, etc. Once a hit is found, look at the surrounding data for context on what is going on. It is useful on memdump output and elsewhere too.

35
Q

What are some purposes of using the grep command?

A

To locate certain words. On a memdump, use it with the keywords found during the memory investigation. Say a process called linsniffer was found: I can dump its memory sections with memdump, create a strings file, and grep for the word linsniffer to see what it does.

36
Q

Besides the cmdscan and consoles plugins for getting command history, what is another way to obtain it?

A

Run memdump on the conhost process, make a strings file, and grep it for keywords found throughout the investigation to find the context around them.

37
Q

What processes do the cmdscan and consoles plugins get command data from?

A

cmdscan from csrss.exe, and consoles from the conhost CONSOLE_INFORMATION structure. consoles gets both the command used and what was returned.

38
Q

Name the tools used to decompress pagefiles, and their pros and cons.

A

winmem_decompress.py: simple, but useful only for string and IOC searching.
win10memcompression.py: can use Volatility plugins, but it is slow.

39
Q

Can dumpfiles be an alternative to file carving?

A

Yes. It can recover files that were resident in memory, but there is no guarantee they will be uncorrupted. It cannot retrieve prefetch files or registry hives.

40
Q

Name standalone live memory analysis tools that can be used at scale.

A

Get-InjectedThread, hollows_hunter, and Velociraptor.

41
Q

Name the IOC scanning tools used for live memory at scale.

A

openioc_scan and yarascan in Volatility, and page_brute.py for scanning live pagefiles at scale.