Attackers may load a malicious DLL into another process for a variety of ends, such as privilege escalation or defence evasion. DLL injection is a technique for running code within the address space of another process by forcing that process to load a dynamic-link library. It is often used by external programs to influence the behaviour of another program in a way its authors did not anticipate or intend.
The purpose of this post is to show what the process flow looks like from an attacker's standpoint, using open source pentesting tools, and where a defender can start analysing the attacker's post-exploitation activity.
On the attacker side, msfvenom is used to build a DLL payload that, once loaded, connects back to the attacker machine on port 5555 and provides a shell (the screenshots of these commands are not reproduced here).
The following actions are performed on the victim machine. A web server started with Python on port 8080 on the attacker system is browsed to download the malicious DLL. The DLL is then injected into a notepad process using PowerSploit; the command used in this case is Invoke-DllInjection. On successful injection the victim system connects back to the attacker environment, giving shell access on port 5555.
From an attacker vs defender standpoint:
Did you notice how many known malicious behaviours appear during this entire chain?
Attacker: creates the malicious DLL using msfvenom, starts a web server and a listener.
Defender: out of the radar; all of this happens on the attacker's own infrastructure.
Attacker: accesses the URL with a browser to download the malicious DLL.
Defender: the network connection might be captured and a file will be present on the filesystem, but these are ordinary events that sink into the ocean of data a defender has to deal with. In some cases signature-based detection may flag the DLL and quarantine it.
Attacker: may have changed or bypassed the PowerShell execution policy, loaded the PowerSploit module, and used Invoke-DllInjection to create a session with the attacker system.
Defender: definite indicators appear here: the PowerSploit module being loaded and commands executing in memory, a DLL being injected into a genuine Windows process, possibly persistence through the task scheduler, an anomalous TCP session on port 5555, and beaconing towards the attacker machine.
From this known-bad behaviour the defender can pivot through all the indicators and collect every trace the attacker left during the attack cycle.
Detection
Data sources:
- API monitoring
- Windows Registry
- File monitoring
- DLL monitoring
- Process monitoring
- Named Pipes
Process monitoring
Process monitoring is a minimum requirement for reliably detecting injection. Even though injection can be invisible to some forms of process monitoring, its effects become harder to miss once process behaviour is compared against expected functionality: notepad.exe opening an outbound TCP connection, as in this chain, is the kind of deviation to look for. On Windows, native system-integrity processes are top candidates to monitor for spawning high- or system-integrity applications, or for abnormal filesystem, registry, network and memory activity.
API monitoring
Monitor API calls such as CreateRemoteThread (typically preceded by OpenProcess, VirtualAllocEx and WriteProcessMemory against the target). A process using these against another process indicates it is using the Windows API to inject code into that process; Sysmon records CreateRemoteThread as Event ID 8, with the source and target process and the thread's start function.
Registry monitoring: look for persistence through registry modifications (for example, the Run keys).
File monitoring, DLL monitoring and named pipes: there is no direct indicator to write at this point; these have to be correlated with the other known-bad behaviours. An unsigned DLL loaded from a user-writable path into a process that normally loads only system DLLs is the correlation that matters in this chain.
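As an added example (not code from the original post), here is a small correlation script that applies the data sources above to a constructed set of Sysmon-style events mirroring this post's chain: PowerShell started with the execution policy bypassed, a CreateRemoteThread from PowerShell into notepad.exe, an unsigned DLL loaded from the Downloads folder, and notepad.exe opening a TCP connection to port 5555. Starting from the remote-thread event it pivots to every indicator tied to the injecting and injected processes, and then to the process that dropped the DLL the target loaded. The events, paths, process IDs, IP addresses and the two baseline sets are all assumed for the example; the field names follow Sysmon's schema.

```python
"""Correlate Sysmon-style events into a DLL injection chain.

Added example: the events below are constructed (not real telemetry) to mirror
the msfvenom / PowerSploit chain in this post. Field names follow Sysmon's
schema (Event ID 1 ProcessCreate, 3 NetworkConnect, 7 ImageLoad,
8 CreateRemoteThread, 11 FileCreate); the baselines are assumed.
"""

# Assumed baseline: workstation processes that never need outbound TCP.
NO_NETWORK_BASELINE = {"notepad.exe", "calc.exe", "mspaint.exe"}
# Assumed allowlist of images that legitimately create threads in other processes.
REMOTE_THREAD_ALLOWLIST = {"csrss.exe", "werfault.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"
DROPPED = r"C:\Users\victim\Downloads\evil.dll"  # assumed download path

EVENTS = [  # constructed sample, already in time order
    {"UtcTime": "10:00:01", "EventID": 11, "ProcessId": 3300, "Image": BROWSER,
     "TargetFilename": DROPPED},
    {"UtcTime": "10:00:20", "EventID": 1, "ProcessId": 4100, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File stage.ps1"},
    {"UtcTime": "10:00:25", "EventID": 1, "ProcessId": 2520, "Image": NOTEPAD,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"UtcTime": "10:00:26", "EventID": 7, "ProcessId": 2520, "Image": NOTEPAD,
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"UtcTime": "10:00:40", "EventID": 8, "SourceProcessId": 4100, "SourceImage": PS,
     "TargetProcessId": 2520, "TargetImage": NOTEPAD,
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"UtcTime": "10:00:40", "EventID": 7, "ProcessId": 2520, "Image": NOTEPAD,
     "ImageLoaded": DROPPED, "Signed": "false"},
    {"UtcTime": "10:00:41", "EventID": 3, "ProcessId": 2520, "Image": NOTEPAD,
     "DestinationIp": "192.0.2.10", "DestinationPort": 5555},
    {"UtcTime": "10:00:42", "EventID": 3, "ProcessId": 3300, "Image": BROWSER,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def pids_of(ev):
    return {ev.get(k) for k in ("ProcessId", "SourceProcessId", "TargetProcessId")} - {None}


def tag_event(ev):
    """Names of the known-bad behaviours an event matches (empty if benign)."""
    tags, eid = [], ev["EventID"]
    if eid == 1 and basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"}:
        cmd = ev["CommandLine"].lower()
        if "-executionpolicy bypass" in cmd or "-ep bypass" in cmd:
            tags.append("execution_policy_bypass")
        if "invoke-dllinjection" in cmd or "powersploit" in cmd:
            tags.append("powersploit_cmdline")
    elif eid == 7:
        loaded = ev["ImageLoaded"].lower()
        if not loaded.startswith("c:\\windows\\") and ev["Signed"] == "false":
            tags.append("unsigned_dll_outside_windows")
    elif eid == 8:
        if (ev["SourceProcessId"] != ev["TargetProcessId"]
                and basename(ev["SourceImage"]) not in REMOTE_THREAD_ALLOWLIST):
            tags.append("remote_thread")
            if ev.get("StartFunction", "").lower().startswith("loadlibrary"):
                tags.append("remote_thread_loadlibrary")  # classic DLL injection entry
    elif eid == 3 and basename(ev["Image"]) in NO_NETWORK_BASELINE:
        tags.append("unexpected_network")  # process outside its expected behaviour
    elif eid == 11:
        name = ev["TargetFilename"].lower()
        if name.endswith(".dll") and name.startswith("c:\\users\\"):
            tags.append("dll_written_to_user_profile")  # noise alone, useful once correlated
    return tags


def find_injection_chains(events):
    """Pivot from every remote-thread event to all indicators on the injecting
    and injected processes, then to whoever dropped the DLL that was loaded."""
    tagged = [(ev, tag_event(ev)) for ev in events]
    tagged = [(ev, t) for ev, t in tagged if t]
    chains = {}
    for ev, tags in tagged:
        if "remote_thread" not in tags:
            continue
        src, tgt = ev["SourceProcessId"], ev["TargetProcessId"]
        related = [(e, t) for e, t in tagged if pids_of(e) & {src, tgt}]
        loaded = {e["ImageLoaded"].lower() for e, _ in related if e["EventID"] == 7}
        dropped_by = [(e, t) for e, t in tagged
                      if e["EventID"] == 11 and e["TargetFilename"].lower() in loaded]
        related += [x for x in dropped_by if x not in related]
        related.sort(key=lambda x: x[0]["UtcTime"])
        chains[tgt] = {
            "source_pid": src, "source_image": ev["SourceImage"],
            "target_image": ev["TargetImage"],
            "indicators": sorted({name for _, t in related for name in t}),
            "dropper_pids": sorted({e["ProcessId"] for e, _ in dropped_by}),
            "timeline": [(e["UtcTime"], e["EventID"], t) for e, t in related],
        }
    return chains


if __name__ == "__main__":
    for pid, chain in find_injection_chains(EVENTS).items():
        print(f"injected pid {pid} ({chain['target_image']}) by pid {chain['source_pid']}")
        print("  indicators:", ", ".join(chain["indicators"]))
        for when, eid, tags in chain["timeline"]:
            print(f"  {when}  EventID {eid:>2}  {', '.join(tags)}")
```

Run against real telemetry the structure is the same: export Sysmon Event IDs 1, 3, 7, 8 and 11, tag each record with the rules above, and pivot on ProcessId, SourceProcessId and TargetProcessId. The browser's file write on its own is exactly the "ocean of data" noise described earlier; it only becomes meaningful once the path it wrote is the path the injected process loaded, which is why the second pivot keys on the DLL path rather than on a process ID.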