SlideShare a Scribd company logo

Taking Hunting to the Next Level: Hunting in Memory

Download as PPTX, PDF
J
Joe Desimone

Survey of malware in-memory stealth techniques combined with new detection technique

Technology
1 of 33
June 12, 2017 Hunting In Memory Jared Atkinson, Joe Desimone
Who are we ▪ Jared Atkinson • Defensive Service Technical Director - Specter Ops • Microsoft Cloud and Datacenter Management MVP (PowerShell) • Lead Developer PowerForensics ▪ Joe Desimone • Senior Malware Researcher - Endgame • Developer, Hunter, Reverse Engineer
Overview ▪ Why hunting in memory is important ▪ Memory based attacker techniques ▪ Existing tools and approaches ▪ New powershell tool for hunting at scale
Importance of Memory Hunting ▪ Memory resident malware has been in use for over a decade, and is now ubiquitous ▪ Once a staple of ‘APT’; now commonplace for crimeware ▪ Designed to evade PSPs and YOU ▪ Great signal to noise ratio; easy button hunting
Attacker Techniques ▪ Classic memory/shellcode injection ▪ Reflective DLLs ▪ Memory Module ▪ Process and Module Hollowing ▪ PEB Unlinking ▪ Gargoyle (ROP/APCs)
Classic Injection ▪ OpenProcess - Grab handle to target process ▪ VirtualAllocEx - Allocate a new chunk of memory in targe ▪ WriteProcessMemory - Write the shellcode/payload into target ▪ CreateRemoteThread - Start a new thread to execute the payload
Classic Injection - Poison Ivy
Poison Ivy
Poison Ivy
Poison Ivy Thread
Reflective DLL Injection ▪ DLL that maps itself into memory - original design and code by Steven Fewer [1] ▪ Handy from attacker perspective - makes for a ‘dumb’ injector ▪ No longer have to code in assembly (like PI) ▪ Very common technique (ex: meterpreter, powershell empire) ▪ Allocate memory, map sections, resolve imports, fixup relocations, call entry [1] https://github.com/stephenfewer/ReflectiveDLLInjection
Meterpreter ▪ Classic DLL Reflection, such as meterpreter, is easy to find
Meterpreter
Memory Module ▪ Similar to Reflective technique, except loader does all the work [1] ▪ Payload DLL doesn’t need any special modifications ▪ Loader re-implements LoadLibrary(), but works on a buffer in memory ▪ Can map into local or remote process [2] ▪ Typical implementations avoid RWX [1] Memory Module - https://github.com/fancycode/MemoryModule [2] Manual Map - https://github.com/DarthTon/Blackbone
NetTraveler - Memory Layout ▪ Uses legitimate looking permissions
NetTraveler - Active Thread
Winnti - Memory Layout
Winnti - Header Wipe
Process Hollowing ▪ Create new, suspended process ▪ Allocate new memory, unmap (hollow) existing code ▪ Write payload ▪ Redirect execution - SetThreadContext() and ResumeThread() ▪ Stealthy variants • Create/Map sections to avoid WriteProcessMemory • Modify entry point instead of SetThreadContext
DarkComet - Process Hollowing
DarkComet
Module Overwriting ▪ Up until now, all examples have lead to non-image backed code executing ▪ Module Overwriting avoids this, making it more difficult to detect ▪ Flame and Careto are examples ▪ Map an unused module into target process ▪ Overwrite legitimate module with payload ▪ Odinaff had a similar trick but overwrote its own executable Image Credit: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
Odinaff In Memory On Disk
PEB Unlinking ▪ Not an in memory technique, but rather an evasion ▪ Hide loaded DLL from security products, admins, hunters ▪ HackingTeam used this technique in their RAT ▪ Flame also unlinked shell32.dll ▪ To find peb unlinking, you could compare what the Win32 API reports as ‘loaded’ versus what you find is actually loaded with VirtualQuery/GetSectionName
Gargoyle ▪ Technique developed by Josh Lospinoso to hide injected code from security products ▪ Payload lies dormant, with read only permissions ▪ Periodically ‘wakes up.’ Sets payload executable with an asynchronous procedure call and ROP. Permissions reverted, cycle repeats. ▪ https://jlospinoso.github.io/security/assembly/c/cpp/developing/sof tware/2017/03/04/gargoyle-memory-analysis-evasion.html
Available Tools ▪ Volatility / malfind ▪ GRR ▪ Rekall ▪ inVtero
Detecting Injection w/ PowerShell
▪ PowerShell module written by Matt Graeber (@mattifestation) • https://github.com/mattifestation/PSReflect ▪ Avoids the compilation artifacts associated with P/Invoke • IMO the cleanest way to deal with Win32 API from PowerShell ▪ Library to abstract the complexities of calling Win32 functions via Reflection ▪ Intuitive “domain specific language” for defining enums, structs, and P/Invoke function signatures ▪ Must include PSReflect code in your scripts/modules PSReflect
▪ Built on PSReflect ▪ PowerShell function to identify injected threads via detection methodology: • Use Windows Toolhelp API to get all threads • Iterate through each thread • Identify the thread’s Base (Memory) Address • Query the memory page for which the Base Address belongs to • Check if the memory page’s state is MEM_COMMIT • Check if the memory page’s type is not MEM_IMAGE ▪ Returns details regarding offending process and thread • Check memory page permissions • Look for unnecessary privileges or integrity level • Identify abnormal user tokens Get-InjectedThread
▪ Injected Process Information • Process Id • Name • File Path (PEB and EPROCESS) • Command Line ▪ Thread Information • Thread Id • Unique Thread Token • Base Priority • Does thread have unique token? ▪ Memory Segment • Base Address • Size • Protection • State • Type • First 100 Bytes ▪ Token (Thread or Process) • Integrity Level • Enabled Privileges • SID / UserName • Logon Session Start Time • Logon Type • Authentication Package Get-InjectedThread Output
▪ Delivered as .zip file via Google Drive ▪ Zip archive contains one file • 2nd Myanmar Industrial Resource Development Symposium.exe • File has PowerPoint icon to trick users into opening ▪ Drops files upon execution • %USERPROFILE%<random>RealNetwork.exe (Legitimate Application) • %USERPROFILE%<random>main.dll (Loaded by MPAMedia.dll) • %USERPROFILE%<ramdom>mpapluginsMPAMedia.dll (DLL Side Loading) • Ppt ∙ Opened in PowerPoint to keep up the ruse Our Threat - 9002 Trojan http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/
Response ▪ Kill Thread • Stop-Thread • Built on Window’s TerminateThread API ▪ Process Minidump • Out-Minidump (PowerSploit) • https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1 ▪ Thread Dump • Dump-Thread
Questions?

Recommended

Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 

Recommended

Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data ScienceAustin Taylor
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingSam Bowne
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys AdminsWill Schroeder
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...Mauricio Velazco
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teamingn|u - The Open Security Community
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 

More Related Content

What's hot

Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data ScienceAustin Taylor
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingSam Bowne
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...Mauricio Velazco
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 

What's hot (20)

I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data Science
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code Auditing
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 

Similar to Taking Hunting to the Next Level: Hunting in Memory

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
0x02 - Windows Privilege Esc - A Low Level Explanation of Token TheftRussell Sanford
 
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
0x002 - Windows Priv Esc - A Low Level Explanation of Token TheftRussell Sanford
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debuggingchrisortman
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Application Profiling for Memory and Performance
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and PerformanceWSO2
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationzeroSteiner
 
C++ Programming and the Persistent Memory Developers Kit
C++ Programming and the Persistent Memory Developers KitC++ Programming and the Persistent Memory Developers Kit
C++ Programming and the Persistent Memory Developers KitIntel® Software
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
Application Profiling for Memory and Performance
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and Performancepradeepfn
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 

Similar to Taking Hunting to the Next Level: Hunting in Memory (20)

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
0x02 - Windows Privilege Esc - A Low Level Explanation of Token Theft
 
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
0x002 - Windows Priv Esc - A Low Level Explanation of Token Theft
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debugging
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Application Profiling for Memory and Performance
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and Performance
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
C++ Programming and the Persistent Memory Developers Kit
C++ Programming and the Persistent Memory Developers KitC++ Programming and the Persistent Memory Developers Kit
C++ Programming and the Persistent Memory Developers Kit
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Application Profiling for Memory and Performance
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and Performance
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
JavaScript Event Loop
JavaScript Event LoopJavaScript Event Loop
JavaScript Event Loop
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Taking Hunting to the Next Level: Hunting in Memory

  • 1. June 12, 2017 Hunting In Memory Jared Atkinson, Joe Desimone
  • 2. Who are we ▪ Jared Atkinson • Defensive Service Technical Director - Specter Ops • Microsoft Cloud and Datacenter Management MVP (PowerShell) • Lead Developer PowerForensics ▪ Joe Desimone • Senior Malware Researcher - Endgame • Developer, Hunter, Reverse Engineer
  • 3. Overview ▪ Why hunting in memory is important ▪ Memory based attacker techniques ▪ Existing tools and approaches ▪ New powershell tool for hunting at scale
  • 4. Importance of Memory Hunting ▪ Memory resident malware has been in use for over a decade, and is now ubiquitous ▪ Once a staple of ‘APT’; now commonplace for crimeware ▪ Designed to evade PSPs and YOU ▪ Great signal to noise ratio; easy button hunting
  • 5. Attacker Techniques ▪ Classic memory/shellcode injection ▪ Reflective DLLs ▪ Memory Module ▪ Process and Module Hollowing ▪ PEB Unlinking ▪ Gargoyle (ROP/APCs)
  • 6. Classic Injection ▪ OpenProcess - Grab handle to target process ▪ VirtualAllocEx - Allocate a new chunk of memory in targe ▪ WriteProcessMemory - Write the shellcode/payload into target ▪ CreateRemoteThread - Start a new thread to execute the payload
  • 7. Classic Injection - Poison Ivy
  • 11. Reflective DLL Injection ▪ DLL that maps itself into memory - original design and code by Steven Fewer [1] ▪ Handy from attacker perspective - makes for a ‘dumb’ injector ▪ No longer have to code in assembly (like PI) ▪ Very common technique (ex: meterpreter, powershell empire) ▪ Allocate memory, map sections, resolve imports, fixup relocations, call entry [1] https://github.com/stephenfewer/ReflectiveDLLInjection
  • 12. Meterpreter ▪ Classic DLL Reflection, such as meterpreter, is easy to find
  • 14. Memory Module ▪ Similar to Reflective technique, except loader does all the work [1] ▪ Payload DLL doesn’t need any special modifications ▪ Loader re-implements LoadLibrary(), but works on a buffer in memory ▪ Can map into local or remote process [2] ▪ Typical implementations avoid RWX [1] Memory Module - https://github.com/fancycode/MemoryModule [2] Manual Map - https://github.com/DarthTon/Blackbone
  • 15. NetTraveler - Memory Layout ▪ Uses legitimate looking permissions
  • 17. Winnti - Memory Layout
  • 19. Process Hollowing ▪ Create new, suspended process ▪ Allocate new memory, unmap (hollow) existing code ▪ Write payload ▪ Redirect execution - SetThreadContext() and ResumeThread() ▪ Stealthy variants • Create/Map sections to avoid WriteProcessMemory • Modify entry point instead of SetThreadContext
  • 20. DarkComet - Process Hollowing
  • 22. Module Overwriting ▪ Up until now, all examples have lead to non-image backed code executing ▪ Module Overwriting avoids this, making it more difficult to detect ▪ Flame and Careto are examples ▪ Map an unused module into target process ▪ Overwrite legitimate module with payload ▪ Odinaff had a similar trick but overwrote its own executable Image Credit: https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
  • 24. PEB Unlinking ▪ Not an in memory technique, but rather an evasion ▪ Hide loaded DLL from security products, admins, hunters ▪ HackingTeam used this technique in their RAT ▪ Flame also unlinked shell32.dll ▪ To find peb unlinking, you could compare what the Win32 API reports as ‘loaded’ versus what you find is actually loaded with VirtualQuery/GetSectionName
  • 25. Gargoyle ▪ Technique developed by Josh Lospinoso to hide injected code from security products ▪ Payload lies dormant, with read only permissions ▪ Periodically ‘wakes up.’ Sets payload executable with an asynchronous procedure call and ROP. Permissions reverted, cycle repeats. ▪ https://jlospinoso.github.io/security/assembly/c/cpp/developing/sof tware/2017/03/04/gargoyle-memory-analysis-evasion.html
  • 26. Available Tools ▪ Volatility / malfind ▪ GRR ▪ Rekall ▪ inVtero
  • 28. ▪ PowerShell module written by Matt Graeber (@mattifestation) • https://github.com/mattifestation/PSReflect ▪ Avoids the compilation artifacts associated with P/Invoke • IMO the cleanest way to deal with Win32 API from PowerShell ▪ Library to abstract the complexities of calling Win32 functions via Reflection ▪ Intuitive “domain specific language” for defining enums, structs, and P/Invoke function signatures ▪ Must include PSReflect code in your scripts/modules PSReflect
  • 29. ▪ Built on PSReflect ▪ PowerShell function to identify injected threads via detection methodology: • Use Windows Toolhelp API to get all threads • Iterate through each thread • Identify the thread’s Base (Memory) Address • Query the memory page for which the Base Address belongs to • Check if the memory page’s state is MEM_COMMIT • Check if the memory page’s type is not MEM_IMAGE ▪ Returns details regarding offending process and thread • Check memory page permissions • Look for unnecessary privileges or integrity level • Identify abnormal user tokens Get-InjectedThread
  • 30. ▪ Injected Process Information • Process Id • Name • File Path (PEB and EPROCESS) • Command Line ▪ Thread Information • Thread Id • Unique Thread Token • Base Priority • Does thread have unique token? ▪ Memory Segment • Base Address • Size • Protection • State • Type • First 100 Bytes ▪ Token (Thread or Process) • Integrity Level • Enabled Privileges • SID / UserName • Logon Session Start Time • Logon Type • Authentication Package Get-InjectedThread Output
  • 31. ▪ Delivered as .zip file via Google Drive ▪ Zip archive contains one file • 2nd Myanmar Industrial Resource Development Symposium.exe • File has PowerPoint icon to trick users into opening ▪ Drops files upon execution • %USERPROFILE%<random>RealNetwork.exe (Legitimate Application) • %USERPROFILE%<random>main.dll (Loaded by MPAMedia.dll) • %USERPROFILE%<ramdom>mpapluginsMPAMedia.dll (DLL Side Loading) • Ppt ∙ Opened in PowerPoint to keep up the ruse Our Threat - 9002 Trojan http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/
  • 32. Response ▪ Kill Thread • Stop-Thread • Built on Window’s TerminateThread API ▪ Process Minidump • Out-Minidump (PowerSploit) • https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1 ▪ Thread Dump • Dump-Thread