Process Injection Detection
Several ways to detect DLL injection: 1. the command line contains keywords of specific injection tools; 2. suspicious injection after excluding an allowlist; 3. suspicious DLL loads; 4. anomalous StartAddress values produced by specific injection tools.
The following content comes from open-source detection sources such as CAR and Splunk:
title: CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
- attack.defense_evasion
- attack.t1055.001
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2021/11/20
logsource:
product: windows
category: create_remote_thread
detection:
selection:
StartAddress|endswith:
- '0B80'
- '0C7C'
- '0C88' ==》 detect the start address
condition: selection
falsepositives:
- Unknown
level: high
title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
status: test
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
date: 2019/08/11
modified: 2021/11/27
logsource:
product: windows
category: create_remote_thread
detection:
selection:
StartModule|endswith: '\kernel32.dll'
StartFunction: 'LoadLibraryA' ==》 detect a suspicious DLL load
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.defense_evasion
- attack.t1055.001
title: Suspicious In-Memory Module Execution
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
modified: 2022/03/16
author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1055.001
- attack.t1055.002
logsource:
category: process_access
product: windows
detection:
selection1:
CallTrace|contains|all:
- 'C:\WINDOWS\SYSTEM32\ntdll.dll+'
- '|C:\WINDOWS\System32\KERNELBASE.dll+'
- '|UNKNOWN('
- ')'
selection2:
CallTrace|contains|all:
- 'UNKNOWN('
- ')|UNKNOWN('
CallTrace|endswith: ')'
selection3:
CallTrace|contains: 'UNKNOWN'
GrantedAccess:
- '0x1F0FFF'
- '0x1F1FFF'
- '0x143A'
- '0x1410'
- '0x1010'
- '0x1F2FFF'
- '0x1F3FFF'
- '0x1FFFFF'
filter:
- SourceImage|endswith: ==》 directly exclude the allowlist; anything not in the allowlist is treated as suspicious process injection. This should be what I want.
- '\Windows\System32\sdiagnhost.exe'
- '\procexp64.exe'
- '\procexp.exe'
- '\Microsoft VS Code\Code.exe'
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
- '\git\usr\bin\sh.exe'
- '\IDE\devenv.exe'
- '\GitHubDesktop\Update.exe'
- '\RuntimeBroker.exe'
- '\backgroundTaskHost.exe'
- '\GitHubDesktop.exe'
- SourceImage|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe'
- 'C:\Program Files (x86)\Microsoft Visual Studio\'
- 'C:\Program Files\Microsoft Visual Studio\'
- 'C:\Windows\Microsoft.NET\Framework'
- 'C:\WINDOWS\System32\DriverStore\'
- 'C:\Windows\System32\WindowsPowerShell\'
- SourceImage:
- 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- 'C:\WINDOWS\system32\taskhostw.exe'
- 'C:\WINDOWS\system32\ctfmon.exe'
- 'C:\WINDOWS\system32\NhNotifSys.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- 'C:\Windows\explorer.exe'
- TargetImage: 'C:\Windows\System32\RuntimeBroker.exe'
- TargetImage|endswith: '\Microsoft VS Code\Code.exe'
- CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+' # attempt to save the rule with a broader filter
filter_set_1:
SourceImage:
- 'C:\WINDOWS\Explorer.EXE'
TargetImage:
- 'C:\WINDOWS\system32\backgroundTaskHost.exe'
- 'C:\WINDOWS\explorer.exe'
filter_msmpeng:
SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
SourceImage|endswith: '\MsMpEng.exe'
filter_eclipse:
SourceImage|endswith: '\eclipse.exe'
CallTrace|contains:
- '\jre\bin\java.dll'
- '|C:\Windows\SYSTEM32\windows.storage.dll+'
- '\configuration\org.eclipse.osgi\'
filter_openwith:
SourceImage: 'C:\Windows\system32\OpenWith.exe'
TargetImage: 'C:\Windows\Explorer.EXE'
condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*
fields:
- ComputerName
- User
- SourceImage
- TargetImage
- CallTrace
level: low # too many false positives, really sad, but the amount of false positives with all kinds of software is just too high
falsepositives:
- SysInternals Process Explorer
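To make the selection/filter logic of the rule above concrete, here is an added example (not part of the Sigma rule or this page's original content) that evaluates the three selections and a representative subset of the filter entries over constructed Sysmon Event ID 10 records. The record values are made up for the example; Sigma string modifiers are case-insensitive, so everything is compared lower-cased.

```python
"""Evaluate the 'Suspicious In-Memory Module Execution' logic over Sysmon
Event ID 10 (ProcessAccess) records. Added example: the records are
constructed, and only a subset of the rule's filter entries is reproduced."""

# selection1: ntdll -> KERNELBASE -> UNKNOWN(...) in the call trace
SEL1_ALL = ["C:\\WINDOWS\\SYSTEM32\\ntdll.dll+",
            "|C:\\WINDOWS\\System32\\KERNELBASE.dll+",
            "|UNKNOWN(", ")"]
# selection2: at least two consecutive UNKNOWN frames, trace ends in ')'
SEL2_ALL = ["UNKNOWN(", ")|UNKNOWN("]
# selection3: any UNKNOWN frame combined with a high-privilege access mask
SEL3_ACCESS = {"0x1f0fff", "0x1f1fff", "0x143a", "0x1410",
               "0x1010", "0x1f2fff", "0x1f3fff", "0x1fffff"}

# Subset of the rule's filter: known-good sources (e.g. Process Explorer),
# vendor install directories, RuntimeBroker target, RPCRT4 call-trace exception.
FILTER_SRC_ENDSWITH = ["\\procexp64.exe", "\\procexp.exe", "\\RuntimeBroker.exe"]
FILTER_SRC_STARTSWITH = ["C:\\Program Files (x86)\\", "C:\\Program Files\\"]
FILTER_TGT_EXACT = ["C:\\Windows\\System32\\RuntimeBroker.exe"]
FILTER_TRACE_CONTAINS = ["|C:\\WINDOWS\\System32\\RPCRT4.dll+"]

# Constructed Sysmon Event ID 10 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # reflectively loaded code opening lsass with full access: should alert
        "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "GrantedAccess": "0x1F0FFF",
        "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2d82e|UNKNOWN(000001D2C3B410A0)",
    },
    {   # same trace shape, but from Process Explorer: suppressed by the filter
        "SourceImage": "C:\\Tools\\procexp64.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "GrantedAccess": "0x1F0FFF",
        "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2d82e|UNKNOWN(00007FF6A1B2C3D4)",
    },
    {   # every frame resolves to an on-disk module: benign, no selection fires
        "SourceImage": "C:\\Windows\\System32\\svchost.exe",
        "TargetImage": "C:\\Windows\\System32\\RuntimeBroker.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2d82e|C:\\Windows\\System32\\svchost.exe+1234",
    },
    {   # two UNKNOWN frames (selection2) from a vendor app under Program Files: filtered
        "SourceImage": "C:\\Program Files\\VendorApp\\app.exe",
        "TargetImage": "C:\\Windows\\explorer.exe",
        "GrantedAccess": "0x1410",
        "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|UNKNOWN(00000000001A0000)|UNKNOWN(00000000001A0040)",
    },
]


def _lc(value):
    return (value or "").lower()


def evaluate(event):
    """Return which selections fired and whether a filter suppressed the event."""
    trace = _lc(event.get("CallTrace"))
    src = _lc(event.get("SourceImage"))
    tgt = _lc(event.get("TargetImage"))
    access = _lc(event.get("GrantedAccess"))

    selection1 = all(p.lower() in trace for p in SEL1_ALL)
    selection2 = all(p.lower() in trace for p in SEL2_ALL) and trace.endswith(")")
    selection3 = "unknown" in trace and access in SEL3_ACCESS

    filtered = (
        any(src.endswith(p.lower()) for p in FILTER_SRC_ENDSWITH)
        or any(src.startswith(p.lower()) for p in FILTER_SRC_STARTSWITH)
        or tgt in [p.lower() for p in FILTER_TGT_EXACT]
        or any(p.lower() in trace for p in FILTER_TRACE_CONTAINS)
    )
    return {
        "selection1": selection1,
        "selection2": selection2,
        "selection3": selection3,
        "filtered": filtered,
        # condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*
        "alert": (selection1 or selection2 or selection3) and not filtered,
    }


def alerts(events):
    """SourceImage of every record that satisfies the rule condition."""
    return [e["SourceImage"] for e in events if evaluate(e)["alert"]]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["SourceImage"], evaluate(e))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The `filtered` branch is where the rule's low level comes from: as the comment in the rule says, the filter list grows with every piece of software that legitimately carries JIT or reflectively loaded code, so in practice the allowlist is tuned per environment rather than copied verbatim.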
title: TAIDOOR RAT DLL Load
id: d1aa3382-abab-446f-96ea-4de52908210b
status: test
description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
author: Florian Roth
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
date: 2020/07/30
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'dll,MyStart'
- 'dll MyStart'
selection2a:
CommandLine|endswith:
- ' MyStart'
selection2b:
CommandLine|contains:
- 'rundll32.exe' ==》 this is just rundll32, what does it have to do with process injection... uh...
condition: selection1 or ( selection2a and selection2b )
falsepositives:
- Unknown
level: critical
tags:
- attack.execution
- attack.t1055.001
title: MavInject Process Injection
id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
status: stable
description: Detects process injection using the signed Windows tool Mavinject32.exe
author: Florian Roth
references:
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://reaqta.com/2017/12/mavinject-microsoft-injector/
- https://twitter.com/Hexacorn/status/776122138063409152
date: 2018/12/12
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' /INJECTRUNNING ' ==》 detect a specific process command line
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.t1055.001
- attack.t1218
title: ZOHO Dctask64 Process Injection
id: 6345b048-8441-43a7-9bed-541133633d7a
status: test
description: Detects suspicious process injection using ZOHO's dctask64.exe
author: Florian Roth
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
date: 2020/01/28
modified: 2021/11/27
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\dctask64.exe' ==》 detecting the process name of a specific injection tool is one category
filter:
CommandLine|contains:
- 'DesktopCentral_Agent\agent'
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
- ParentImage
falsepositives:
- Unknown yet
level: high
tags:
- attack.defense_evasion
- attack.t1055.001
implementations:
- description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. '
code: |
remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")
output remote_thread
type: pseudocode
- description: LogPoint version of the above pseudocode.
code: |
norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
type: LogPoint
data_model: LogPoint native
title: DLL Injection with Mavinject
submission_date: 2020/11/30
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Olaf Hartong
id: CAR-2020-11-003
description: |
Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.
coverage:
- technique: T1055
tactics:
- TA0004
- TA0005
subtechniques:
- T1055.001
coverage: Low
implementations:
- name: Pseudocode - mavinject process and its common argument
description: This is a pseudocode representation of the below splunk search.
code: |
processes = search Process:Create
mavinject_processes = filter processes where (
exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR exe = "C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*") ==》 command line
output mavinject_processes
description: DynamicWrapperX is an ActiveX component that can be used in a script
to call Windows API functions, but it requires the dynwrapx.dll to be installed
and registered. With that, registering or loading dynwrapx.dll to a host is highly
suspicious. In most instances when it is used maliciously, the best way to triage
is to review parallel processes and pivot on the process_guid. Review the registry
for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious
module loads of dynwrapx.dll. This detection will return and identify the processes
that invoke vbs/wscript/cscript.
search: '`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName
= "dynwrapx.dll" OR Product = "DynamicWrapperX") | stats count min(_time) as firstTime
max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name
Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ==》 detect the name of the loaded DLL
| `loading_of_dynwrapx_module_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on processes that include the name of the process responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem`
node. In addition, confirm the latest CIM App 4.20 or higher is installed and the
latest TA for the endpoint product.
description: |
Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx).
- Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx)
- Write the name of the DLL to inject into this program with [WriteProcessMemory](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674.aspx)
- Create a new thread and set its entry point to [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx) using the API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx).
This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
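The three-step LoadLibrary injection above leaves a Sysmon Event ID 8 (CreateRemoteThread) record whose StartModule/StartFunction resolve to kernel32!LoadLibraryA or LoadLibraryW. The following added example (not CAR's or Sigma's code, and not part of this page's original content) parses constructed Sysmon event XML, applies the CAR LoadLibraryA/LoadLibraryW check plus the Cobalt Strike StartAddress suffix check from the rule at the top of the page, and drops events from an allowlisted source. The allowlist path and all event values are placeholders constructed for the example.

```python
"""Detect LoadLibrary-style remote thread creation in Sysmon Event ID 8 records.
Added example: the XML events are constructed, and the allowlist path is a
placeholder for whatever security product legitimately injects on a host."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trusted injecting sources must be allowlisted explicitly (placeholder path).
ALLOWLIST = {"c:\\program files\\exampleedr\\edr.exe"}

# StartAddress suffixes from the 'CobaltStrike Process Injection' Sigma rule.
CS_START_SUFFIXES = ("0B80", "0C7C", "0C88")


def _event(**fields):
    """Build a minimal Sysmon Event ID 8 XML string (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>8</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed records: an injector, an allowlisted EDR, a beacon-like thread
# start with no resolvable module, and an ordinary csrss.exe thread.
SAMPLE_EVENTS = [
    _event(SourceImage="C:\\Users\\alice\\AppData\\Local\\Temp\\inj.exe",
           TargetImage="C:\\Windows\\explorer.exe",
           StartAddress="0x00007FFB1A2B3C40",
           StartModule="C:\\Windows\\System32\\KERNEL32.DLL",
           StartFunction="LoadLibraryA"),
    _event(SourceImage="C:\\Program Files\\ExampleEDR\\edr.exe",
           TargetImage="C:\\Windows\\System32\\svchost.exe",
           StartAddress="0x00007FFB1A2B3C60",
           StartModule="C:\\Windows\\System32\\KERNEL32.DLL",
           StartFunction="LoadLibraryW"),
    _event(SourceImage="C:\\Users\\alice\\AppData\\Local\\Temp\\beacon.exe",
           TargetImage="C:\\Windows\\System32\\rundll32.exe",
           StartAddress="0x000001C4A3E60B80",
           StartModule="", StartFunction=""),
    _event(SourceImage="C:\\Windows\\System32\\csrss.exe",
           TargetImage="C:\\Windows\\explorer.exe",
           StartAddress="0x00007FFB1C3D5E10",
           StartModule="C:\\Windows\\System32\\ntdll.dll",
           StartFunction="ConstructedThreadStart"),
]


def parse_event(xml_text):
    """Flatten a Sysmon event into {"EventID": ..., "<Data Name>": value}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def evaluate(event):
    """Return the titles of the rules this Event ID 8 record triggers."""
    hits = []
    if event.get("EventID") != "8":
        return hits
    src = event.get("SourceImage", "").lower()
    if src in ALLOWLIST:
        return hits  # trusted injector: ignored by design
    module = event.get("StartModule", "").lower()
    function = event.get("StartFunction", "")
    address = event.get("StartAddress", "").upper()
    # CAR variant: LoadLibraryA or LoadLibraryW resolved from kernel32.dll
    if module.endswith("\\kernel32.dll") and function in ("LoadLibraryA", "LoadLibraryW"):
        hits.append("CreateRemoteThread API and LoadLibrary")
    # Sigma variant: thread start address with a known beacon suffix
    if address.endswith(CS_START_SUFFIXES):
        hits.append("CobaltStrike Process Injection")
    return hits


def run(xml_events):
    """Evaluate every event; return (SourceImage, TargetImage, rules) for hits."""
    results = []
    for xml_text in xml_events:
        event = parse_event(xml_text)
        rules = evaluate(event)
        if rules:
            results.append((event["SourceImage"], event["TargetImage"], rules))
    return results


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

Note that the two checks catch different things: the LoadLibrary check only works when Sysmon can resolve the start address to an exported function, while a beacon that starts a thread at an address inside unbacked memory leaves StartModule empty and is only caught by the address-suffix check (or, as in the process_access rule, by an UNKNOWN frame in the call trace).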
coverage:
- technique: T1055
tactics:
- TA0005
subtechniques:
- T1055.001
coverage: Moderate
- technique: T1548
tactics:
- TA0004
subtechniques:
- T1548.002
coverage: Moderate
implementations:
- description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. '
code: |
remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe") ==》 likewise LoadLibrary detection with the allowlist excluded