进程注入检测——DLL注入检测的几种方式：1、命令行，包含某些特定注入工具的关键字 2、排除白名单的可疑注入 3、可疑的DLL加载 4、特定工具注入的startaddress异常-526互联

进程注入检测

DLL注入检测的几种方式：1、命令行，包含某些特定注入工具的关键字 2、排除白名单的可疑注入 3、可疑的DLL加载 4、特定工具注入的startaddress异常

以下内容来自CAR和splunk等开源检测渠道：

title: CobaltStrike Process Injection

id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42

description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

references:

- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f

- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/

tags:

- attack.defense_evasion

- attack.t1055.001

status: experimental

author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community

date: 2018/11/30

modified: 2021/11/20

logsource:

product: windows

category: create_remote_thread

detection:

selection:

StartAddress|endswith:

- '0B80'

- '0C7C'

- '0C88'==》检测start address

condition: selection

falsepositives:

- Unknown

level: high

title: CreateRemoteThread API and LoadLibrary

id: 052ec6f6-1adc-41e6-907a-f1c813478bee

status: test

description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process

author: Roberto Rodriguez @Cyb3rWard0g

references:

- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html

date: 2019/08/11

modified: 2021/11/27

logsource:

product: windows

category: create_remote_thread

detection:

selection:

StartModule|endswith: '\kernel32.dll'

StartFunction: 'LoadLibraryA' ==》检测可疑的DLL加载

condition: selection

falsepositives:

- Unknown

level: critical

tags:

- attack.defense_evasion

- attack.t1055.001

title: Suspicious In-Memory Module Execution

id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39

description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.

status: experimental

date: 2019/10/27

modified: 2022/03/16

author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro

references:

- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/

tags:

- attack.privilege_escalation

- attack.defense_evasion

- attack.t1055.001

- attack.t1055.002

logsource:

category: process_access

product: windows

detection:

selection1:

CallTrace|contains|all:

- 'C:\WINDOWS\SYSTEM32\ntdll.dll+'

- '|C:\WINDOWS\System32\KERNELBASE.dll+'

- '|UNKNOWN('

- ')'

selection2:

CallTrace|contains|all:

- 'UNKNOWN('

- ')|UNKNOWN('

CallTrace|endswith: ')'

selection3:

CallTrace|contains: 'UNKNOWN'

GrantedAccess:

- '0x1F0FFF'

- '0x1F1FFF'

- '0x143A'

- '0x1410'

- '0x1010'

- '0x1F2FFF'

- '0x1F3FFF'

- '0x1FFFFF'

filter:

- SourceImage|endswith: ==》直接排除白名单，不在白名单内的就是可疑的进程注入，这个应该就是我想要的

- '\Windows\System32\sdiagnhost.exe'

- '\procexp64.exe'

- '\procexp.exe'

- '\Microsoft VS Code\Code.exe'

- '\aurora-agent-64.exe'

- '\aurora-agent.exe'

- '\git\usr\bin\sh.exe'

- '\IDE\devenv.exe'

- '\GitHubDesktop\Update.exe'

- '\RuntimeBroker.exe'

- '\backgroundTaskHost.exe'

- '\GitHubDesktop.exe'

- SourceImage|startswith:

- 'C:\Program Files (x86)\'

- 'C:\Program Files\'

- 'C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe'

- 'C:\Program Files (x86)\Microsoft Visual Studio\'

- 'C:\Program Files\Microsoft Visual Studio\'

- 'C:\Windows\Microsoft.NET\Framework'

- 'C:\WINDOWS\System32\DriverStore\'

- 'C:\Windows\System32\WindowsPowerShell\'

- SourceImage:

- 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'

- 'C:\WINDOWS\system32\taskhostw.exe'

- 'C:\WINDOWS\system32\ctfmon.exe'

- 'C:\WINDOWS\system32\NhNotifSys.exe'

- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'

- 'C:\Windows\explorer.exe'

- TargetImage: 'C:\Windows\System32\RuntimeBroker.exe'

- TargetImage|endswith: '\Microsoft VS Code\Code.exe'

- CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+' # attempt to save the rule with a broader filter

filter_set_1:

SourceImage:

- 'C:\WINDOWS\Explorer.EXE'

TargetImage:

- 'C:\WINDOWS\system32\backgroundTaskHost.exe'

- 'C:\WINDOWS\explorer.exe'

filter_msmpeng:

SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'

SourceImage|endswith: '\MsMpEng.exe'

filter_eclipse:

SourceImage|endswith: '\eclipse.exe'

CallTrace|contains:

- '\jre\bin\java.dll'

- '|C:\Windows\SYSTEM32\windows.storage.dll+'

- '\configuration\org.eclipse.osgi\'

filter_openwith:

SourceImage: 'C:\Windows\system32\OpenWith.exe'

TargetImage: 'C:\Windows\Explorer.EXE'

condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*

fields:

- ComputerName

- User

- SourceImage

- TargetImage

- CallTrace

level: low # too many false positives, really sad, but the amount of false positives with all kinds of software is just too high

falsepositives:

- SysInternals Process Explorer

title: TAIDOOR RAT DLL Load

id: d1aa3382-abab-446f-96ea-4de52908210b

status: test

description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load

author: Florian Roth

references:

- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a

date: 2020/07/30

modified: 2021/11/27

logsource:

category: process_creation

product: windows

detection:

selection1:

CommandLine|contains:

- 'dll,MyStart'

- 'dll MyStart'

selection2a:

CommandLine|endswith:

- ' MyStart'

selection2b:

CommandLine|contains:

- 'rundll32.exe' ==》就是rundll32啊，和进程注入有啥关系。。。呃。。。

condition: selection1 or ( selection2a and selection2b )

falsepositives:

- Unknown

level: critical

tags:

- attack.execution

- attack.t1055.001

title: MavInject Process Injection

id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8

status: stable

description: Detects process injection using the signed Windows tool Mavinject32.exe

author: Florian Roth

references:

- https://twitter.com/gN3mes1s/status/941315826107510784

- https://reaqta.com/2017/12/mavinject-microsoft-injector/

- https://twitter.com/Hexacorn/status/776122138063409152

date: 2018/12/12

modified: 2021/11/27

logsource:

category: process_creation

product: windows

detection:

selection:

CommandLine|contains: ' /INJECTRUNNING ' ==》检测特定进程命令行

condition: selection

falsepositives:

- Unknown

level: critical

tags:

- attack.t1055.001

- attack.t1218

title: ZOHO Dctask64 Process Injection

id: 6345b048-8441-43a7-9bed-541133633d7a

status: test

description: Detects suspicious process injection using ZOHO's dctask64.exe

author: Florian Roth

references:

- https://twitter.com/gN3mes1s/status/1222088214581825540

- https://twitter.com/gN3mes1s/status/1222095963789111296

- https://twitter.com/gN3mes1s/status/1222095371175911424

date: 2020/01/28

modified: 2021/11/27

logsource:

category: process_creation

product: windows

detection:

selection:

Image|endswith:

- '\dctask64.exe' ==》检测特定注入工具的进程名是一类

filter:

CommandLine|contains:

- 'DesktopCentral_Agent\agent'

condition: selection and not filter

fields:

- CommandLine

- ParentCommandLine

- ParentImage

falsepositives:

- Unknown yet

level: high

tags:

- attack.defense_evasion

- attack.t1055.001

implementations:

- description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. '

code: |

remote_thread = search Thread:RemoteCreate

remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")

remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

output remote_thread

type: pseudocode

- description: LogPoint version of the above pseudocode.

code: |

norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"

type: LogPoint

data_model: LogPoint native

title: DLL Injection with Mavinject

submission_date: 2020/11/30

information_domain: Host

platforms:

- Windows

subtypes:

- Process

analytic_types:

- TTP

contributors:

- Olaf Hartong

id: CAR-2020-11-003

description: |

Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.

coverage:

- technique: T1055

tactics:

- TA0004

- TA0005

subtechniques:

- T1055.001

coverage: Low

implementations:

- name: Pseudocode - mavinject process and its common argument

description: This is a pseudocode representation of the below splunk search.

code: |

processes = search Process:Create

mavinject_processes = filter processes where (

exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*" ==》命令行

output mavinject_processes

description: DynamicWrapperX is an ActiveX component that can be used in a script

to call Windows API functions, but it requires the dynwrapx.dll to be installed

and registered. With that, registering or loading dynwrapx.dll to a host is highly

suspicious. In most instances when it is used maliciously, the best way to triage

is to review parallel processes and pivot on the process_guid. Review the registry

for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious

module loads of dynwrapx.dll. This detection will return and identify the processes

that invoke vbs/wscript/cscript.

search: '`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName

= "dynwrapx.dll" OR Product = "DynamicWrapperX") | stats count min(_time) as firstTime

max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name

Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ==》检测加载的DLL名字

| `loading_of_dynwrapx_module_filter`'

how_to_implement: To successfully implement this search you need to be ingesting information

on processes that include the name of the process responsible for the changes from

your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem`

node. In addition, confirm the latest CIM App 4.20 or higher is installed and the

latest TA for the endpoint product.

description: |

Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx).

- Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx)

- Write the name of the DLL to inject into this program with [WriteProcessMemory](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674.aspx)

- Create a new thread and set its entry point to [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx) using the API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx).

This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.

coverage:

- technique: T1055

tactics:

- TA0005

subtechniques:

- T1055.001

coverage: Moderate

- technique: T1548

tactics:

- TA0004

subtechniques:

- T1548.002