Share this page!

Maybe Scrolly?
inversecos Profile picture
Twitter logo
Mar 9 13 tweets 5 min read
1\ How to detect what command line spawned a process with no EDR/AV? 👀 #DFIR

If you have a memory sample, this is how you can figure out what cmd spawned the processes by using volshell and memory forensics.

STEP BY STEP GUIDE BELOW

👇 👇 👇 👇 

#MemoryForensics
2\ Each process in Windows is represented by an "EPROCESS" structure.

These EPROCESS blocks are joined in a doubly linked list structure. The flink (forward link) tells you the next process running and blink (backwards link) tells you the previous process.
3\ When you see a list of processes on a live system, often times this is gathered by walking this doubly-linked structure of EPROCESS blocks.

Of course malware can unlink a process in this doubly linked list to hide from detection :P
4\ Now inside each of EPROCESS blocks is a pointer to a PEB (Process environment block). This is an object that stores information about a process like:

> What command started this process ;)
> The directory the process lives in
> handles, heaps etc

en.wikipedia.org/wiki/Process_E….
5\ Given this knowledge, this is how we'll figure out what spawned the process:

1. Examine the EPROCESS object for the process

2. Locate the PEB pointer

3. Locate “_RTL_USER_PROCESS_PARAMETERS” inside the PEB that stores the command line that the process was started with
6\ STEP 1: Enter volshell.

To enter into volshell type in this command into Volatility:

vol.py -f <filename> —profile=<profile> volshell
7\ STEP 2: Enter into the context of the process - in this instance I will use cmd.exe

Type in ps() to see the running processes and to get the:
> PID
> Offset

Type in cc(pid=X) to enter into the context of the process
8\ STEP 3: Examine the EPROCESS structure of the process

Type in dt(“_EPROCESS”, <offset>)

Scroll until you see the decimal address of the PEB and convert that into hex address :) I have it highlighted in white at the bottom.
9\ STEP 4: Examine the PEB of the process

Type dt(“_PEB”, <PEB address>)

This address is what you converted into hex from the step above. This reveals the structures within the PEB.

Locate the “ProcessParameters” structure and convert the decimal address into HEX again.
10\ STEP 5: Fetch the command that spawned the process

With the converted ProcessParameters hex address, type:
dt(“_RTL_USER_PROCESS_PARAMETERS”, <hexaddress>)

Voila, this will then show you the command line that spawned the process :)
11\ The plugins pstree/pslist/psxview/psscan show you what processes were running/terminated.

You can use the technique I showed you above to see how those processes were spawned and the command lines that were used. :)
12\ This is a link to volatility <3 <3
github.com/volatilityfoun…
13\ I never know if you guys prefer these as tweets or as a blog..

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with inversecos

inversecos Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @inversecos

inversecos Profile picture
Feb 17
1\ How to prove malicious macro was enabled & clicked? 👀 #DFIR

HKEY_LOCAL_MACHINE\USERDAT\Software\Microsoft\Office\<VERS>\<PROGRAM>\Security\Trusted Documents\TrustRecords

Look ONLY for values where last four bytes are "FF FF FF 7F".

These files had macros enabled

👇👇👇
2\ In light of the recent Emotet campaigns, make sure you check INetCache Outlook folder as it stores the attachments that were opened in Outlook.

If AV quarantines the file this wont exist.

C:\Users\<name>\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<Folder>\
3\ Next check the macro settings for that user as this user had macros set to auto enabled (VBAWarnings=1)

NTUSERDAT\Software\Microsoft\Office\<vers>\<program>\Security

Disable all macros w/o notification : 2, 4
Disable all macros except signed macros: 3
Enable all macros: 1
Read 7 tweets
inversecos Profile picture
Jan 31
1\ #MalwareAnalysis: Detecting Process Hollowing
The first pattern to look for are any calls to create processes in a suspended state:

> CreateProcessA
"dwCreationFlags" set 0x04 CREATE_SUSPENDED

Purpose is to disguise malicious code in a legit exe by replacing the contents.
2\ Following the process being started in a suspended state... (usually svchost.exe but who's counting). Then there are API calls to native/non native APIs:

> ZwUnmapviewofsection
> virtualallocex
> writeprocessmemory
> setthreadcontext
> NTgetcontextthread
> ntreadvirtualmemory
3\ Other ones:
> NTResumethread
> NTwritevirtualmemory
> ntsetcontextthread

The logic is to look for signs of processes being started in suspended state - then the process being hollowed, replaced with "malicious" contents and resuming of execution.
Read 4 tweets
inversecos Profile picture
Oct 21, 2021
1\ #MobileForensics Tip: Did you know iOS, by default, tracks all locations that you visit to build a map of your life.

Artefacts:
> cache.sqlite
> cloud.sqlite
> local.sqlite

Tracked by IoS:
> When you arrived
> When you left
> Long/Lat

😝Photo is a parsed local.sqlite file
2\ In your iPhone the local.sqlite will render like this - as you can see I went to a grocery store 13 times. I was in lockdown don’t judge me.
3\ You can parse these using DB browser for sqlite - there are field names including longitude, latitude and also tracks when you arrived / left so it understands your dwell time. There are also fields pertaining to vehicle events i.e. you parked your car.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @inversecos has new unrolls!

Check out other threads from @inversecos!

Read all threads by @inversecos

:(