inversecos
May 19 • 4 tweets • 2 min read
1\ #ThreatHunting: How to detect fileless Linux malware

Look for processes in /proc/<PID>/exe where the path shows "(deleted)"

Here are two examples 👇
1. BPFDoor deleted binary
2. An attacker abusing memfd_create() to exec their malware in RAM w/o dropping files to disk.
2\ To recover/extract these binaries running in memory - you can copy them out from this location:

/proc/<PID>/exe

Also as an FYI for memfd_create() abuse detection you can hunt for the "memfd: (deleted)" string directly.
3\ You can also review what command line spawned the pid by reviewing:

/proc/<PID>/cmdline

This screenshot shows the cmdline used for the memfd_create() reverse shell. There are a lot of other interesting things you can also review in /proc/PID.
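The hunt from tweets 1 to 3 as a script, added here as an example that is not part of the thread: walk /proc, flag exe links ending in "(deleted)" or starting with "/memfd:", read cmdline, and copy the still-running image out through the exe link. The fake /proc tree, pids and binary names built in demo_scan() are constructed; on a live host run scan_proc() as root, since reading another user's exe link needs ptrace-level access.

```python
"""Added example: hunt a /proc tree for processes whose executable is gone from disk."""
import hashlib
import os
import tempfile

def classify_exe(target: str) -> str:
    """'memfd', 'deleted', or '' for a /proc/<PID>/exe link target."""
    if not target.endswith(" (deleted)"):
        return ""
    return "memfd" if target.startswith("/memfd:") else "deleted"

def scan_proc(proc_root: str = "/proc") -> list:
    """Return (pid, kind, exe_target, argv) for each process running a deleted or memfd image."""
    hits = []
    for name in filter(str.isdigit, os.listdir(proc_root)):
        pid_dir = os.path.join(proc_root, name)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:  # kernel thread, no permission, or the process already exited
            continue
        kind = classify_exe(target)
        if kind:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:  # NUL-separated argv
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            hits.append((int(name), kind, target, argv))
    return sorted(hits)

def extract_exe(pid: int, dest: str, proc_root: str = "/proc") -> str:
    """Copy /proc/<PID>/exe to dest; the kernel still serves the unlinked image. Returns SHA-256."""
    with open(os.path.join(proc_root, str(pid), "exe"), "rb") as src:
        data = src.read()
    with open(dest, "wb") as out:
        out.write(data)
    return hashlib.sha256(data).hexdigest()

def demo_scan() -> tuple:
    """Constructed fake /proc: a normal process, a deleted on-disk binary and a memfd process."""
    root = tempfile.mkdtemp()
    deleted_img = os.path.join(root, "implant (deleted)")  # stands in for the unlinked file
    with open(deleted_img, "wb") as fh:
        fh.write(b"\x7fELF constructed sample")
    fake = {1: ("/usr/lib/systemd/systemd", [b"/sbin/init"]),
            4242: (deleted_img, [b"/tmp/implant", b"--daemon"]),
            5151: ("/memfd:worker (deleted)", [b"./loader", b"--resident"])}
    for pid, (target, argv) in fake.items():
        os.mkdir(os.path.join(root, str(pid)))
        os.symlink(target, os.path.join(root, str(pid), "exe"))
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as fh:
            fh.write(b"\0".join(argv) + b"\0")
    return scan_proc(root), extract_exe(4242, os.path.join(root, "recovered.bin"), root)
```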
4\ Btw, if you're a redteamer/pentester interested in the memfd_create() technique, check out this awesome presentation discussing it:

2018.zeronights.ru/wp-content/upl…

More from @inversecos

Apr 28
1\ How to detect file timestomping 👀

APT28, APT29, APT32, APT38 have all used this defence evasion technique to modify malicious file creation times. 😈

Did you also know it's possible to timestomp $FN time?

👇👇 BLOG & TL;DR BELOW 👇👇

bit.ly/3KsX1ua
2\ Most IR analysts are taught to detect timestomping using two methods:

> Compare $FI vs $SI times in the MFT
> Look for 0s in timestamp nanoseconds

These two detections are NOT foolproof - they will catch simple cases. Attackers can set nanoseconds and modify $FN time!
3\ Why should you care?

Most forensic courses teach these 2 detections without introducing more variables. A lot of analysts treat what they are taught as the "bible" without questioning it and when it comes to detecting these anomalies... critical evidence may be missed.
Apr 6
1\ #DefenceEvasion Technique: Maliciously Modifying Registry Timestamps 👿👀

This technique doesn't log events in the Security.evtx and is almost trivial to perform as a defence evasion technique...

Read my blog for technique + detection:
bit.ly/3r7jfuO

TL;DR 👇👇
2\ Why should you care?

During an IR, registry timestamps are important evidence items for timelining & triaging an incident. They answer questions like...

> What files did the TAs open?
> When was a security tool disabled?
> What folders were the TAs looking at?
> etc...
3\ The native API "NtSetInformationKey" specifically allows a TA to overwrite a registry "Last Write" timestamp in an extremely trivial manner.

The param KEY_SET_INFORMATION_CLASS being passed the value KEY_WRITE_TIME_INFORMATION is what performs this.

undocumented.ntinternals.net/UserMode/Undoc…
Mar 23
1\ Windows Event Log Evasion via Native APIs 👀🧠

Some native Windows API calls can be used to install services WITHOUT generating correlating entries in the event log. This was seen in Stuxnet.

This blog covers the technique + detection.

bit.ly/3D7KI4n

TL;DR 👇👇
2\ High level of how the technique works.....

Services are normally created through standard API calls to "CreateServiceA" using sc.exe/at.exe. This API is what EDR usually detects on.

Note that using svcscan, Stuxnet isn't showing any of the malicious services... why is that?
3\ The "svcscan" plugin detects services using two methods:

1. Walk the VAD tree reviewing process memory for indicators of running services

2. Identify service records with the tags 'sErv' and 'serH', which finds any services unlinked from the doubly linked list.
Mar 9
1\ How to detect what command line spawned a process with no EDR/AV? 👀 #DFIR

If you have a memory sample, this is how you can figure out what cmd spawned the processes by using volshell and memory forensics.

STEP BY STEP GUIDE BELOW

👇 👇 👇 👇

#MemoryForensics
2\ Each process in Windows is represented by an "EPROCESS" structure.

These EPROCESS blocks are joined in a doubly linked list structure. The flink (forward link) tells you the next process running and blink (backwards link) tells you the previous process.
3\ When you see a list of processes on a live system, often times this is gathered by walking this doubly-linked structure of EPROCESS blocks.

Of course malware can unlink a process in this doubly linked list to hide from detection :P
Feb 17
1\ How to prove malicious macro was enabled & clicked? 👀 #DFIR

HKEY_LOCAL_MACHINE\USERDAT\Software\Microsoft\Office\<VERS>\<PROGRAM>\Security\Trusted Documents\TrustRecords

Look ONLY for values where last four bytes are "FF FF FF 7F".

These files had macros enabled

👇👇👇
2\ In light of the recent Emotet campaigns, make sure you check INetCache Outlook folder as it stores the attachments that were opened in Outlook.

If AV quarantines the file this won't exist.

C:\Users\<name>\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<Folder>\
3\ Next check the macro settings for that user as this user had macros set to auto enabled (VBAWarnings=1)

NTUSERDAT\Software\Microsoft\Office\<vers>\<program>\Security

Disable all macros w/o notification : 2, 4
Disable all macros except signed macros: 3
Enable all macros: 1
Jan 31
1\ #MalwareAnalysis: Detecting Process Hollowing
The first pattern to look for are any calls to create processes in a suspended state:

> CreateProcessA
"dwCreationFlags" set to 0x04 (CREATE_SUSPENDED)

Purpose is to disguise malicious code in a legit exe by replacing the contents.
2\ Following the process being started in a suspended state... (usually svchost.exe but who's counting). Then there are API calls to native/non-native APIs:

> ZwUnmapViewOfSection
> VirtualAllocEx
> WriteProcessMemory
> SetThreadContext
> NtGetContextThread
> NtReadVirtualMemory
3\ Other ones:
> NtResumeThread
> NtWriteVirtualMemory
> NtSetContextThread

The logic is to look for signs of processes being started in suspended state - then the process being hollowed, replaced with "malicious" contents and resuming of execution.
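The detection logic from the process-hollowing thread above, turned into code as an added example that is not the author's: a suspended CreateProcess followed by memory writes, a thread-context change and a resume against the same pid is reported, while a suspend-then-resume with no writes is not. The (api_name, target_pid, creation_flags) trace format and the pids in demo_trace() are constructed assumptions standing in for whatever an API monitor or sandbox emits.

```python
"""Added example: flag the process-hollowing API sequence in a constructed API-call trace."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit named in the thread

# API names from the thread grouped by role; matched case-insensitively since traces
# record Nt*/Zw*/Win32 spellings inconsistently.
HOLLOW_STEPS = {
    "unmap": {"zwunmapviewofsection", "ntunmapviewofsection"},
    "alloc": {"virtualallocex", "ntallocatevirtualmemory"},
    "write": {"writeprocessmemory", "ntwritevirtualmemory"},
    "context": {"setthreadcontext", "ntsetcontextthread", "ntgetcontextthread"},
    "resume": {"resumethread", "ntresumethread"},
}
# A suspended start plus these three is reported; unmap/alloc only corroborate.
REQUIRED = {"suspended", "write", "context", "resume"}

def detect_hollowing(trace):
    """trace: iterable of (api_name, target_pid, creation_flags); constructed format.
    Returns pids created suspended that were then written to, had a thread context set
    and were resumed, i.e. the pattern the thread describes."""
    steps = defaultdict(set)
    for api, pid, flags in trace:
        name = api.lower()
        if name.startswith("createprocess"):
            if flags & CREATE_SUSPENDED:
                steps[pid].add("suspended")
            continue
        if "suspended" not in steps.get(pid, ()):
            continue  # writes to a process never started suspended: a different pattern
        for step, names in HOLLOW_STEPS.items():
            if name in names:
                steps[pid].add(step)
    return sorted(pid for pid, seen in steps.items() if REQUIRED <= seen)

def demo_trace():
    """Constructed trace: pid 412 is hollowed; pid 777 is a benign suspend-then-resume."""
    return [
        ("CreateProcessA", 412, CREATE_SUSPENDED),
        ("NtGetContextThread", 412, 0),
        ("ZwUnmapViewOfSection", 412, 0),
        ("VirtualAllocEx", 412, 0),
        ("WriteProcessMemory", 412, 0),
        ("SetThreadContext", 412, 0),
        ("NtResumeThread", 412, 0),
        ("CreateProcessW", 777, CREATE_SUSPENDED),
        ("ResumeThread", 777, 0),
    ]
```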
