Most of the time, threat hunting starts from network logs or IDS/IPS logs. But relying on network logs alone may not be enough, since malware uses covert channels for communication, and IDS/IPS devices might not have signatures to catch the malicious traffic. So threat hunting on endpoints is equally important. Usually threat hunters look at ETW logs on endpoints or at files detected as malware on the endpoint. It is also important to identify malicious processes, or malicious code injected into legitimate processes, which can be found by scanning processes. Process scanning can also identify fileless malware and processes spawned from packed malware. Here is our "Process Hunting Toolkit", which helps threat hunters and incident responders inspect processes and hunt down malicious processes, code injections and fileless malware on Windows. The toolkit relies on anomalies in processes, memory scanning and finding code injections on endpoints.

You can download the binaries for the tool from the following link: https://github.com/intelliroot-tech/ProcessHuntingToolkit (please download all the binaries in the repo).

The zip contains executables with the following functionalities:

Below are the details of the working principle of these executables.

Memory Scanning

Memory scanning is a technique in which the virtual memory of processes is scanned for malicious patterns. It can detect fileless malware, and it can also detect packed malware once it has been executed (and therefore unpacked in memory). The advantage of memory scanning is that it detects malware with accurate nomenclature and is thus helpful for attributing malware to threat actors. We talked about memory scanning in one of our older articles here: https://www.intelliroot.com/resource-library/tools/yaraedr

Here are some advantages of a memory scanner over the file-based malware scanners used by antiviruses and other EDR products:

Almost every antivirus and EDR out there has a memory scanner, but memory scanning is a costly operation and impacts system performance. Hence, in endpoint products, memory scanning is most often disabled or triggered only under very specific conditions. Recently some endpoint products have developed more efficient memory scanners with hardware assistance such as Intel TDT (Threat Detection Technology). But again, this may limit memory scanning to systems with a specific CPU vendor and specific CPU generations.

After analyzing a lot of malware, looking into their memory attributes and taking into consideration the attributes of virtual memory on the Windows operating system, we developed a lightweight memory scanner. ProcMemScan_Beta.exe is the binary that scans memory. The scanner currently uses the yara library for pattern matching, but it can be replaced with other pattern-matching engines as well. ProcMemScan requires two files to work: "whitelist_process.txt" and "sign.dat". You can list the process binaries that you do not want scanned in whitelist_process.txt. "sign.dat" contains the memory signatures used to detect malware. The rules are written with performance in mind. As of now sign.dat has rules for the following malware families and can detect only these:

We will be providing more signature updates. If you want rules for special purposes, please reach out to us; we can provide rules and customization to detect APT malware.

To test the scanner, paste the string "ScannerTestX5O-TEST-Mem" into Notepad and then run ProcMemScan_Beta.exe as administrator. Notepad should be detected as "mal_scanner_test", as shown in the image below, and a log file named MemScanLogs.txt containing the detection will be created in the logs folder.


Fig: testing memory scanner

To scan all processes on the system, ProcMemScan_Beta.exe needs to be run as administrator. After scanning, the detected processes are listed on the command line, and the logs are written to MemScanLogs.txt in the logs folder.

The scanner can be configured to scan the system periodically by adding it to Scheduled Tasks, but it must run as administrator. In future versions we will push the logs to a SIEM.
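To make the scanner's workflow concrete, here is a simplified model of what a whitelist-aware memory scanner does, written as an added example (this is not Intelliroot's code and does not show how ProcMemScan_Beta.exe is implemented). It reads a whitelist_process.txt-style list, skips memory regions that are not committed and writable, matches signatures against the remaining regions and formats a log record; plain byte patterns stand in for the yara library, and the Region shape, the single self-test rule and the log format are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
# Windows memory constants from winnt.h (MEMORY_BASIC_INFORMATION fields).
MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

@dataclass
class Region:
    """One virtual-memory region of a process (assumed shape, mirrors VirtualQueryEx)."""
    base: int
    state: int
    protect: int
    data: bytes

# Constructed stand-in for sign.dat: rule name -> byte pattern. The only rule is the
# scanner's documented self-test; plain byte patterns replace the yara library here.
SIGNATURES: Dict[str, bytes] = {
    "mal_scanner_test": b"ScannerTestX5O-TEST-Mem",
}

def load_whitelist(text: str) -> Set[str]:
    """Parse whitelist_process.txt content: one image name per line, '#' starts a comment."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def scannable(region: Region) -> bool:
    """Keep the scan light: only committed, writable (RW/RWX) regions are read, since
    unpacked or injected payloads land there; read-only image pages are skipped."""
    return region.state == MEM_COMMIT and region.protect in (PAGE_READWRITE, PAGE_EXECUTE_READWRITE)

def scan_process(pid: int, image: str, regions: List[Region],
                 whitelist: Set[str]) -> List[Tuple[str, int]]:
    """Return (rule_name, virtual_address) hits, or [] if the image is whitelisted."""
    if image.lower() in whitelist:
        return []
    hits: List[Tuple[str, int]] = []
    for region in regions:
        if not scannable(region):
            continue
        for rule, pattern in SIGNATURES.items():
            offset = region.data.find(pattern)
            if offset != -1:
                hits.append((rule, region.base + offset))
    return hits

def log_line(pid: int, image: str, hit: Tuple[str, int]) -> str:
    """Format one MemScanLogs.txt-style detection record (format is an assumption)."""
    return f"{image} pid={pid} rule={hit[0]} addr={hit[1]:#x}"
```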

Process Anomaly Scanner

Windows system processes like svchost.exe and services.exe have some basic attributes, such as parent PID, process executable path and number of instances. If a process violates these basic attributes, it is treated as suspicious. Here are some of the basic attributes we can use to identify suspicious processes on a Windows system:

The binary ProcMemScanner_Beta.exe can be used to scan for the above anomalies. Right now it is limited to a few processes, but we are going to extend the checks to other processes soon. The screenshot below shows a binary executing from the AppData folder.

Fig: procAnomalyScanner_Beta.exe
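The parent, path and instance-count checks described above, applied to a process listing, as an added example (not the code of procAnomalyScanner_Beta.exe). The rule table is an assumption built from well-known Windows parent/path relationships and should be tuned per environment; the sample listing is constructed and includes one svchost.exe running from AppData, like the case in the screenshot.

```python
from typing import Dict, List

# Expected attributes for a few Windows system processes (assumed rule table built
# from well-known parent/path relationships; tune it for your environment).
EXPECTED = {
    "services.exe": {"parent": "wininit.exe", "path": r"c:\windows\system32\services.exe", "max": 1},
    "lsass.exe":    {"parent": "wininit.exe", "path": r"c:\windows\system32\lsass.exe",    "max": 1},
    "svchost.exe":  {"parent": "services.exe", "path": r"c:\windows\system32\svchost.exe", "max": None},
}
# Folders a normal user can write to; system binaries never execute from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def find_anomalies(procs: List[Dict]) -> List[str]:
    """procs: dicts with pid, ppid, name, path (as a process listing would give them)."""
    by_pid = {p["pid"]: p for p in procs}
    counts: Dict[str, int] = {}
    findings: List[str] = []
    for p in procs:
        name, path = p["name"].lower(), p["path"].lower()
        counts[name] = counts.get(name, 0) + 1
        rule = EXPECTED.get(name)
        if rule:
            parent = by_pid.get(p["ppid"])
            pname = parent["name"].lower() if parent else "<none>"
            if pname != rule["parent"]:
                findings.append(f"pid {p['pid']} {name}: parent is {pname}, expected {rule['parent']}")
            if path != rule["path"]:
                findings.append(f"pid {p['pid']} {name}: path {p['path']} is not {rule['path']}")
        if any(d in path for d in USER_WRITABLE):
            findings.append(f"pid {p['pid']} {name}: executing from user-writable folder {p['path']}")
    for name, rule in EXPECTED.items():
        if rule["max"] and counts.get(name, 0) > rule["max"]:
            findings.append(f"{name}: {counts[name]} instances, expected at most {rule['max']}")
    return findings

# Constructed sample listing: one svchost.exe masquerade running from AppData under explorer.exe.
SAMPLE_PROCS = [
    {"pid": 500, "ppid": 4, "name": "wininit.exe", "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600, "ppid": 500, "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 700, "ppid": 500, "name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 900, "ppid": 600, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2000, "ppid": 1000, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 1500, "ppid": 2000, "name": "svchost.exe", "path": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
]

if __name__ == "__main__":
    for line in find_anomalies(SAMPLE_PROCS):
        print(line)
```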

Injected Code Hunter

A lot of malware injects malicious code into clean system processes and executes it from inside those legitimate processes in order to bypass detection. Our tool Injected_Code_Hunter_x64.exe/Injected_Code_Hunter_x86.exe can scan the system for injected code. We have already blogged about it earlier: https://intelliroot.com/resource-library/tools/injectedcodehunter. Below is a screenshot of the tool.

Fig: Injected_Code_Hunter_x86.exe/Injected_Code_Hunter_x64.exe

Conclusion

The toolkit can be used for malware analysis, sandbox automation, threat hunting and incident response. Note that the toolkit is not meant to replace antivirus and EDR products, but it can certainly help in cases where their detections are missed. The tool can only detect malware; it does not have the ability to block it. The tools are still in beta, so please let us know if you find any bugs. If you want a custom version of the tool or signatures for our memory scanner, please reach out to us.

Intelliroot's products, services and tools help secure organizations against cyber attacks. We offer VAPT, Incident Response, Threat Hunting and Malware Analysis services. To know more about us, visit our main web page.