Month: November 2017

Finding Reflective DLL Injections

DLL injections that originate from a malicious DLL written to disk are commonly detected by any decent AV product. Detecting reflective DLL injection, however, is not as straightforward: malware injected directly into a process using reflective DLL injection typically never exists on disk, so there is no file to scan. A co-worker of mine developed a tool called Evil Injection Finder (EIF), which is designed to help you find those evil injections! Administrative rights are currently necessary to adequately examine the memory of running processes, and some memory will still be unreadable where the OS marks the process as a protected process, such as LSASS.

The example below demonstrates using EIF with a signature file to find injects in all processes on the system. A Meterpreter payload has been loaded into MicrosoftEdge using reflective injection.

I wanted to run EIF on remote systems, but it didn’t have that capability, so I developed EIF_Parser, which provides the following capabilities:

  • Executes Evil Inject Finder (EIF) on a remote system or systems
  • Retrieves the data gathered by EIF on remote systems
  • On the local system, presents only the processes with ‘yes’ in the MZ or DOS column
  • Logs systems not accessible, for one reason or another
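The following is an added example, not EIF or EIF_Parser code, showing the shape of both pieces described above: a minimal scanner that walks every process's private executable memory regions and reports whether each one starts with an "MZ" header or contains the DOS stub string (the MZ and DOS columns mentioned in the list), and a small driver that runs the scanner over WinRM, keeps only the "yes" rows, and logs hosts it could not reach. It assumes 64-bit PowerShell run elevated, WinRM enabled on the targets, and that the running account is a local administrator there; the function name `Invoke-InjectHunt` and the log file name are my own choices.

```powershell
# Added example (not EIF / EIF_Parser): scan private executable memory for PE headers
# and collect results from remote hosts. Run from an elevated 64-bit PowerShell session.
$scanner = {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeMem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern int VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, int len);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out int read);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
    $execFlags = 0x10, 0x20, 0x40, 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
    foreach ($p in Get-Process) {
        # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; fails (returns 0) for protected processes
        $h = [NativeMem]::OpenProcess(0x0410, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }
        $addr = [IntPtr]::Zero
        $mbi = New-Object -TypeName 'NativeMem+MBI'
        $len = [System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
        while ([NativeMem]::VirtualQueryEx($h, $addr, [ref]$mbi, $len) -ne 0) {
            # MEM_COMMIT + MEM_PRIVATE + executable: code that is not backed by an image on disk
            if (($mbi.State -eq 0x1000) -and ($mbi.Type -eq 0x20000) -and ($execFlags -contains $mbi.Protect)) {
                $size = [int][Math]::Min($mbi.RegionSize.ToInt64(), 4096)
                $buf  = New-Object byte[] $size
                $read = 0
                if ([NativeMem]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, $size, [ref]$read) -and $read -ge 2) {
                    $text = [System.Text.Encoding]::ASCII.GetString($buf, 0, $read)
                    $mz   = if ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) { 'yes' } else { 'no' }
                    $dos  = if ($text.Contains('This program cannot be run in DOS mode')) { 'yes' } else { 'no' }
                    [pscustomobject]@{
                        Computer = $env:COMPUTERNAME; PID = $p.Id; Process = $p.ProcessName
                        Base     = '0x{0:X}' -f $mbi.BaseAddress.ToInt64()
                        Size     = $mbi.RegionSize.ToInt64()
                        Protect  = '0x{0:X}' -f $mbi.Protect
                        MZ = $mz; DOS = $dos
                    }
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -ge 0x7FFFFFFFFFFF) { break }   # stay inside the user-mode address range
            $addr = [IntPtr]$next
        }
        [void][NativeMem]::CloseHandle($h)
    }
}

function Invoke-InjectHunt {
    # Hypothetical driver: run the scanner on each host, keep hits, log unreachable systems.
    param([string[]]$ComputerName, [string]$ErrorLog = "$PWD\unreachable.log")
    $results = foreach ($c in $ComputerName) {
        try   { Invoke-Command -ComputerName $c -ScriptBlock $scanner -ErrorAction Stop }
        catch { "$(Get-Date -Format s) $c : $($_.Exception.Message)" | Add-Content -Path $ErrorLog }
    }
    $results | Where-Object { $_.MZ -eq 'yes' -or $_.DOS -eq 'yes' }
}

# Local run:  & $scanner | Where-Object { $_.MZ -eq 'yes' -or $_.DOS -eq 'yes' } | Format-Table -AutoSize
# Remote run: Invoke-InjectHunt -ComputerName 'host1','host2' | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output: JIT compilers (.NET, browsers) legitimately create private executable regions, so the MZ/DOS columns, not the mere presence of a region, are what to pivot on; and a loader that wipes or never writes the PE header after mapping will not produce a "yes" in either column, which is why a signature file, as EIF supports, adds value beyond this header check.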

The tools can be found at the below links:

Hunting Self-signed Certificates

Self-signed certificates could be indicative of malicious behavior on a system, and being able to identify them is a key task in responding to an incident. Having self-signed certificates in an environment isn’t always a bad thing, but not being able to identify them and their purpose is! PowerShell makes the search straightforward: the Certificate PSDrive (Cert:) exposes the certificate stores, so we can walk them like a file system. The key indicator of a self-signed certificate is that the issuer and the subject are the same. It is also worth noting that a CA may issue a certificate to itself to support key rollover or changes in certificate policy, so a match on that indicator is a starting point for triage rather than a verdict.
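As an added example (not the script from the author's GitHub), the function below walks the Cert: drive, applies the subject-equals-issuer test, and attaches the context a responder needs to triage each hit: which store it lives in, whether it carries CA basic constraints, whether a private key is present, and its validity window. The function name and the `Interesting` heuristic are my own.

```powershell
# Added example: find self-signed certificates across the LocalMachine and CurrentUser stores.
function Find-SelfSignedCert {
    param([string[]]$Store = @('Cert:\LocalMachine', 'Cert:\CurrentUser'))

    Get-ChildItem -Path $Store -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Subject -eq $_.Issuer } |
        ForEach-Object {
            # Basic Constraints tells us whether the cert claims to be a CA at all.
            $bc = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            # PSParentPath looks like "...Certificate::LocalMachine\Root"; keep the store part.
            $storePath = $_.PSParentPath -replace '.*::', ''

            [pscustomobject]@{
                Store         = $storePath
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                IsCA          = if ($bc) { $bc.CertificateAuthority } else { $false }
                HasPrivateKey = $_.HasPrivateKey
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                # Self-signed roots in Root/AuthRoot are expected. A self-signed cert anywhere
                # else, or one whose private key is on this box, deserves a closer look.
                Interesting   = ($storePath -notmatch '\\(Root|AuthRoot)$') -or $_.HasPrivateKey
            }
        }
}

Find-SelfSignedCert | Sort-Object Interesting, NotAfter -Descending | Format-Table -AutoSize
```

Because the test is purely Subject equals Issuer, a CA's self-issued rollover certificate (same name, new key) will also appear; the `IsCA` and `Store` columns are what separate that case from an ad-hoc certificate somebody minted in the Personal store.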

This and more PowerShell scripts can be found on my GitHub.

Hashes of All Running Processes

A great starting point for anyone analyzing a system is the running processes. Taking the time to retrieve not only the command line of each process but also its parent process will enable you to find outliers. Taking it a step further, retrieving the hash of each process’s binary expands your aperture substantially, especially when you are able to group and stack those hashes against those from other machines. With that in mind, I’ve written a simple little script that will get the hashes of all running processes.
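The following is an added example, not the author's script, that pulls together the three data points the paragraph names (command line, parent process, image hash) and then stacks the hashes so that singletons surface first. It assumes an elevated session so that `Win32_Process` returns command lines for other users' processes; the function name is my own.

```powershell
# Added example: hash the image of every running process, join parent info, stack the results.
function Get-ProcessHashes {
    param([string]$Algorithm = 'SHA256')

    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    $hashCache = @{}   # many processes share one image; hash each path once
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if ($path) {
            if (-not $hashCache.ContainsKey($path)) {
                $h = Get-FileHash -LiteralPath $path -Algorithm $Algorithm -ErrorAction SilentlyContinue
                $hashCache[$path] = if ($h) { $h.Hash } else { 'UNREADABLE' }
            }
            $hash = $hashCache[$path]
        } else {
            $hash = 'NO_PATH'   # System, Idle and protected processes expose no image path
        }

        # PIDs are reused: only trust the parent if it was created before the child.
        $parent = $byId[[int]$p.ParentProcessId]
        $parentName = if ($parent -and $parent.CreationDate -and $parent.CreationDate -le $p.CreationDate) {
            $parent.Name
        } else { '<exited or reused PID>' }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            PID         = $p.ProcessId
            Name        = $p.Name
            PPID        = $p.ParentProcessId
            ParentName  = $parentName
            Path        = $path
            CommandLine = $p.CommandLine
            Hash        = $hash
        }
    }
}

$all = Get-ProcessHashes

# Stack locally: hashes seen once, or with no readable image, are the first things to look at.
$all | Group-Object Hash | Sort-Object Count |
    Select-Object Count, @{n='Hash';e={$_.Name}},
                  @{n='Processes';e={($_.Group.Name | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize

# Export per host, then stack the CSVs from many machines the same way.
$all | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-processes.csv"
```

One point that ties this back to the reflective-injection post above: `Get-FileHash` hashes the file on disk, not the code actually executing, so a process whose image is clean but whose memory has been injected into will still stack as "known good" here. Memory-based checks and hash stacking complement each other rather than substitute.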

Link to code: