What makes a process seem suspicious?
Analyzing the structure of hardware and software reveals more about how it functions and makes it possible to recognize more patterns. An attacker who writes malware often obfuscates the code to hinder this analysis.
Methods used for obfuscation & reverse engineering:
Disassembler: A computer program that translates machine language to assembly language.
Machine code: Binary code executed by the processor.
File Signature: The first two bytes of a binary header. Example file types: EXE, DLL, SYS, COM, etc.
Assembly code: Native processor instructions used to implement the program.
Decompiler: Software that translates a binary or low-level code to high-level code.
High-level code: Real or pseudo code in a human-readable form that makes it easier to identify functions, variables, etc. Reverse engineers attempt to identify strings or signatures for rule-based detection.
Strings: Encoded characters that appear within the exe file. If malware contains a string with a function called InternetOpenUrl and another string that is a URL, it might be downloading data from some web address.
Program Packer: Compression method in which the executable is mostly compressed, and the part that is not compressed contains the code to decompress the executable. The packed program is a type of self-extracting archive.
Just because a program is packed does not mean it is malicious. Packed malware can mask string literals and modify its signature to avoid triggering signature-based scanners until it is unpacked.
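An added example (not from the original notes) of the string check described under Strings, and of why packing hides those strings until the file is unpacked. It also scans UTF-16LE strings, which goes beyond the plain ASCII case; the API list, the sample bytes, and the use of zlib as a stand-in for a packer are assumptions made for illustration.

```python
import re
import zlib

# Import names that suggest network retrieval. Illustrative list chosen for this
# example (WinINet/urlmon exports); it is not exhaustive and not from the notes.
NETWORK_APIS = {"InternetOpenA", "InternetOpenUrlA", "InternetOpenUrlW", "URLDownloadToFileA"}
URL_RE = re.compile(r"https?://[\w.\-/:%?=&]+")

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Return printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16-le") for s in wide_runs])

def triage(data: bytes) -> dict:
    """Flag the pairing the notes describe: a network API name plus a URL string."""
    strings = extract_strings(data)
    apis = sorted(s for s in strings if s in NETWORK_APIS)
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    return {"apis": apis, "urls": urls, "possible_downloader": bool(apis and urls)}

# Constructed bytes that imitate fragments of an executable; not a real sample.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 64
          + b"KERNEL32.dll\x00InternetOpenUrlA\x00\x01\x02\x03"
          + "http://example.test/stage2.bin".encode("utf-16-le") + b"\x00\x00")
# zlib stands in for a packer's compression step (assumption for illustration).
PACKED = zlib.compress(SAMPLE, 9)

if __name__ == "__main__":
    print("unpacked:", triage(SAMPLE))
    print("packed:  ", triage(PACKED))
    print("restored:", triage(zlib.decompress(PACKED)))
```

The same scan that flags the unpacked bytes finds nothing in the compressed form, which is why string-based rules are normally applied after unpacking.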
What makes a process look suspicious?
A process name that you do not recognize, or one that is similar to the name of a legitimate system process.
Processes that appear without an icon, version, description, etc.
Processes signed by some random company.
A process whose digital signature does not match the identified publisher.
Any process that does not have an established parent/child relationship.
Processes hosted by Explorer, Notepad, Task Manager, etc.
What to do when you find a process?
Check and identify how the process interacts with the registry and file system.
How is the process launched?
Is the image file located in a temp folder or system folder?
What files are being manipulated by the process?
Does the process restore itself upon reboot or deletion?
Does a system process get blocked after deletion?
Is the process interacting with the network, and if yes, then how?
Is there any system privilege or escalation happening?
Malware Exploitation
Exploit Technique: Methods by which malware code infects a target host. Malware tries to avoid detection by signature-based security software.
How adversaries use modern malware:
Dropper or downloader
Maintain access
Strengthen Access
Actions on objectives
Concealment
Dropper: Malware that installs or runs other types of malware embedded in a payload on an infected host.
Downloader: Malware that connects to the internet to retrieve additional tools after initial infection by a dropper.
Shellcode: Lightweight code designed to run an exploit on the target; it may include any code format, from scripting languages to binary code. Shellcode refers to malware code that would get an attacker a shell (command prompt) on a target system.
Code Injection: Technique that runs malicious code with the identification number of a legitimate process. Droppers implement anti-forensics techniques to prevent detection and analysis.
Masquerading
DLL injection
DLL side-loading
Process hollowing
Living Off the Land: Using standard tools and packages for intrusions. Detecting the adversary is more difficult when malware executes within common tools & processes.
Behavioral Analysis
Behavioral analyses are used to identify injections through monitoring.
SysInternals: Tools that assist in troubleshooting issues with Windows and are suited for investigation. Process Explorer can filter out legitimate activity to reveal signs of abnormal behavior.
System Idle (PID 0) and System (PID 4): Kernel-level binaries that are the parent of the first user-mode process (Session Manager Subsystem - smss.exe).
WININIT (wininit.exe): Manages drivers & services and should only have a single instance running as a process.
Services.exe: Hosts non-boot drivers and background services. There should be a single instance of services.exe running as a child of wininit.exe, with other service processes showing as children of services.exe or svchost.exe.
Local Security Authority Subsystem (lsass.exe): Handles authentication & authorization services of the system. Should have a single instance running as a child of wininit.exe.
WINLOGON (winlogon.exe): Manages access to the user desktop and should have only one instance for each user, with Desktop Window Manager (dwm.exe) as a child process in modern versions of Windows.
USERINIT (userinit.exe): Sets up a shell and then quits. This process should quit after log-on.
EXPLORER (explorer.exe): Typical user shell, launched with the user's account privileges rather than SYSTEM's. It will likely be the parent of all processes started by the logged-on user.
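An added example (not part of the original notes) that audits a process snapshot against the parent/child and single-instance expectations listed above, plus the look-alike-name indicator from the suspicious-process list. The snapshot is constructed, and the 0.85 similarity cutoff and the svchost.exe-under-services.exe row are assumptions of this example.

```python
import difflib
from collections import Counter

# Expectations from the notes above: name -> (expected parent name, single instance only?)
# None means the notes state no parent for that process.
BASELINE = {
    "smss.exe":     ("system", False),
    "wininit.exe":  (None, True),
    "services.exe": ("wininit.exe", True),
    "lsass.exe":    ("wininit.exe", True),
    "svchost.exe":  ("services.exe", False),  # assumption: service hosts run under services.exe
    "dwm.exe":      ("winlogon.exe", False),
}
KNOWN = set(BASELINE) | {"system", "winlogon.exe", "userinit.exe", "explorer.exe"}

def audit(procs):
    """procs: list of (pid, ppid, name). Returns a sorted list of (pid, finding) tuples."""
    name_of = {pid: name.lower() for pid, _, name in procs}
    counts = Counter(name_of.values())
    findings = []
    for pid, ppid, name in procs:
        name = name.lower()
        if name in BASELINE:
            parent, single = BASELINE[name]
            actual = name_of.get(ppid, "<exited>")  # parents such as userinit.exe quit
            if parent and actual != parent:
                findings.append((pid, f"{name}: parent is {actual}, expected {parent}"))
            if single and counts[name] > 1:
                findings.append((pid, f"{name}: {counts[name]} instances, expected 1"))
        elif name not in KNOWN:
            # Not a known system name: does it imitate one?
            close = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.85)
            if close:
                findings.append((pid, f"{name}: name resembles {close[0]}"))
    return sorted(findings)

# Constructed snapshot of (pid, ppid, name); not taken from a real host.
SNAPSHOT = [
    (4, 0, "System"), (300, 4, "smss.exe"), (500, 420, "wininit.exe"),
    (620, 500, "services.exe"), (640, 500, "lsass.exe"), (900, 620, "svchost.exe"),
    (560, 430, "winlogon.exe"), (1010, 560, "dwm.exe"), (2200, 2100, "explorer.exe"),
    (3100, 2200, "lsass.exe"), (3200, 2200, "svch0st.exe"), (3300, 2200, "notepad.exe"),
]

if __name__ == "__main__":
    for pid, finding in audit(SNAPSHOT):
        print(pid, finding)
```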
Remediation:
EDR configuration
VirusTotal: Signature-based detections (more than 60 antivirus scanners)
Malware Attribute Enumeration & Characterization (MAEC): Standardized language for sharing information about malware, complementary to STIX and TAXII, to improve threat intelligence.
YARA: Rulesets for matching string combinations within a given data source.
Allow listing & Blocklisting
Allow listing: Allows known apps, services, and traffic to and from systems. It is a security configuration where access is denied unless the entity is on the allow list. It can be an effective fallback posture, but it is incredibly restrictive.
Blocklisting: Blocks known apps, services, and traffic to and from systems. It is a security configuration where access is permitted unless the entity appears on a blocklist. It carries the risk that a false positive could block legitimate traffic.
Execution Control on Windows & Linux
Windows: Software Restriction Policies, AppLocker, Windows Defender Application Control (WDAC)
Linux: Mandatory access control (MAC), Linux Security Module (LSM). Two well-known LSMs are SELinux and AppArmor.