330 Hunting Malware

Threat Hunting
Professional
Hunting Malware
S e c t i o n 0 3 | M o d u l e 0 3
© Caendra Inc. 2020
All Rights Reserved
Table of Contents
MODULE 03 | HUNTING MALWARE
3.1 Introduction 3.4 Memory Analysis
3.2 Detection Tools 3.5 Malware Analysis
3.3 Detection Techniques
THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.2

Learning Objectives
By the end of this module, you should have a better

understanding of:
✓ Malware detection tools
✓ Malware detection techniques
✓ Memory hunting and analysis
✓ The importance of malware analysis

3.1
Introduction

3.1 Introduction
Malware is not going anywhere anytime soon. Malware

authors use various tools and techniques to remain
undetected for as long as possible.
We also need various tools and techniques to hunt for

them.

3.1 Introduction
We are hunting for malware in various locations:

• Hiding in plain sight
• Injected into other processes
• In files (macros, for example)
• In email attachments
• In memory (known as Fileless malware)
• Etc.

3.1 Introduction
The tools presented in this module do not represent an

exhaustive list by no means, but remember, you’re being
trained to hunt and to take a proactive approach.
This module will reveal that there are tools available to aid
you in your hunts.

3.2
Detection Tools

3.2 Detection Tools
In this section, we will look at various tools that will aid us

in hunting for malware in our networks.
Whether it’s a Meterpreter session or a DLL injection, we

should have a plethora of tools at our disposal when we’re
hunting for specific attack signatures.

3.2.1 Detection Tools – PE Capture
The NoVirusThanks’s PE Capture tool captures PE files,

executables, DLLs, and drivers loaded into the operating
system. Any loaded executable (PE, EXE, etc.) is displayed
within the GUI, and a copy is saved in the intercepted folder
for further analysis.
The copied file is named as the hash value of the file.

Additionally, the tool will log execution events to help you
easily find a specific PE file that was previously captured.
You can download the tool here.
http://www.novirusthanks.org/products/pe-capture/ THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.10
PE Capture is also available in a service-only version.

• This will allow you to install it on multiple PCs.
• It does not have a GUI.
• The program is free for personal use only. You can
read more about the tool, and/or download the tool
here.
http://www.novirusthanks.org/products/pe-capture-service/ THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.11

Viewing the screenshot

on the right, we can see
the suspicious DLL
loaded in memory. The
GUI shows us the path
of the DLL as well as the
hash.
We can now look into

the Intercepted folder,
or the Logs folder, to
see what information is
saved for us.
In the File menu, we can either choose Open “Intercepted” Folder

or Open “Logs” Folder.
You can now analyze the exported file to see if it is benign or

malicious.
Based on the indicators shown below, we can already

confirm that this is malicious.

Reviewing the logs is useful

to determine what was
loaded onto the system
earlier that day. You might
catch something that you
didn’t know was loaded
since the GUI is displaying
information in real time.
3.2.2 Detection Tools – ProcScan.rb
ProcScan, which is written in Ruby, can be used to scan

process memory looking for code injection. Unfortunately, it
only works for 32-bit systems? applications? and does not
support 64-bit systems/applications. You can download the
tool here.
To run the tool, type the following command: ruby ProcScan.rb
https://github.com/abhisek/RandomCode/tree/master/Malware/Process THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.16

Here is the
output of the
command if
it finds code
injection:

The tool is alerting us that there is possible code injection

within thread id 2516 of the rundll32 process.
Unfortunately, the tool doesn’t give us the PID within the

same output, but this can easily be obtained using
PowerShell.

Simply type get-process or ps (alias) to retrieve a list of the

processes running on the system.

You can also confirm the thread id of the process using

PowerShell.
You can use the following command:

ps | % {$_.Name ; $_.Threads} | % {“`t{0}” –f $_.ID}}

3.2.3 Detection Tools – Meterpreter Payload
Detection
The next tool is called Meterpreter Payload Detection. As

the name of the tool implies, it will scan? all the running
processes on the system to detect Meterpreter.
https://github.com/DamonMohammadbagher/Meterpreter_Payload_Detection THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.21

Detection
You run the tool by simply executing the binary from an

elevated command prompt.

Detection
Similar to PE Capture, it’s a live capture, so the tool will

continually run and alert you of a Meterpreter session in
memory, as long as that Meterpreter session is active.

Detection
Here is the output from the tool if it detects a running
Meterpreter session in memory.

Detection
NOTE: Don’t be confused by the Thread ID displayed in the

output. This process is not the same as the one shown in
the PE Capture snapshots.

3.2.4 Detection Tools – Reflective Injection Detection
This tool was created to detect reflective DLL injections

running in memory by looking for a PE header. The program
also dumps what it finds concerning the injected process,
as well as other unlinked executable pages to the root
folder.
https://github.com/papadp/reflective-injection-detection THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.26

You run the tool by simply running the binary from an

elevated command prompt.

You may recall from the output from Meterpreter Payload

Detection that the process with a running Meterpreter
session is PID 3808.
The Reflection Injection Detection tool successfully alerts

us about this rundll32 process.

If we navigate to the root folder of the

Tool, we will find everything the tool
dumped for us, so we can further
analyze the artifacts.
Each of the files are named as the PID.

This will allow us to easily correlate the
file with its process.
You may also notice how the files

dumped from process 3808 indicate
that ‘MZ’ was found by listing that
information within the name of the
dump.
3.2.5 Detection Tools – PowerShell Arsenal
“PowerShellArsenal is a PowerShell module used to aid a

reverse engineer. The module can be used to disassemble
managed and unmanaged code, perform .NET malware
analysis, analyze/scrape memory, parse file formats and
memory structures, obtain internal system information, etc.”
https://github.com/mattifestation/PowerShellArsenal THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.30

Remember that with the previous tool, Reflective Injection

Detection, the output gives us the base address and the
PID.
To link the output from that tool and the output from
PowerShell Arsenal, we will run Reflective Injection
Detection again and capture the output. Afterward, we will
run the cmdlet Find-ProcessPEs from PowerShell Arsenal.
Output from Reflective Injection Detection
The suspicious process is ID? PID? 3624 and we see 4 base

addresses displayed in the output. Now, let's run Find-
ProcessPEs and compare the output.
In this case, the syntax is: Find-ProcessPEs –ProcessID

3624

We see that Find-ProcessPEs also

gives us the same information as
far as the base address, but this
cmdlet also gives us a bit more.

Here we can see detailed output for

the next detected PE.





3.2.6 Detection Tools – Get-InjectedThread.ps1
This PowerShell tool can aid you on the hunt to detect code
injection. This tool will scan active threads on the system. It
will retrieve the starting address of certain functions, such
as NTQueryInformationThread, and if executable code is
found, it will flag it as injected.
You can download the script here.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684283(v=vs.85).aspx THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.38

https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
3.2.6 Detection Tools – Get-InjectedThread.ps1
We will run this tool

against the same
suspicious process,
rundll32 (PID 3624).
We recommend you
conduct independent
research to fully
understand the
output from this tool.
3.3
Detection
Techniques

In this section, we will discuss various techniques to hunt

for malware within your network.
Malware authors will try various techniques to ensure that

their malware remains undetected. Most of the time,
however, the malware in the wild is reused from other
malware. This reused malware might be recompiled using a
different compiler or modified to remove/add different
functionality. In either case, there are techniques to aid us
in this hunt.
We will also look at:

• Fuzzy hashing and import hashing detection techniques
to hunt for malware that is reused and is part of an
already defined malware family.
• How to detect malware that was already executed on a

machine and to correlate various actions that took place
on the machine near the time of execution.
3.3.1 Detection Techniques – Fuzzy Hashing
Fuzzy Hashing is a technique where a program, such as

SSDeep, computes context triggered piecewise hashes
(CTPH). This technique:
• Can match inputs that have sequences of identical bytes
in the same order, although bytes in between the
sequences may be different in both content and length.
• Will divide the file into smaller pieces and examine those
smaller pieces rather than the file as a whole.
https://ssdeep-project.github.io/ssdeep/index.html THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.43
Virus Total uses SSDeep, which performs fuzzy hashing, against files that are
uploaded to the platform. The output from SSDeep is displayed when the
analysis of the uploaded file has completed.

You can read more about this technique in a paper released

by the Digital Forensic Research Workshop here. You can
also read about an example usage of SSDeep here.
SSDeep is available on GitHub, here.
http://dfrws.org/sites/default/files/session-files/paper-identifying_almost_identical_files_using_context_triggered_piecewise_hashing.pdf
https://dfir.science/2017/07/How-To-Fuzzy-Hashing-with-SSDEEP-(similarity-matching).html
https://github.com/ssdeep-project/ssdeep

3.3.2 Detection Techniques – Import Hashing
The “imphash” technique has been coined by Mandiant, and it is yet another
technique implemented by Virus Total. It’s part of the output report displayed
when a sample has been analyzed, similar to SSDeep.

“One unique way that Mandiant tracks specific threat groups'

backdoors is to track portable executable (PE) imports.
Imports are the functions that a piece of software (in this
case, the backdoor) calls from other files (typically various
DLLs that provide functionality to the Windows operating
system). To track these imports, Mandiant creates a hash
based on library/API names and their specific order within
the executable. We refer to this convention as an "imphash"
(for "import hash").”
http://blog.virustotal.com/2014/02/virustotal-imphash.html THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.47
“Because of the way a PE's import table is generated (and

therefore how its imphash is calculated), we can use the
imphash value to identify related malware samples. We can
also use it to search for new, similar samples that the same
threat group may have created and used.”
You can read more about this technique here and an open
source tool to generate PE Import Hashes here.
https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.48
https://github.com/Neo23x0/ImpHash-Generator
3.3.3 Detection Techniques – Execution Tracing
If you’re familiar with forensics, then you know about the

ShimCache. The Windows ShimCache was created to track
compatibility issues with executed programs and stores
various file metadata. You can read more about the
ShimCache here.
Five years ago, Mandiant released a tool called

ShimCacheParser to gather this metadata within Windows
machines to aid them in their investigations. The tool can
be downloaded here.
https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.49
https://github.com/mandiant/ShimCacheParser
This year, they released an updated tool called AppCompatProcessor, and it
contains some analytics to look at the execution trace artifacts obtained from
AppCompat / AmCache metadata.

You can read more about how this tool can be used to
detect Temporal Execution Correlation, Time Stacking, etc.,
here.
You can also download the tool from GitHub here.
https://www.fireeye.com/blog/threat-research/2017/04/appcompatprocessor.html THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.51

https://github.com/mbevilacqua/appcompatprocessor
3.4
Memory Analysis

3.4 Memory Analysis
Traditional file-system detection techniques are highly

unreliable when dealing with memory-resident malware, and
therefore it is necessary to perform Memory analysis to
detect malware, and also to understand what the purpose
and capabilities of the malware are.

3.4 Memory Analysis
Memory forensics can provide unprecedented visibility into

the run-time state of a system. It is possible to extract
which processes were running, open network connections,
and recently executed commands in a manner that is
independent of the system. This will reduce the chance of
sophisticated malware (rootkits for example) interfering
with the results by, for example, modifying them. Moreover,
it is likely that critical data exists in memory, such as
encryption keys and memory-resident injected code
fragments.
3.4 Memory Analysis
Malware often performs injection or system manipulation

directly in memory to avoid detection. Some of the
techniques often employed, which we'll discuss later are:
• Shellcode injection
• DLL and Reflective DLL injection
• Process hollowing
• API hooking
• Gargoyle
3.4 Memory Analysis
However, before an analyst can analyze the memory, it

needs to be acquired (also referred to as dumped, meaning
a 1:1 mapping of physical memory to a file, called a
memory image) first.
There are two approaches for acquiring memory from a

physical device:
• Hardware acquisition
• Software acquisition
3.4 Memory Analysis
Hardware acquisition has the advantage of being more

resilient against rootkit modification. It communicates
directly the memory controller with no communication to
the OS, which you may not be able to trust in the case of a
compromised system. Hardware acquisition requires a PCI
card to be installed to perform the acquisition.

3.4 Memory Analysis
Software acquisition is used to acquire the object at

\\Device \\PhysicalMemory (essentially the Windows
memory manager’s view of the system). A software tool
maps that object and reads its content, which requires
kernel mode access to read it. Among some of the
requirements for a stable tool are: OS support, memory
footprint, ability to capture reserved sections without
crashing the system, and output file support.

3.4 Memory Analysis
A drawback of using a software solution is that it will

always require process and kernel memory (for itself), as it
needs to execute and will therefore overwrite possible
evidence. Another drawback is that software solutions are
vulnerable to the previously mentioned rootkit modification
attacks.

3.4 Memory Analysis
Some of the non-commercial tools available are FTK

Imager, DumpIt, and MAGNET RAM Capture.
https://accessdata.com/product-download/ftk-imager-version-4-2-0
https://my.comae.com/
https://www.magnetforensics.com/resources/magnet-ram-capture/

3.4 Memory Analysis
Memory can always be acquired from virtual machines.

Some of the VM vendors provide the physical memory file
directly if the guest OS has been suspended, or in a
snapshot (such as VMware in a .vmem file). Sometimes,
additional user interaction is required to generate a memory
image, often performed in debugging mode (VirtualBox).
Furthermore, memory dumps can be created from a system
crash file, hibernation file, and more.

3.4 Memory Analysis
Before jumping into analysis mode, we need to outline what

it is that we flag as suspicious on a generic level.

3.4 Memory Analysis
When identifying anomalies in processes, we are interested in:

• Image name - Legitimate process? Spelled correctly?
• Full Path - Appropriate path for system executable? Running
from a user or a temp directory?
• Parent process - Is the parent process what you would
expect?
• Command line - Do the arguments make sense?
• Start time - Was the process started at boot?
• Security identifier - Do the security identifiers make sense?
Why would a system process use a user account SID?
3.4 Memory Analysis
When identifying anomalies in network activity, we are

interested in:
• Any process communicating over port 80, 443, or 8080
that is not a web browser
• Any browser not communicating over port 80, 443, or
8080
• Connections to unexplained internal or external IP
addresses
3.4 Memory Analysis
When identifying anomalies in network activity, we are

interested in (CONTINUED):
• Web requests directly to an IP addresses rather than a
domain name
• RDP connections (port 3389), especially if originating
from odd IP addresses (e.g. a static IP address assigned
to a printer)
• Why does this process have network capability?
• DNS requests for unusual domain names
3.4 Memory Analysis
Moreover, other anomalies are:

• Unlinked processes
• Loaded suspicious DLLs
• Unlinked network connections
• Unmapped memory pages with execute privileges (code
injection)
• Hooked API functions
• Known bad heuristics and signatures (e.g. YARA
signatures).
3.4 Memory Analysis
Memory analysis is performed through the use of tools

specifically designed for that purpose. Within this section,
we’ll look at these tools that will aid us in it:
• Mandiant’s (FireEye) Redline
• Volatility
• Get-InjectedThreat.ps1
• Memdump
https://www.fireeye.com/services/freeware/redline.html
https://github.com/volatilityfoundation/volatility
https://github.com/marcosd4h/memhunter

3.4.1 Memory Analysis - Redline
Redline is FireEye's free endpoint security tool that provides

host investigative capabilities to find signs of malicious
activity through memory and file analysis.
You can download Redline here.
https://www.fireeye.com/services/freeware/redline.html THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.68

With Redline, you can:

• Thoroughly audit and collect all running processes and
drivers from memory, file-system metadata, registry data,
event logs, network information, services, tasks and web
history.
• Perform Indicators of Compromise (IOC) analysis.
Supplied with a set of IOCs, the Redline Portable Agent is
automatically configured to gather the data required to
perform the IOC analysis and an IOC hit results review.
Redline is a GUI-based tool.
We can create portable agents

that can gather a live memory
capture of a computer system or
many systems. We can also
perform an IOC scan against the
memory file.
We can also load a memory

image and load saved Redline
sessions (MANs files).
This tool automates the anomaly detection process and

gives a quick overview of a particular machine’s memory to
detect rogue processes, injections, root kits, etc. using the
MRI Score Index. Although not always accurate, Redline can
still point you in the right direction with your analysis.
The next screen shot will show you the Redline interface
along with an explanation as to what MRI Scores are.
Processes View

Hierarchical Processes View

Processes > Handles

Processes > Memory Sections

Processes > Strings

Processes > Ports

Again, Redline is good to get a quick look at a machine’s

memory. This process is known as triaging. When you
triage, you’re getting a 30,000 foot view of what is going on.
If something is detected as malicious by Redline, then you

can take a closer examination with a more advanced tool,
such as Volatility.

3.4.1.1 Redline Video #1
Check out the video on Redline

– Create Standard Collector!
To ACCESS your video, go to

the course in your members
area and click the resources
drop-down in the appropriate
module line.
Note that all videos are only

available in Full or Elite
Editions of the course.
To upgrade, click LINK.

– Basic Usage!

module line.


– Create Analysis File!

module line.

Check out the video on Redline –

Detecting Code Injection!
To ACCESS your video, go to the

course in your members area
and click the resources drop-
down in the appropriate module
line.


3.4.2 Memory Analysis - Volatility
“The Volatility Framework is a completely open collection of

tools, implemented in Python under the GNU General Public
License, for the extraction of digital artifacts from volatile
memory (RAM) samples. The extraction techniques are
performed completely independent of the system being
investigated but offer visibility into the runtime state
of the system.” – Volatility on GitHub
https://github.com/volatilityfoundation/volatility THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.83

Volatility is not as user friendly as Redline, but is definitely

an excellent tool that is worth learning and getting
comfortable with. Volatility will be able to detect malicious
activity that Redline might miss.

Volatility is available for Windows, Linux, and Mac OS and is

written purely in Python. In order to perform an analysis in
Volatility, we need to specify three parameters:
• Memory dump file
• OS Profile
• Plugin (also called Module)

An Operating System profile is required because each

version of an Operating System has different definition and
implementation of memory objects, so this tells Volatility
how to treat the memory image in order to find data
structures in it.
By default, Volatility comes with all existing Windows

profiles from Windows XP to Windows 10.
The plugin is the payload of the command. It tells Volatility

what we are looking for in the memory image.
Currently, Volatility supports over 200 plugins by default,

and the analyst has the opportunity to extend Volatility’s
capabilities by developing custom plugins. Some of the
plugins are show on the next slide.


As mentioned, before starting the analysis, Volatility

requires the OS version to be specified as a command line
argument.
Often times, as an analyst, you would know that, but in the

cases you don't, a helpful plugin is "imageinfo", which
identifies (to its best capabilities) the OS version from the
memory dump itself as shown on the next slide.

When the plugin finishes executing, Volatility presents us

back with a list of potential OS profiles, sorted by the most
likely one.
In this example, the profile is "Win10x64_17134". Armed

with the profile, we can continue and begin the analysis.

One of the basic functions of Volatility is to list processes

running on the system with the plugin "pslist”. In order to
locate processes with "pslist", Volatility is locating the
doubly-linked list that keeps track of the processes in
memory, and displays them back to the user. This is the
equivalent of the processes list in task manager on a
running Windows system

Note that the output may include information on processes

that have already terminated, which includes their exit time.
This can be particularly useful in cases where a process,
such as cmd.exe, is used to start a malicious executable
and exits afterwards.
An example of this plugin is shown on the next slide.


Malware, specifically rootkits, often tries to hide its existence by

unlinking itself from this list (amongst other techniques), in
which case the process will not be shown in the output by pslist.
Fortunately, in memory, we can locate processes by other means,

such as searching through the memory dump and finding data
structures that match that of an "_EPROCESS", the representative
structure of a process in memory. By doing so, we can identify
even hidden processes. For this purpose, we have at our disposal
the plugin "psscan".
"Psscan" scans the entire memory dump and reports on any

identified objects that have the structure of an _EPROCESS.
In some cases, this plugin may return false positives, and

also processes that have finished execution some time ago
(in some occasions, even from a previous reboot).

Yet another, and even more powerful plugin that we may

utilize to identify hidden processes, is "psxview", which uses
multiple techniques for finding processes in memory. It
then reports the output in a single view by displaying
whether or not a certain process exists for each of the
detection techniques.
The next slide shows the output of "psxview“.

Note that “THP.exe” was

hidden from “pslist” among
others.

In the hunt for malicious processes, often times we attempt to

identify anomalies, such as whether a process has been started
by an expected Parent Process. For this purpose, we can utilize
"pstree" in Volatility, whose output is a dot-aligned listing as
shown on the next slide. With this view, we can identify obvious
anomalies, such as if the parent process of svchost.exe is not
services.exe. Another example would be if notepad.exe is
starting PowerShell.
Note that this plugin will not include hidden processes in its
output!
Output of “pstree”:

Volatility's "netscan" plugin traverses memory and identifies

all memory structures that represent a network connection.
Similar to "psscan", you may find false positives in its
output. However, it may also display connections which are
no longer active that are still preserved in memory.
The next thing that we'll look at is code injection. At this

point, we assume that the reader is familiar with the basic
structure of a Portable Executable (PE) file. If not, you can
refer to this link and read more about it.
https://resources.infosecinstitute.com/2-malware-researchers-handbook- THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.101
demystifying-pe-file/#gref
In general, executable code resides in the ".text" section of

a PE file, both when it’s located on disk and also when
loaded into memory. With a few exceptions, this is where
executable code should reside.
An Injected code will not show in the text section, as it will

be placed on the "heap" of a process. Let's look at the
concept of DLL Injection.
DLL Injection is the process of inserting code into a running

process. The code inserted is in the form of a Dynamic Link
Library (DLL), mainly because DLLs are meant to be loaded
as needed at run time. Although, this does not mean that
injection of other types of assembly is not possible, such as
executables or simply handwritten shellcode.

Injecting into SYSTEM process or process from another

context (eg. process of another user) requires certain
privileges (more specifically, SeDebugPrivilege, which is
required to debug and adjust the memory of another
process).
This is usually achieved through administrative rights on

the machine.
Although there are multiple varieties of code injection

techniques, the most generic one is a 4-step process where
the Win32 API is used to provide the necessary
functionality. The steps are:
1. Attach to the victim process
2. Allocate memory within the victim process
3. Copy the DLL or the DLL Path into the allocated memory
4. Instruct the process to Execute the DLL
Each of these steps is associated with one or more Win32

API function calls.
During step 3, the malware author has the option to either

inject the path of the DLL on disk and load then execute it,
or inject the DLL itself, if the allocated memory in the victim
process is large enough.

A drawback in the steps performed during the injection for

malware authors, is that the DLL that is being injected may
need to be located on disk and could potentially be caught
by Antivirus software. Through static analysis, it may be
possible to identify injection capability by just observing the
import headers of a PE file (if it is not obfuscated in some
way). Unlike a Simple DLL Injection, the power of Reflective
DLL Injection comes in that it is able to inject to and
execute directly from memory.
Reflective Injection is a special technique of code injection,

where code is injected and loaded from memory, directly in
the process itself. This type of injection is often used to
further expand the capabilities of a functionality limited
stager, by delivering additional modules only when needed.
The library loading itself is not registered in any way with
the host system, and as a result, it is largely undetectable at
both a system and process level.

Techniques of detecting code injections have been around

for a while.
One of the most famous is scanning through private

memory regions (the heap of a process) and identifying
those that have the executable bit set (RWE or RX), and/or
have no memory mapped file present on disk (unmapped
binary file).
An unmapped process binary is an indication of process

hollowing.
A detailed explanation and research on process hollowing

is available here.
https://cysinfo.com/detecting-deceptive-hollowing-techniques/ THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.110

The detective techniques mentioned so far are employed by

Volatility’s malfind plugin for detecting code injection.
Among other details, in malfind's output we can see:

• Process name and PID where injection was detected
• Offset address of where the injection was detected
• Hex, ASCII, and Disassembly view of the injected area

Injected areas that begin with the "MZ" file header are
especially interesting to us – denoting a Windows
executable file (which is the case on the picture on the next
slide). Of course, the injected area may contain
shellcode, which lacks the “MZ” header, and which requires
that the analyst further investigate to understand its
behavior and purpose.
Note: malfind's output may contain false positives.

Partial output of “malfind” – “MZ” header detected.

The following resource contains additional descriptions of

other injection techniques and their respective detection.
https://www.endgame.com/blog/technical-blog/ten-process-injection- THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.114

techniques-technical-survey-common-and-trending-process
Volatility has a plugin "yarascan" which allows you to

search for strings, patterns, and also compound rules. As
stated on its wiki page, this plugin can help you locate any
sequence of bytes (like assembly instructions with wild
cards), regular expressions, ANSI strings, or Unicode strings
in user mode or kernel memory.
You can also use a YARA rules file as an argument instead

of specifying the rule(s) on the command line.
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference- THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.115
Mal#yarascan
In some instances, you may be hunting for very

sophisticated pieces of malware (rootkits) where you have
to dig into system objects such as drivers, mutexes, and
hooked functions.

The following plugins are extremely helpful in this area:

• idt • modscan
• ssdt • driverirp
• apihooks • driverscan
• modules
An example and walkthrough of rootkit detection is

available here.
https://eforensicsmag.com/finding-advanced-malware-using-volatility/ THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.117

If any of the hunting activities identified a threat, Volatility

provides a wide range of modules that will help you extract
or rather, carve out of the memory dump all of the
malicious object(s) (process, driver, ...) for further analysis.

Further details on how to use Volatility are available on its

Wiki page, here.
Lastly, if you want to play with some memory samples and

perfect your Volatility knowledge, you can download them
from here.
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.119

https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
3.4.2.1 Hera Lab
Put what you’ve learned to
practice with the Hunting in
Memory lab!
To ACCESS your lab, go to the

and click the labs drop-down in
the appropriate module line,
then click the manual icon.
All labs are only available

in Full or Elite Editions of
the course. To upgrade, *NOTE: some courses contain several labs and manuals, please make sure to click the file icon as it may
click LINK. be a zip that contains multiple lab manuals.

3.4.3 Live System Memory Hunting
Unfortunately, getting a memory dump (from all your

systems) and performing analysis on it is rather
impractical. It is too time consuming, and therefore the
hunts are performed on a subset of hosts only.
Another obstacle is the memory size – on average, the size

is 16GB from workstations and commonly 64 GB (or more)
on servers.
3.4.3 Live System Memory Hunting
Recently, some tools have emerged that attempt to scale

memory hunting, primarily focusing on detecting injected
code on the live machine without the need of obtaining
memory dumps. The tools we’ll look into are:
• GetInjectedThread.ps1
• Memhunter
• Captain
https://github.com/y3n11/Captain

3.4.3.1 Live System Memory Hunting - Get-
InjectedThread
Get-InjectedThread is defined by the author as a tool that

can detect:
• Classic Injection
• Reflective DLL Injection
• Memory Module (similar technique to RDI)
The original presentation of the tool is available here.
https://www.sans.org/cyber-security-summit/archives/file/summit-archive- THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.123

1492714038.pdf
3.4.3.1 Live System Memory Hunting - Get-
InjectedThread
Running the script on

a compromised host
returns confirmation
of the injection and
additional information
about the process and
thread detected.

3.4.3.2 Live System Memory Hunting - Memhunter
Memhunter is a standalone binary that, upon execution,

deploys itself as a Windows service.
Once installed, it feeds data to memory inspection scanners

that use detection heuristics to locate potential attacks.

3.4.3.2 Live System Memory Hunting - Memhunter
A working PoC video of the tool is available here.

https://www.youtube.com/watch?v=t_fR1sCENkc THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.126
3.4.3.3 Live System Memory Hunting - Captain
Captain is an endpoint monitoring tool that is designed to

spot malicious events through API hooking.
Captain, among others, is cable of detecting :

• Code Injection
• Memory dump creation (e.g. dump of LSASS)
• Fileless malware
• Execution of Office macros
3.4.3.3 Live System Memory Hunting - Captain
Captain requires its 4 components to operate:

• Monitor.ps1 – Monitors for process creations and
injects Captain.dll in new processes
• Injector.exe – Used for the injection of Captain.dll
• Captain.dll – Hooks Windows API functions and outputs
events
• Behan.py – analyzes the events captured by Captain.dll
(based on provided signatures for alerting)
3.4.4 Hera Lab
Put what you’ve learned to practice

with the Hunting for Process
Injection & Proactive API Monitoring
lab!

course in your members area and
click the labs drop-down in the
appropriate module line, then click
the manual icon.

the course. To upgrade,
click LINK. *NOTE: some courses contain several labs and manuals, please make sure to click the file icon as it may
be a zip that contains multiple lab manuals.

3.4.5 Hera Lab
practice with the Advanced
Endpoint Hunting lab!



3.5
Malware Analysis

3.5 Malware Analysis
Even though malware analysis is beyond the scope of this

course, it’s still worth a mention.
Malware analysis is needed when a binary needs to be

analyzed further. We know that malware, whether it’s
packed, encrypted, etc., is in clear-text in memory, but in
order to further understand the malware, analysis is
needed.
3.5 Malware Analysis
If your security team doesn’t have a dedicated malware

analyst, then as a threat hunter, this is a skill to have. Even
if it’s basic malware analysis skills, it will be helpful.
A threat hunter is similar to a spec ops operator. No matter

what he/she encounters, he/she is trained and has the skill
to complete the task. Whether it is inspecting network
traffic, hunting for malicious files in various operating
systems, performing incident response, memory analysis,
etc., they are ready.
3.5.1 Hera Lab
Malware Part 1 lab!



3.5.2 Hera Lab
Malware Part 2 lab!



3.5.3 Hera Lab
practice with the Hunting Empire
lab!



Conclusion
This concludes this module on Hunting Malware.
We have covered:
✓ Various detection tools
✓ Various detection techniques
✓ Memory analysis tools
✓ The importance of malware analysis

References

References
PE Capture v1.2
http://www.novirusthanks.org/products/pe-capture/
PE Capture Service v1.2

http://www.novirusthanks.org/products/pe-capture-service/
RandomCode
https://github.com/abhisek/RandomCode/tree/master/Malware/Process
Meterpreter_Payload_Detection
https://github.com/DamonMohammadbagher/Meterpreter_Payload_Detection

References
reflective-injection-detection
https://github.com/papadp/reflective-injection-detection
PowerShellArsenal
https://github.com/mattifestation/PowerShellArsenal
NtQueryInformationThread function
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684283(v=vs.85).aspx
Get-InjectedThread.ps1

References
ssdeep - Fuzzy hashing program
https://ssdeep-project.github.io/ssdeep/index.html
Identifying Almost Identical Files Using Context Triggered Piecewise Hashing

http://dfrws.org/sites/default/files/session-files/paper-
identifying_almost_identical_files_using_context_triggered_piecewise_hashing.pdf
[How To] Fuzzy Hashing with SSDEEP (similarity matching)

https://dfir.science/2017/07/How-To-Fuzzy-Hashing-with-SSDEEP-(similarity-matching).html
ssdeep
https://github.com/ssdeep-project/ssdeep

References
VirusTotal += imphash
http://blog.virustotal.com/2014/02/virustotal-imphash.html
Tracking Malware with Import Hashing

https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-
hashing.html
ImpHash-Generator
https://github.com/Neo23x0/ImpHash-Generator
Caching Out: The Value of Shimcache for Investigators

https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html

References
ShimCacheParser
https://github.com/mandiant/ShimCacheParser
Evolving Analytics for Execution Trace Data

https://www.fireeye.com/blog/threat-research/2017/04/appcompatprocessor.html
appcompatprocessor
https://github.com/mbevilacqua/appcompatprocessor
Reflective DLL Injection Detection through Memhunter

https://www.youtube.com/watch?v=t_fR1sCENkc

References
Hunting In Memory
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492714038.pdf
FTK Imager
https://accessdata.com/product-download/ftk-imager-version-4-2-0
Comae Stardust
https://my.comae.com/
MAGNET RAM Capture

https://www.magnetforensics.com/resources/magnet-ram-capture/

References
Redline
https://www.fireeye.com/services/freeware/redline.html
volatility
https://github.com/volatilityfoundation/volatility
Captain
https://github.com/y3n11/Captain
memhunter

References
Volatility – Memory Samples
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Volatility Usage
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
Malware Researcher’s Handbook (Demystifying PE File)

https://resources.infosecinstitute.com/2-malware-researchers-handbook-demystifying-pe-
file/#gref
DETECTING DECEPTIVE PROCESS HOLLOWING TECHNIQUES

USING HOLLOWFIND VOLATILITY PLUGIN
https://cysinfo.com/detecting-deceptive-hollowing-techniques/
References
Ten process injection techniques: A technical survey of common
and trending process injection techniques
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-
survey-common-and-trending-process
yarascan
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#yarascan
Finding Advanced Malware Using Volatility

https://eforensicsmag.com/finding-advanced-malware-using-volatility/

Videos
Here’s a list of all videos in this module. To ACCESS your video, go to the
course in your members area and click the resources drop-down in the
appropriate module line.
Note that all videos are only available in Full or Elite Editions of the course.
Redline – Created Standard Collector
Redline – Basic Usage
Redline – Create Analysis File
Redline – Detecting Code Injection

Labs
Hunting in Memory
Lab 7.1: The organization you work for is asking you to perform memory threat hunting on a
randomly selected machine. As a hunting exercise to keep you sharp, the IT Security manager
tasked you specifically with looking for anomalous connections and memory injections.
Lab 7.2: The organization you work for is also asking you to perform memory threat hunting
on a Linux machine. As a hunting exercise to keep you sharp, the IT Security manager tasked
you specifically with looking for the existence of Linux rootkits.
Hunting for Process Injection & Proactive API Monitoring

Attackers love hiding/injecting malicious code into processes. In this lab, you will learn how
to hunt for various process injection techniques and how to leverage userland API monitoring
for more effective hunts.
*Labs are only available in Full or Elite Editions of the course. To ACCESS your labs, go to the course
in your members area and click the labs drop-down in the appropriate module line. To UPGRADE to
gain access, click LINK.
Labs
Advanced Endpoint Hunting
Inside THP you will find two (2) distinct labs on advanced hacking techniques hunting at the
endpoint level. Specifically, you will learn how to hunt for process doppelganging, AMSI
bypasses, parent PID spoofing, reflective DLL injection, module stomping etc.
Hunting Malware Part 1

Your manager, Tony, wants you to keep an eye on the machine for the administrative
assistant to the CFO. Email logs show that there has been a spike in spam emails attempting
to reach her email address. Even though she has completed the security awareness class,
Tony doesn’t want to take any chances. Tony hands you a Mandiant Analysis File to load into
Redline and see if there is anything suspicious that is running, or was running, on her
machine. After analysis, Tony, requires you to get a recent Mandiant Analysis File to analyze.
Labs
Hunting Malware Part 2
Your manager, Tony, received 2 memory files from another facility within the ISAC. These 2
memory files were from actual incidents that took place within their facility a few years ago.
Tony wants you to analyze them to see if you are able to analyze them for any signs of code
injection and/or a rootkit to prepare you to detect APT attacks.
Hunting Empire
Your manager, Tony, wants to make sure that you can detect the widely used attacking tool,
Empire. A hunting exercise has been scheduled, where you are tasked with detecting
Empire’s presence on an endpoint.

330 Hunting Malware

Uploaded by

Copyright:

Available Formats

330 Hunting Malware

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

330 Hunting Malware

Uploaded by

Copyright:

Available Formats

Threat Hunting

MODULE 03 | HUNTING MALWARE

3.1 Introduction 3.4 Memory Analysis

3.2 Detection Tools 3.5 Malware Analysis

3.3 Detection Techniques

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.2

By the end of this module, you should have a better

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.3

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.4

Malware is not going anywhere anytime soon. Malware

We also need various tools and techniques to hunt for

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.5

We are hunting for malware in various locations:

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.6

The tools presented in this module do not represent an

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.7

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.8

In this section, we will look at various tools that will aid us

Whether it’s a Meterpreter session or a DLL injection, we

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.9

The NoVirusThanks’s PE Capture tool captures PE files,

The copied file is named as the hash value of the file.

PE Capture is also available in a service-only version.

http://www.novirusthanks.org/products/pe-capture-service/ THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.11

Viewing the screenshot

We can now look into

In the File menu, we can either choose Open “Intercepted” Folder

You can now analyze the exported file to see if it is benign or

Based on the indicators shown below, we can already

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.14

Reviewing the logs is useful

ProcScan, which is written in Ruby, can be used to scan

To run the tool, type the following command: ruby ProcScan.rb

https://github.com/abhisek/RandomCode/tree/master/Malware/Process THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.16

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.17

The tool is alerting us that there is possible code injection

Unfortunately, the tool doesn’t give us the PID within the

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.18

Simply type get-process or ps (alias) to retrieve a list of the

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.19

You can also confirm the thread id of the process using

You can use the following command:

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.20

The next tool is called Meterpreter Payload Detection. As

You can download the tool here.

https://github.com/DamonMohammadbagher/Meterpreter_Payload_Detection THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.21

You run the tool by simply executing the binary from an

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.22

Similar to PE Capture, it’s a live capture, so the tool will

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.23

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.24

NOTE: Don’t be confused by the Thread ID displayed in the

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.25

This tool was created to detect reflective DLL injections

You can download the tool here.

https://github.com/papadp/reflective-injection-detection THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.26

You run the tool by simply running the binary from an

THPv2: Section 03, Module 03 - Caendra Inc. © 2020 | p.27

You may recall from the output from Meterpreter Payload