ION28 / BLUESPAWN

An Active Defense and EDR software to empower Blue Teams
GNU General Public License v3.0

Hunt T1038 and T1073 (DLL Search Order Hijacking/Sideloading) #265

Closed. ION28 closed this 4 years ago

ION28 commented 4 years ago

https://attack.mitre.org/techniques/T1038/

and

https://attack.mitre.org/techniques/T1073/ (specifically see some of the APT group examples)

Also investigate: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs (note PowerSploit-PowerUp excludes these kinds of DLLs: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1#L2369)

ION28 commented 4 years ago

https://twitter.com/SBousseaden/status/1242869201091604481?s=09

ION28 commented 4 years ago

https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/

https://twitter.com/r00t0v3rr1d3/status/1259942843709378571

ION28 commented 4 years ago

ExcludeFromKnownDlls: https://dannyda.com/2020/01/03/common-ways-to-maintaining-privilege-access-in-windows-backdoor-fileless-backdoor/

https://www.jaiminton.com/cheatsheet/DFIR/#t1038-dll-search-order-hijacking

# List the DLLs that Windows always resolves from \KnownDlls (never from the application directory)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
# Find DLLs directly under C:\Windows and C:\Windows\System32 whose Authenticode signature is not valid
gci -path C:\Windows\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gci -path C:\Windows\System32\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
# Dump every loaded module of every running process
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
# Find the processes that have loaded a specific DLL (replace {DLLNAME} with the DLL file name)
gps | ? {$_.Modules -like '*{DLLNAME}*'} | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
# Show the module list (including full paths) of the processes that loaded that DLL
$dll = gps | Where {$_.Modules -like '*{DLLNAME}*' } | Select Modules;$dll.Modules;
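The checks collected in this thread can be combined into one hunt: a DLL whose name is in KnownDLLs but is loaded from a directory other than System32, or whose Authenticode status is not Valid, is worth a look. This is an added example, not BLUESPAWN's own code; it assumes an elevated PowerShell session on Windows, and the value names it filters out (`DllDirectory`, `DllDirectory32`) are the standard entries of that key.

```powershell
# Added example (not BLUESPAWN code): hunt for DLL search order hijacking / sideloading.
# Assumes an elevated PowerShell session on Windows.

# 1. KnownDLLs: these names are always resolved from \KnownDlls (backed by System32),
#    so a same-named DLL loaded from any other directory is a strong hijack indicator.
$knownKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$knownDlls = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notin @('DllDirectory','DllDirectory32') } |
    ForEach-Object { $_.Value.ToLower() }

# 2. ExcludeFromKnownDlls removes names from that protection (the persistence trick linked above).
$smKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$excluded = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).ExcludeFromKnownDlls
if ($excluded) { Write-Warning "ExcludeFromKnownDlls is set: $($excluded -join ', ')" }

$system32 = "$env:SystemRoot\System32".ToLower()
$sigCache = @{}   # path -> signature status, so each file is checked once

# 3. Walk every loaded module of every process and record why it looks suspicious.
$findings = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # protected/system processes deny access
    foreach ($m in $mods) {
        $path = $m.FileName
        if (-not $path) { continue }
        $name = [IO.Path]::GetFileName($path).ToLower()
        $dir  = [IO.Path]::GetDirectoryName($path).ToLower()
        $reasons = @()
        if ($knownDlls -contains $name -and $dir -ne $system32) {
            $reasons += 'KnownDLL name loaded outside System32'
        }
        if (-not $sigCache.ContainsKey($path)) {
            $sigCache[$path] = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        if ($sigCache[$path] -ne 'Valid') { $reasons += "Signature: $($sigCache[$path])" }
        if ($reasons) {
            [pscustomobject]@{
                Process = $p.ProcessName; PID = $p.Id; Module = $path; Reason = ($reasons -join '; ')
            }
        }
    }
}
$findings | Sort-Object Module -Unique | Format-Table -AutoSize
```

Signature status other than Valid is a triage lead rather than proof; third-party software that ships unsigned DLLs will show up here, so the KnownDLL-outside-System32 hits are the ones to review first.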