Hunting Code Injection


Today we are going to explore how we can see the NEW_REMOTE_THREAD event on Windows using LimaCharlie. This event gets emitted every time a process creates a remote thread in another process.

Those familiar with Windows malware will recognize this as a basic element of many code injection methods, such as Reflective DLL Injection.

This event carries the originating and target process IDs, their atoms (LimaCharlie's globally unique process identifier and relationship ID) and the ID of the new thread.

Begin looking at these events with a simple detect-and-report rule. Once the detection is reported, the response rule does the following:

  1. Get the detailed history of the last few minutes (file writes, network, etc).

  2. Get the memory map of the source and target process, where injected code may show up as a Read+Write+Execute (RWX) memory region.

  3. List the strings in memory of the source and destination process. Anything that was obfuscated on disk, such as domains, file names or command-and-control servers, may be recoverable in cleartext from memory right away.
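As an added example of triaging what steps 2 and 3 return (this is not LimaCharlie code, and it does not use the real mem_map or mem_strings output format), the script below assumes a simplified memory map of one dict per region with a three-letter protection string, plus a constructed list of memory strings. It flags RWX regions that are not backed by a loaded image and pulls URL, hostname and IPv4 indicators out of the strings while skipping tokens that are really file names.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample memory map. The field names and the "RWX" / "R-X"
# protection notation are this example's own assumption, not LimaCharlie's
# mem_map format.
SAMPLE_MEM_MAP: List[Dict] = [
    {"base": 0x7FF6A0000000, "size": 0x1000, "protect": "R--", "type": "image",
     "path": "C:\\Windows\\explorer.exe"},
    {"base": 0x7FF6A0001000, "size": 0x9000, "protect": "R-X", "type": "image",
     "path": "C:\\Windows\\explorer.exe"},
    {"base": 0x7FFA12340000, "size": 0x4000, "protect": "R-X", "type": "image",
     "path": "C:\\Windows\\System32\\kernel32.dll"},
    {"base": 0x1E0C0000000, "size": 0x10000, "protect": "RW-", "type": "private",
     "path": ""},
    # Private, RWX, no backing file: the classic footprint of injected code.
    {"base": 0x1E0C0100000, "size": 0x21000, "protect": "RWX", "type": "private",
     "path": ""},
]

# Constructed sample of strings recovered from the same process.
SAMPLE_STRINGS: List[str] = [
    "kernel32.dll", "LoadLibraryA", "GetProcAddress",
    "https://update.example.invalid/gate.php",
    "10.20.30.40", "C:\\Users\\Public\\drop.tmp", "Mozilla/5.0",
]


def is_rwx(protect: str) -> bool:
    """True when a region is readable, writable and executable at once."""
    p = protect.upper()
    return "R" in p and "W" in p and "X" in p


def find_suspicious_regions(regions: Iterable[Dict]) -> List[Dict]:
    """Return RWX regions that are not backed by an image on disk.

    Shellcode and reflectively loaded DLLs typically live in such private
    allocations. JIT runtimes (.NET, browsers) allocate RWX legitimately too,
    so treat each hit as a lead to confirm with the strings, not a verdict.
    """
    return [r for r in regions if is_rwx(r["protect"]) and r["type"] != "image"]


# Suffixes that make a dotted token a file name rather than a hostname.
FILE_SUFFIXES = {"dll", "exe", "sys", "pdb", "tmp", "dat", "ini", "log", "php", "txt"}
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_indicators(strings: Iterable[str]) -> Dict[str, Set[str]]:
    """Pull URLs, hostnames and IPv4 literals out of memory strings."""
    found: Dict[str, Set[str]] = {"urls": set(), "domains": set(), "ips": set()}
    for s in strings:
        found["urls"].update(URL_RE.findall(s))
        for dom in DOMAIN_RE.findall(s):
            # "kernel32.dll" and "gate.php" match the hostname shape; drop them.
            if dom.rsplit(".", 1)[-1].lower() not in FILE_SUFFIXES:
                found["domains"].add(dom.lower())
        for ip in IPV4_RE.findall(s):
            if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
                found["ips"].add(ip)
    return found


def triage(regions: Iterable[Dict], strings: Iterable[str]) -> Dict:
    """Combine both checks into one summary for the analyst."""
    hits = find_suspicious_regions(regions)
    return {"rwx_private_regions": hits,
            "indicators": extract_indicators(strings),
            "worth_escalating": bool(hits)}


if __name__ == "__main__":
    summary = triage(SAMPLE_MEM_MAP, SAMPLE_STRINGS)
    for r in summary["rwx_private_regions"]:
        print(f"RWX private region at {r['base']:#x} size {r['size']:#x}")
    for kind, values in summary["indicators"].items():
        print(f"{kind}: {sorted(values)}")
    print("escalate:", summary["worth_escalating"])
```

The region filter is deliberately narrow (RWX and not image-backed) so that normal executable sections of loaded DLLs never trip it; widen it to RW regions that later turn RX only once you have the timeline from history_dump to correlate against.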

And that is hunting code injection with LimaCharlie. Documentation, along with the detection and response rules, can be found below. Please do not hesitate to contact us if you have any questions.

Happy hunting!


Rules documentation: http://doc.limacharlie.io/en/master/dr/

Commands documentation: http://doc.limacharlie.io/en/master/sensor_commands/

The Detection Rule:

```yaml
# Match every NEW_REMOTE_THREAD event coming from a Windows sensor.
op: is windows
event: NEW_REMOTE_THREAD
```

The Response Rule:

```yaml
# Report the detection, then task the sensor with the three follow-up steps.
# <<routing/parent>> is the atom of the source (thread-creating) process,
# <<event/TARGET_ATOM>> the atom of the process the thread was created in.
- action: report
  name: remote_thread
- action: task
  command: history_dump
- action: task
  command:
    - mem_map
    - --processatom
    - <<routing/parent>>
- action: task
  command:
    - mem_map
    - --processatom
    - <<event/TARGET_ATOM>>
- action: task
  command:
    - mem_strings
    - --processatom
    - <<routing/parent>>
- action: task
  command:
    - mem_strings
    - --processatom
    - <<event/TARGET_ATOM>>
```


Christopher Luft

My name is Christopher Luft and I am an artist turned computer scientist turned something else.