T1093 Defense Evasion — Process Hollowing

Firas Al-Koussa
Axon Technologies
Mar 3, 2020

Remote Access Trojans (RATs), one of the Swiss-army-knife tools used by attackers, saw increased usage in 2019 and continue to gain popularity in 2020. They are mainly used to read passwords from target systems, and security vendors have been catching up with the latest defense evasion techniques such tools use. A common but very efficient technique attackers use in the wild to bypass defenses is process hollowing.

Process hollowing is an advanced and evasive technique that allows attackers to bypass application whitelisting and to hide the presence of their process. A legitimate, non-malicious process is first created in a suspended state; its image is then unmapped and replaced with an image containing the malicious payload, which is then executed.

Suspended process creation
Figure 1 — Spawning a suspended process
Figure 2 — Running the reverse shell payload

Code Review

As the code below shows, the malicious application first creates a new, clean process in a suspended state. The memory content of that process is then unmapped. Next, memory is allocated in the process so that the new image to be mapped fits. The newly mapped content can be malicious shellcode that was sitting dormant in the initial executable.

Figure 3 — Creating the suspended process and writing the malicious image to it
Figure 4 — Allocating memory in the remote process

Once the process hollowing executable has run, it maps another executable’s content into memory. In this case the memory contains a reverse shell to the attacker’s machine.
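One way a defender can confirm that a process has been hollowed is to compare the PE header read from the live process with the header of the file on disk the process claims to be running: after the unmap-and-remap described above, the entry point, image size and section layout in memory no longer match the file. The following Python is an added example, not code from the post or from the processhollowing.exe sample it reviews. The PE images, field values and section names are constructed inside the script; on a real system the memory_image bytes would come from reading the process’s image base (for instance via ReadProcessMemory), which this example deliberately does not do.

```python
import struct

# Minimal PE32+ layout used by the constructed samples below. Only the
# fields a hollowing check compares are populated; everything else is zero.
DOS_HEADER_SIZE = 0x40
FILE_HEADER_FMT = "<HHIIIHH"     # Machine, NumberOfSections, TimeDateStamp,
                                 # PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"     # Name, VirtualSize, VirtualAddress, SizeOfRawData, ...
OPT_HEADER_SIZE = 240            # sizeof(IMAGE_OPTIONAL_HEADER64)


def build_pe(entry_point, image_base, size_of_image, section_names):
    """Constructed sample: just enough of a PE32+ image for parse_pe() to read."""
    e_lfanew = DOS_HEADER_SIZE
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x8664, len(section_names),
                           0, 0, 0, OPT_HEADER_SIZE, 0x22)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)            # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_point)     # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)      # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    sections = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), 0x1000, 0x1000 * (i + 1),
                    0x1000, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return dos + b"PE\x00\x00" + file_hdr + bytes(opt) + sections


def parse_pe(image):
    """Extract the header fields a hollowing check compares."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, image, fh)
    opt = fh + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled in this example")
    sect = opt + opt_size
    names = []
    for i in range(nsect):
        raw = struct.unpack_from("<8s", image, sect + 40 * i)[0]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "entry_point": struct.unpack_from("<I", image, opt + 16)[0],
        "image_base": struct.unpack_from("<Q", image, opt + 24)[0],
        "size_of_image": struct.unpack_from("<I", image, opt + 56)[0],
        "sections": names,
    }


def hollowing_indicators(disk_image, memory_image):
    """Compare the on-disk header with the header read from the live process.

    A hollowed process keeps its name and path but carries a different image,
    so these fields diverge. ImageBase is parsed but not compared: the loader
    may legitimately relocate an image under ASLR, so it is a weak signal.
    """
    d, m = parse_pe(disk_image), parse_pe(memory_image)
    return [f"{f}: disk={d[f]!r} memory={m[f]!r}"
            for f in ("entry_point", "size_of_image", "sections") if d[f] != m[f]]


# Constructed samples: the header svchost.exe would present on disk, and the
# header of a replacement image after hollowing (values are illustrative).
LEGIT_SVCHOST = build_pe(0x4C40, 0x140000000, 0x12000, [b".text", b".rdata", b".data"])
HOLLOWED_SVCHOST = build_pe(0x1000, 0x400000, 0x8000, [b".text", b".payload"])

if __name__ == "__main__":
    print("same image:", hollowing_indicators(LEGIT_SVCHOST, LEGIT_SVCHOST))
    for finding in hollowing_indicators(LEGIT_SVCHOST, HOLLOWED_SVCHOST):
        print("mismatch ->", finding)
```

A single mismatched field is enough to justify dumping the process’s memory for further analysis; the section-name difference in particular is hard for a replacement image to avoid unless it was built to mimic the original.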

Analysis and Recommendation

Using tools readily available on the infected Windows system, we can inspect the malicious process. We can see that a legitimate svchost.exe process has an established connection to the C2 server at IP address 192.168.1.29 on port 4444. This is uncommon, as svchost.exe is not expected to connect to a remote IP address on port 4444.

Process hollowing is a traditional technique used by advanced adversaries. We will use Carbon Black Response to take a closer look at the executable’s flow: which DLLs it loads, which child processes it spawns, and which network connections it establishes.

As we can see, the processhollowing.exe executable has spawned an instance of svchost.exe. After this, svchost.exe spawned a cmd.exe child process. This is uncommon behavior for svchost.exe.

Looking at processhollowing.exe, we can see that it created an svchost.exe child process, which is one indicator of compromise (IOC). Labelled ‘crossproc’, we can also see that a handle to a thread in svchost.exe was created.

A cmd.exe child process was spawned from the parent process svchost.exe, which led to a TCP network connection to the IP address 192.168.1.55 on port 4444. This is the attacker’s command and control server.

Indicators of Compromise (IOC) and Detection of the Attack

There are multiple IOCs that detect this type of attack. In Carbon Black EDR, SANS maintains its own threat intelligence feed that detects potential attacks. Please review the following:

1. The svchost.exe process being a child process of an unsigned executable.

2. PowerShell, CMD, CScript or WScript being a child process of svchost.exe.

3. The svchost.exe process being owned by a username other than the ones defined in the ruleset.

4. svchost.exe being a child process of an executable that is not in the ruleset.

cb.urlver=1&q=(childproc_name:svchost.exe digsig_result:unsigned)

cb.urlver=1&q=((process_name:powershell.exe OR process_name:cmd.exe OR process_name:cscript.exe OR process_name:wscript.exe) parent_name:svchost.exe)

cb.urlver=1&q=process_name:svchost.exe -(username:SYSTEM OR username:"NETWORK SERVICE" OR username:"LOCAL SERVICE" OR cmdline:"UnistackSvcGroup" OR cmdline:ClipboardSvcGroup OR cmdline:BcastDVRUserService)

cb.urlver=1&q=(process_name:svchost.exe parent_name:* -parent_name:services.exe -parent_name:svchost.exe -parent_name:rpcnet.exe -parent_name:rpcnetp.exe -parent_name:explorer.exe -parent_name:mrt.exe -parent_name:msmpeng.exe)
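The four rules and their queries above, implemented as a small matcher over process-start telemetry so the logic can be tested offline. This is an added example and is not code from the post, from Carbon Black or from the SANS feed. The ProcEvent record shape, the sample events (modelled on the process tree described in the analysis) and the assumption that usernames arrive as a bare account name such as SYSTEM are constructed for this illustration; the allow-lists are copied from the queries as written.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ProcEvent:
    """One process-start record in the shape an EDR might report (constructed)."""
    process_name: str
    parent_name: str
    username: str
    cmdline: str = ""
    signed: bool = True
    child_names: List[str] = field(default_factory=list)


# Allow-lists taken from the four Carbon Black queries above.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe"}
SVCHOST_USERS = {"SYSTEM", "NETWORK SERVICE", "LOCAL SERVICE"}
SVCHOST_CMDLINE_GROUPS = ("UnistackSvcGroup", "ClipboardSvcGroup", "BcastDVRUserService")
SVCHOST_PARENTS = {"services.exe", "svchost.exe", "rpcnet.exe", "rpcnetp.exe",
                   "explorer.exe", "mrt.exe", "msmpeng.exe"}


def rule1_unsigned_parent_of_svchost(ev: ProcEvent) -> bool:
    # childproc_name:svchost.exe digsig_result:unsigned
    return not ev.signed and "svchost.exe" in {c.lower() for c in ev.child_names}


def rule2_script_host_under_svchost(ev: ProcEvent) -> bool:
    # (process_name:powershell.exe OR cmd.exe OR cscript.exe OR wscript.exe) parent_name:svchost.exe
    return ev.process_name.lower() in SCRIPT_HOSTS and ev.parent_name.lower() == "svchost.exe"


def rule3_svchost_unexpected_user(ev: ProcEvent) -> bool:
    # process_name:svchost.exe minus the service accounts and per-user service groups
    if ev.process_name.lower() != "svchost.exe":
        return False
    if ev.username.upper() in SVCHOST_USERS:      # assumption: bare account name
        return False
    return not any(g.lower() in ev.cmdline.lower() for g in SVCHOST_CMDLINE_GROUPS)


def rule4_svchost_unexpected_parent(ev: ProcEvent) -> bool:
    # process_name:svchost.exe parent_name:* minus the known launchers
    if ev.process_name.lower() != "svchost.exe" or not ev.parent_name:
        return False
    return ev.parent_name.lower() not in SVCHOST_PARENTS


RULES = {
    "1 svchost spawned by unsigned binary": rule1_unsigned_parent_of_svchost,
    "2 script host spawned by svchost": rule2_script_host_under_svchost,
    "3 svchost running as unexpected user": rule3_svchost_unexpected_user,
    "4 svchost with unexpected parent": rule4_svchost_unexpected_parent,
}


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the name of every rule the event trips (empty means benign)."""
    return [name for name, check in RULES.items() if check(ev)]


# Constructed events mirroring the tree seen in the analysis, plus two benign
# svchost.exe starts to show the exclusions working.
SAMPLE_EVENTS = [
    ProcEvent("processhollowing.exe", "explorer.exe", "DESKTOP\\alice",
              signed=False, child_names=["svchost.exe"]),
    ProcEvent("svchost.exe", "processhollowing.exe", "DESKTOP\\alice"),
    ProcEvent("cmd.exe", "svchost.exe", "DESKTOP\\alice"),
    ProcEvent("svchost.exe", "services.exe", "SYSTEM", cmdline="svchost.exe -k netsvcs"),
    ProcEvent("svchost.exe", "services.exe", "DESKTOP\\alice",
              cmdline="svchost.exe -k UnistackSvcGroup"),
]


def triage(events=SAMPLE_EVENTS) -> List[Tuple[str, List[str]]]:
    """Pair each event with the rules it trips, preserving input order."""
    return [(f"{e.process_name} <- {e.parent_name}", evaluate(e)) for e in events]


if __name__ == "__main__":
    for key, hits in triage():
        print(f"{key:40} {hits or 'ok'}")
```

Note that the hollowed svchost.exe trips rules 3 and 4 at once, while the legitimate service-host starts trip nothing because of the username and command-line exclusions; when tuning such rules on a real fleet, those exclusions are where false positives and false negatives both hide.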

Axon Technologies proactively and continuously develops IOC queries that are posted on our Github page (Link).

Penetration Tester - AppSec | OSCP, eWPTXv2, CRTP, SANS GMON - Views are my own. Check the about section to reach me!