Process Hunting Toolkit

Abhijit Mohanta
May 8, 2024

Most of the time, threat hunting is initiated by looking at network logs or IDS/IPS logs. But relying only on network logs may not be enough, as malware uses covert channels for communication, or the IDS/IPS devices might not have signatures to catch the malicious traffic. So threat hunting on endpoints is equally important. Usually threat hunters look at ETW logs on endpoints or at files detected as malware on the endpoint. It is also important to identify malicious processes, or malicious code injected into legitimate processes, which can be done by scanning processes. Process scanning can also identify fileless malware and processes spawned from packed malware. Here is our “Process Hunting Toolkit”, which can help threat hunters and incident responders inspect processes and hunt down malicious processes, code injections and fileless malware on Windows. The toolkit relies on anomalies in process attributes, memory scanning and finding injected code on endpoints.

You can download the binaries for the tool from the following link: https://github.com/intelliroot-tech/ProcessHuntingToolkit (please download all the binaries in the repo).

The zip contains executables with the following functionalities:

  • ProcMemScanner_Beta.exe - hunts for malicious patterns in process memory
  • procAnomalyScanner_Beta.exe - detects suspicious processes based on basic process attributes
  • Injected_Code_Hunter_x64.exe/Injected_Code_Hunter_x86.exe - hunts through all processes for code injections

Below are the details of the working principle of these executables.

Memory Scanning

Memory scanning is a technique in which the virtual memory of processes is scanned for malicious patterns. It can be used to detect fileless malware, and it can also detect packed malware once the malware is executed and its real code is present in memory. The advantage of memory scanning is that it can detect malware with accurate nomenclature, which helps attribute malware to threat actors. We have talked about memory scanning in one of our older articles here: https://www.intelliroot.com/resource-library/tools/yaraedr

Here are some advantages of a memory scanner over the file-based malware scanners used by antiviruses and other EDR products:

  • Detecting packed/obfuscated malware - Packed malware can be detected by memory scanners once it is executed, provided a memory signature exists for it.
  • Fileless malware detection - We see a lot of attacks these days which are fileless. These kinds of attacks render file-based signatures useless, whereas memory signatures remain effective against fileless attacks.
  • Minimal signature updates - Antiviruses need to update file-based signatures very frequently, almost every day, even for the same malware variant, as malware authors can create millions of new files from the same malware using polymorphic packers. These files differ from each other in content, but upon execution they exhibit the same behavior and have the same contents in memory. This does not happen with memory signatures: a single memory signature can detect almost all variants of the malware. For example, to detect WannaCry based on file signatures, antiviruses need to update their signatures almost every day, but a single memory-based signature can detect all variants of WannaCry.
  • Detection accuracy - Memory signatures are accurate, with minimal false positives, as they are mostly signature-based and detections rely mostly on the decrypted content in memory. The flip side is that they cannot detect unknown malware families; the workaround for this is the use of heuristic memory signatures.
  • Threat attribution and malware nomenclature - File-based signatures are not accurate in naming malware, as the signatures are written on packed binaries. Memory signatures can identify malware accurately, as a given malware variant has the same contents in memory even if different packers are used to pack it. Hence memory scanning can be used to give malware accurate names. Specific malware families are often associated with specific threat actors, so if the malware is identified with an accurate name, the threat actor can also be identified.

Almost every antivirus and EDR has a memory scanner, but memory scanning is a costly algorithm and it impacts system performance. Hence, in endpoint products, memory scanning is most often disabled or triggered only under very specific conditions. Recently some endpoint products have developed more efficient memory scanners with hardware assistance features like Intel TDT (Threat Detection Technology), but this may limit the memory scanning capability to systems with specific CPUs and specific CPU versions.

After analyzing a lot of malware, looking into their memory attributes, and taking into consideration the attributes of virtual memory on the Windows operating system, we developed a lightweight memory scanner. ProcMemScan_Beta.exe is the binary that scans memory. The scanner currently uses the yara library for pattern matching, but it can be replaced with other pattern matching algorithms as well. ProcMemScan_Beta.exe requires two files to work: “whitelist_process.txt” and “sign.dat”. You can list the process binaries which you do not want to be scanned in whitelist_process.txt. “sign.dat” contains the memory signatures used to detect malware. The rules are written with performance in mind. As of now sign.dat has rules for the following malware families and can detect only these:

  • AgentTesla 
  • Blacknet RAT
  • XWorm RAT
  • Redline Stealer
  • Stealc stealer
  • Formbook
  • LummaStealer

We will be providing more signature updates. If you want rules for special purposes, please reach out to us. We can provide rules and customization to detect APT malware.

To test the scanner, paste the string “ScannerTestX5O-TEST-Mem” into Notepad and then execute ProcMemScan_Beta.exe in administrator mode. Notepad should be detected as “mal_scanner_test”, as shown in the image below, and a log file named MemScanLogs.txt containing the detection will be created in the logs folder.


Fig: testing memory scanner

In order to scan the processes of the entire system, ProcMemScan_Beta.exe needs to be executed in administrator mode. After scanning, you will see the detected processes on the command line. You will also see logs created in the logs folder in the file MemScanLogs.txt.

The scanner can be configured to scan the system periodically by putting it into Scheduled Tasks, but it must run in administrator mode. In future versions we will push the logs to a SIEM.
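As an added illustration of the scanner's inputs and flow (example code written for this post, not the toolkit's own source, which is not shown here), the Python below mimics whitelist_process.txt and a sign.dat rule using plain byte patterns over a constructed snapshot of process memory regions; the rule name, the region layout and the file formats are assumptions. It matches the test string in both ASCII and UTF-16 form, because Notepad's edit buffer holds UTF-16, which a yara rule would express with the `wide` modifier.

```python
import re
from collections import namedtuple

# Constructed stand-ins for the two input files (not the real sign.dat format).
WHITELIST_TXT = "MsMpEng.exe\nexplorer.exe\n"
TEST_STRING = b"ScannerTestX5O-TEST-Mem"
RULES = {
    # Like a yara string marked "ascii wide": Notepad's buffer is UTF-16, so ASCII alone would miss it.
    "mal_scanner_test": [re.escape(TEST_STRING),
                         re.escape(TEST_STRING.decode().encode("utf-16-le"))],
}
# One virtual memory region: state is MEM_COMMIT/MEM_RESERVE/MEM_FREE, protect is a
# PAGE_* constant name, data is the region contents (empty when unreadable).
Region = namedtuple("Region", "pid image base state protect data")

def load_whitelist(text):
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def scannable(region):
    # Only committed, readable, non-guard pages hold matchable content; skipping the
    # rest is the cheap first filter that keeps a memory scanner lightweight.
    return region.state == "MEM_COMMIT" and region.protect not in ("PAGE_NOACCESS", "PAGE_GUARD")

def scan(regions, rules, whitelist):
    # Returns (pid, image, rule name, virtual address) for every rule that matches.
    hits = []
    for r in regions:
        if r.image.lower() in whitelist or not scannable(r):
            continue
        for name, patterns in rules.items():
            for pat in patterns:
                m = re.search(pat, r.data)
                if m:
                    hits.append((r.pid, r.image, name, r.base + m.start()))
                    break  # one hit per rule per region is enough
    return hits

# Constructed snapshot: Notepad holds the test string as UTF-16; explorer.exe holds
# it in ASCII but is whitelisted; the reserved region has nothing to read.
SAMPLE = [
    Region(4120, "notepad.exe", 0x1F0000, "MEM_COMMIT", "PAGE_READWRITE",
           b"\x00" * 16 + TEST_STRING.decode().encode("utf-16-le")),
    Region(4120, "notepad.exe", 0x7FF000, "MEM_RESERVE", "PAGE_NOACCESS", b""),
    Region(1234, "explorer.exe", 0x200000, "MEM_COMMIT", "PAGE_READWRITE", TEST_STRING),
]

if __name__ == "__main__":
    for pid, image, rule, addr in scan(SAMPLE, RULES, load_whitelist(WHITELIST_TXT)):
        print(f"{image} (pid {pid}) detected as {rule} at {addr:#x}")
```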

Process Anomaly Scanner

Windows system processes like svchost.exe and services.exe have some basic attributes, such as their parent PID, executable path and number of instances. If any process violates these basic attributes, it is treated as suspicious. Here are some of the basic attributes which we can use to identify suspicious processes on a Windows system:

  • Windows system processes like smss.exe, services.exe, svchost.exe, winlogon.exe and explorer.exe should run from C:\windows\system or C:\windows\sysWOW64
  • The parent of svchost.exe should be services.exe
  • There should be 1 instance each of services.exe, winlogon.exe, explorer.exe and smss.exe, and 2 instances of csrss.exe. There can be any number of svchost.exe instances.
  • Malware often drops executables into the AppData and Temp folders and runs binaries from there.
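Here is an added example (written for this post, not procAnomalyScanner's own code) that applies the rules listed above to a constructed process snapshot; the PIDs, names and paths are made up. It assumes the standard locations C:\Windows\System32 and C:\Windows\SysWOW64 for the path check and leaves explorer.exe out of that check, since that binary lives directly under C:\Windows.

```python
from collections import Counter

# Locations and instance counts the rules expect (assumed standard locations).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_PROCS = {"smss.exe", "csrss.exe", "services.exe", "svchost.exe", "winlogon.exe"}
# Caveat: csrss.exe and winlogon.exe are per session, so extra logon/RDP sessions raise these.
EXPECTED_COUNT = {"smss.exe": 1, "services.exe": 1, "winlogon.exe": 1, "explorer.exe": 1, "csrss.exe": 2}
USER_DIRS = ("\\appdata\\", "\\temp\\")

def find_anomalies(procs):
    """procs: list of (pid, ppid, name, image path). Returns (pid, name, reason) findings."""
    by_pid = {pid: name for pid, _, name, _ in procs}
    counts = Counter(name.lower() for _, _, name, _ in procs)
    findings = []
    for pid, ppid, name, path in procs:
        lname, lpath = name.lower(), path.lower()
        if lname in SYSTEM_PROCS and not lpath.startswith(SYSTEM_DIRS):
            findings.append((pid, name, f"system process running from {path}"))
        if lname == "svchost.exe" and by_pid.get(ppid, "").lower() != "services.exe":
            parent = by_pid.get(ppid, "<gone>")
            findings.append((pid, name, f"parent is {parent} (pid {ppid}), expected services.exe"))
        if any(d in lpath for d in USER_DIRS):
            findings.append((pid, name, f"executing from user-writable location {path}"))
    for name, expected in EXPECTED_COUNT.items():
        if counts[name] != expected:
            findings.append((0, name, f"{counts[name]} instance(s) running, expected {expected}"))
    return findings

# Constructed snapshot of a typical session with two suspects at the end.
PROCS = [
    (4, 0, "System", ""),
    (400, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    (520, 400, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    (600, 400, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    (640, 560, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    (700, 560, "services.exe", r"C:\Windows\System32\services.exe"),
    (900, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1120, 700, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    (3300, 640, "explorer.exe", r"C:\Windows\explorer.exe"),
    (4100, 3300, "svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe"),  # lookalike
    (4200, 3300, "updater.exe", r"C:\Users\bob\AppData\Local\Temp\updater.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in find_anomalies(PROCS):
        print(f"[pid {pid or '-'}] {name}: {reason}")
```

The lookalike svchost.exe trips three rules at once (path, parent and user-writable location), which is the kind of stacked signal worth prioritising during a hunt.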

The binary procAnomalyScanner_Beta.exe can be used to scan for the above anomalies. Right now it is limited to a few processes, but we are going to expand the checks to other processes soon. The screenshot below shows a binary executing from the AppData folder.

Fig: procAnomalyScanner_Beta.exe

Injected Code Hunter

A lot of malware injects malicious code into clean system processes and executes it from inside those legitimate processes in order to bypass detection. Our tool Injected_Code_Hunter_x64.exe/Injected_Code_Hunter_x86.exe can scan the system for injected code. We have already blogged about this earlier: https://intelliroot.com/resource-library/tools/injectedcodehunter. Below is a screenshot of the tool.

Fig: Injected_Code_Hunter_x86.exe/Injected_Code_Hunter_x64.exe

Conclusion

The toolkit can be used for malware analysis, sandbox automation, threat hunting and incident response. Note that the toolkit is not meant to replace antiviruses and EDRs, but it can certainly be helpful in cases where their detections are missed. The tool can only detect malware; it does not have the ability to block it. The tools are still in beta, so please let us know if you find any bugs. If you want a custom version of the tool, or signatures for our memory scanner, please reach out to us.

Intelliroot’s products, services and tools help secure organizations against cyber attacks. We offer VAPT, Incident Response, Threat Hunting and Malware Analysis services. To know more about us, visit our main web page.