Introduction

Malware often abuses legitimate, signed executables to load malicious DLLs, so that its code runs inside a trusted process and slips past security controls. One way to achieve this is DLL hijacking: the attacker places a malicious DLL somewhere a legitimate executable will look for it first (typically the application's own directory, which sits ahead of the system directories in the Windows DLL search order), so the loader picks it up instead of the real library. Once loaded, the DLL runs with the privileges of the host process and gives the attacker a foothold on the system. This is a hard threat to detect and defend against, because the activity is performed by a legitimate process and looks like normal behaviour to security software.

What comes to mind when you hear "modules" or "DLLs" in the world of DFIR? Volatility? It is a fantastic tool for digging into loaded DLLs, handles and so on, but it is not exactly scalable across a fleet. SANS FOR532 is trying to bridge that gap, and it does look like an interesting course!

Anyway, for day-to-day investigations, EDR is our bread and butter. This is a quick and dirty post put together to walk you through two interesting incidents as examples. It is not always obvious, but if you suspect wrongdoing involving DLLs or device drivers, there is no harm in sweeping for outliers.

Know your Tools

Understanding the techniques involved is half the battle, but you are always going to rely on one tool or platform or another to unearth malicious activity in an environment.

I had the privilege of playing around with SentinelOne's newest Deep Visibility data types:

In layman's terms, S1 has made it easier (and quicker!) to investigate suspicious DLLs or kernel drivers being loaded by legitimate or suspicious executables.

By comparison, Carbon Black has the modload event type, which records exactly the same thing.

The 3CX Fiasco

If you're reading this, I'm pretty sure you are already familiar with the attack.

SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack - SentinelOne

At its core, an update pulled by the 3CX desktop software delivered a tampered MSI installer that drops a trojanized ffmpeg.dll alongside a d3dcompiler_47.dll carrying the encrypted payload. None of this was dropped by an attacker after the fact: the tampering happened in 3CX's own build pipeline, so the installer and the DLLs all carried valid code signatures.

The green box in the image is where we can focus our attention to detect the activity: a legitimate executable loading a module it should not be loading. This is where SentinelOne's Deep Visibility (or any EDR that records module and driver loads) can help identify suspicious DLLs or kernel drivers being loaded by legitimate or suspicious executables.
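Added example, not code from the original post nor from SentinelOne or Carbon Black: the same two lookups an EDR lets you do, done offline in Python over a handful of constructed module-load events in an export-like shape. The field names (host, process, process_path, module_path), the sample paths and the short list of well-known DLL names are all assumptions for this example. `flag_outliers` marks a load where a DLL with a well-known Windows name comes from outside the system directories, or where any DLL comes from a user-writable path; `loaders_of` works backwards from known-bad DLL names to the processes that loaded them, which is what Option 1 below does with an EDR query.

```python
"""Offline triage of module-load telemetry (added example, constructed data)."""
import ntpath
from collections import defaultdict

# Constructed sample events. Field names are an assumption for this example,
# not a real SentinelOne Deep Visibility or Carbon Black schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "3CXDesktopApp.exe",
     "process_path": r"C:\Program Files\3CX Desktop App\app\3CXDesktopApp.exe",
     "module_path": r"C:\Windows\System32\ntdll.dll"},
    {"host": "ws01", "process": "3CXDesktopApp.exe",
     "process_path": r"C:\Program Files\3CX Desktop App\app\3CXDesktopApp.exe",
     "module_path": r"C:\Program Files\3CX Desktop App\app\ffmpeg.dll"},
    {"host": "ws01", "process": "3CXDesktopApp.exe",
     "process_path": r"C:\Program Files\3CX Desktop App\app\3CXDesktopApp.exe",
     "module_path": r"C:\Program Files\3CX Desktop App\app\d3dcompiler_47.dll"},
    {"host": "ws02", "process": "notepad.exe",
     "process_path": r"C:\Windows\System32\notepad.exe",
     "module_path": r"C:\Windows\System32\kernel32.dll"},
    # Classic search-order hijack: a system DLL name loaded from %TEMP%.
    {"host": "ws02", "process": "notepad.exe",
     "process_path": r"C:\Windows\System32\notepad.exe",
     "module_path": r"C:\Users\bob\AppData\Local\Temp\version.dll"},
]

# Directories where Windows' own DLLs legitimately live (lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# Substrings that indicate a path an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("c:\\users\\", "\\temp\\", "c:\\programdata\\")
# Short, constructed list of DLLs that ship with Windows and are frequently
# targeted for search-order hijacking; extend it from your own baseline.
WELL_KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll",
                          "cryptsp.dll", "ntdll.dll", "kernel32.dll"}


def _norm(path):
    """Normalise a Windows path for comparison (backslashes, lower case)."""
    return path.replace("/", "\\").lower()


def flag_outliers(events):
    """Return loads that look like hijacks based on where the DLL came from."""
    findings = []
    for ev in events:
        mod = _norm(ev["module_path"])
        name = ntpath.basename(mod)
        in_system_dir = mod.startswith(SYSTEM_DIRS)
        reasons = []
        if name in WELL_KNOWN_SYSTEM_DLLS and not in_system_dir:
            reasons.append("system DLL name loaded from non-system path")
        if any(marker in mod for marker in USER_WRITABLE_MARKERS):
            reasons.append("DLL loaded from user-writable location")
        if reasons:
            findings.append({"host": ev["host"], "process": ev["process"],
                             "module": ev["module_path"], "reasons": reasons})
    return findings


def loaders_of(events, bad_dll_names):
    """Work backwards: map each known-bad DLL name to the processes loading it."""
    wanted = {n.lower() for n in bad_dll_names}
    loaders = defaultdict(set)
    for ev in events:
        name = ntpath.basename(_norm(ev["module_path"]))
        if name in wanted:
            loaders[name].add((ev["host"], ev["process"], ev["process_path"]))
    return {name: sorted(procs) for name, procs in loaders.items()}


if __name__ == "__main__":
    for finding in flag_outliers(SAMPLE_EVENTS):
        print("OUTLIER", finding)
    for dll, procs in loaders_of(SAMPLE_EVENTS, ["ffmpeg.dll", "d3dcompiler_47.dll"]).items():
        print("LOADED BY", dll, procs)
```

Note what the path heuristics do not catch: the ffmpeg.dll and d3dcompiler_47.dll loads look perfectly ordinary, because an Electron application legitimately loads ffmpeg.dll from its own directory. A trojanized, validly signed copy in the expected location is invisible to outlier logic and has to be found by pivoting on the known-bad name, hash or signer, which is the working-backwards approach. Expect noise from per-user installs (AppData\Local\Programs) on the user-writable rule; baseline those before sweeping a fleet.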

Brilliant Illustration by Thomas Roccia

Option 1 - Working Backwards

If we know the malicious artifacts, such as the DLL names, we can work backwards to find which applications or executables are loading them into memory: