
Master Function-Hooking DLLs (Part 2)

Cynor Sense

Updated: Mar 1, 2024

Discover how to leverage Velociraptor and Windows Defender to identify and remediate malicious process activities using Function-Hooking DLLs. Uncover 7 essential checks with corresponding VQL queries and settings to enhance your security posture.


Uncover Hidden Threats with Function-Hooking DLLs: 7 Essential Process Activity Checks.


Let's discuss the important sub-topics under function-hooking DLLs.

Tip #1 - Monitor Process Activity


Process Activity:

  • To identify potentially malicious behavior in process activity, you can use a VQL query that looks for specific characteristics commonly associated with malicious processes. Here's an example of a VQL query that checks for processes running from unusual locations and unsigned executables:


-- Velociraptor has no pe_info() plugin and pslist() has no FullPath or executable
-- column: the executable path is Exe, and authenticode() reports the signing state.
SELECT Pid, Name, Exe, CommandLine, authenticode(filename=Exe) AS Sig
FROM pslist()
WHERE Exe != "" AND (
  -- Processes running from unusual locations (raw strings, so \\ is a literal backslash)
  (Exe =~ '''(?i)\\Users\\''' AND NOT Exe =~ '''(?i)\\AppData\\Local\\Temp\\''') OR
  (Exe =~ '''(?i)\\Windows\\Temp\\''') OR
  (Exe =~ '''(?i)\\ProgramData\\''')
) AND (
  -- Unsigned or untrusted executables (Trusted is "trusted" only for a valid signature)
  Sig.Trusted != "trusted"
)
  • This VQL query checks for processes running from unusual locations such as the Users folder (excluding the AppData\Local\Temp folder), the Windows\Temp folder, and the ProgramData folder. It also checks whether the executable is unsigned. Keep in mind that this query may yield false positives, so you should analyse the results to determine whether the detected processes are indeed malicious.

Here are a few more examples of VQL queries that can help identify potentially malicious process behavior:

  • Processes with suspicious parent-child relationships:


-- VQL has no JOIN; look each child's parent up with a second pslist() call keyed by PID.
-- A child whose parent has already exited yields no row, because pslist(pid=...) returns nothing.
SELECT * FROM foreach(
  row={ SELECT Pid AS ChildPid, Ppid AS ParentPid, Name AS ChildName, CommandLine AS ChildCmdline FROM pslist() },
  query={
    SELECT ChildPid, ParentPid, ChildName, Name AS ParentName, ChildCmdline, CommandLine AS ParentCmdline
    FROM pslist(pid=ParentPid)
  })
WHERE (ChildName =~ "(?i)^powershell.exe$" AND NOT ParentName =~ "(?i)^explorer.exe$") OR
      (ChildName =~ "(?i)^cmd.exe$" AND ParentName =~ "(?i)^svchost.exe$")

This query checks for PowerShell processes not spawned by Explorer and CMD processes spawned by svchost.exe, which can be indicative of malicious activity.
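The same two parent-child rules applied from PowerShell, as an added example that is not part of the original post: it takes one CIM snapshot of Win32_Process, resolves each process's parent by PID, and discards a "parent" that is younger than its child (a sign the PID was reused). Function and column names are ours.

```powershell
# Added example (not part of the original post): apply the two parent-child
# rules from the VQL query above using CIM, so results can be compared.
function Get-SuspiciousParentChild {
    # Take one snapshot so that parent lookups and child rows are consistent
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        # ParentProcessId is only a number: if the real parent exited and the PID
        # was reused, the candidate is younger than the child, so treat it as unknown.
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }
        $parentName = if ($parent) { $parent.Name } else { '<unknown>' }

        $suspicious = ($p.Name -ieq 'powershell.exe' -and $parentName -ine 'explorer.exe') -or
                      ($p.Name -ieq 'cmd.exe'        -and $parentName -ieq 'svchost.exe')

        if ($suspicious) {
            [pscustomobject]@{
                ChildPid      = $p.ProcessId
                ChildName     = $p.Name
                ChildCmdline  = $p.CommandLine
                ParentPid     = $p.ParentProcessId
                ParentName    = $parentName
                ParentCmdline = if ($parent) { $parent.CommandLine } else { $null }
            }
        }
    }
}

Get-SuspiciousParentChild | Format-Table -AutoSize -Wrap
```

Expect noise from the first rule: PowerShell started by a scheduled task, a service, or Windows Terminal has a parent other than explorer.exe and will be listed, and CommandLine is empty for processes owned by other users unless the session is elevated. Treat the output as a triage list, not a verdict.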

  • Processes with potentially malicious command-line arguments:


SELECT *
FROM pslist()
WHERE (
  CommandLine =~ "-exec" OR
  CommandLine =~ "hidden" OR
  CommandLine =~ "EncodedCommand" OR
  CommandLine =~ "/c"
)

This query checks for processes with command-line arguments commonly associated with malicious behavior, such as "-exec", "hidden", "EncodedCommand", and "/c".

  • Processes with high entropy (potentially encrypted or packed):


-- pe_info() and an Entropy field do not exist in VQL; YARA's math module computes file entropy.
LET HighEntropyRule = '''import "math"
rule HighEntropyPE { condition: uint16(0) == 0x5A4D and math.entropy(0, filesize) > 7.0 }'''

SELECT * FROM foreach(
  row={ SELECT Pid, Name, Exe FROM pslist() WHERE Exe != "" },
  query={ SELECT Pid, Name, Exe, Rule FROM yara(files=Exe, rules=HighEntropyRule) })

This query checks for processes with high entropy (greater than 7), which can indicate that the process is encrypted or packed, a technique often used by malware.
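To show what the threshold actually measures, here is an added example (not from the post) that computes the Shannon entropy of each running process's executable image in PowerShell and reports images above 7 bits per byte. Function names and the threshold parameter are ours.

```powershell
# Added example (not part of the original post): what "entropy > 7" measures.
# Shannon entropy in bits per byte: 0 for a constant file, 8 for uniformly
# random bytes. Packed or encrypted payloads sit close to 8; ordinary PE
# files usually land somewhere between about 5 and 6.5.
function Get-FileEntropy {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $entropy = 0.0
    $total = [double]$bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $total
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return [math]::Round($entropy, 3)
}

# Score every distinct executable image behind a running process once and
# report the images above the threshold together with the PIDs using them.
function Get-HighEntropyProcesses {
    param([double]$Threshold = 7.0)
    $groups = Get-Process | Where-Object { $_.Path } | Group-Object -Property Path
    foreach ($g in $groups) {
        try {
            $e = Get-FileEntropy -Path $g.Name
        } catch {
            # Some system images cannot be read without elevation; skip them rather than abort
            Write-Warning "Cannot read $($g.Name): $($_.Exception.Message)"
            continue
        }
        if ($e -gt $Threshold) {
            [pscustomobject]@{
                Path    = $g.Name
                Entropy = $e
                Pids    = ($g.Group.Id) -join ','
            }
        }
    }
}

Get-HighEntropyProcesses | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

The byte loop is plain PowerShell, so large images take a few seconds each; that is acceptable for a one-off check. Legitimate binaries with large compressed resources or embedded installers also score high, so a hit is a reason to look at the file's signature and origin, not a detection on its own.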


Monitoring process activity is a crucial part of malware detection. It is often unavoidable to establish which process was compromised and how. These are some of the techniques we employ in the Cynor Sense Incident Response Service. Book your Incident Response today below.

Tip #2 - Process Creation Monitoring


Process Creation:

Detect potentially malicious process creation events by monitoring process creation activity. Use the following VQL query with Velociraptor:


name: Custom.EDR.ProcessCreation
description: Collect process creation events (Security event 4688) from the event log
author: YourName
type: CLIENT
parameters:
  - name: SecurityLog
    default: C:/Windows/System32/winevt/Logs/Security.evtx
sources:
  - query: |
      -- parse_evt() is not a VQL plugin; parse_evtx() reads .evtx files and
      -- exposes each record's System and EventData sections as columns.
      SELECT System.EventRecordID AS EventRecordID,
             System.EventID.Value AS EventID,
             System.TimeCreated.SystemTime AS TimeCreated,
             EventData
      FROM parse_evtx(filename=SecurityLog)
      WHERE System.EventID.Value = 4688
        AND System.Provider.Name = "Microsoft-Windows-Security-Auditing"

VQL 2 (watch the NTFS USN journal for changes under System32):


SELECT Timestamp, OSPath, Reason FROM watch_usn(device="C:")
WHERE OSPath =~ '''(?i)\\Windows\\System32\\'''

To enable process creation monitoring with Windows Defender, you can use Group Policy settings or edit the registry. Here's how to do it using both methods:

  1. Group Policy:

    • Press Win + R, type gpedit.msc, and hit Enter to open the Local Group Policy Editor.

    • Navigate to the following path:

      Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Microsoft Defender Exploit Guard -> Attack Surface Reduction

    • In the right pane, double-click "Configure Attack Surface Reduction rules."

    • Select "Enabled," and then click "Show" in the "Options" section.

    • Add the following rule to the list:

      {D4F940AB-401B-4EFC-AADC-AD5F3C50688A}=1

    • Click "OK," then "Apply," and finally "OK" again to save the settings.

    • Close the Group Policy Editor.

    • Open an elevated Command Prompt and run gpupdate /force to force the policy update.

  2. Registry:

  1. Press Win + R, type regedit, and hit Enter to open the Registry Editor.

  2. Navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\Settings

  3. Right-click on the "Settings" key, select "New" and then "DWORD (32-bit) Value." Name the new value "D4F940AB-401B-4EFC-AADC-AD5F3C50688A."

  4. Double-click the newly created value, set the "Value data" to 1, and click "OK."

  5. Close the Registry Editor.

  6. Restart your computer for the changes to take effect.

By following the above steps, you enable process creation monitoring in Windows Defender using either Group Policy settings or the registry.
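For a single machine, or to confirm what the policy above produced, the same rule can be set and read back from an elevated PowerShell session. This is an added example, not part of the original post; it uses the rule GUID from the Group Policy step, and the function names are ours.

```powershell
# Added example (not part of the original post): enable the ASR rule from an
# elevated PowerShell session and read the effective state back. Uses the rule
# GUID from the Group Policy steps above, without the braces, which the
# Defender cmdlets do not accept. Add-MpPreference appends to the existing rule
# list; Set-MpPreference would replace it and silently drop rules set earlier.
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and Actions are parallel arrays; the action is stored as a numeric code
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{ RuleId = $ids[$i]; ActionCode = $code; Action = $names[$code] }
        }
    }
    [pscustomobject]@{ RuleId = $RuleId; ActionCode = $null; Action = 'NotConfigured' }
}

function Enable-AsrRule {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        # AuditMode only logs what the rule would have blocked: the usual first step
        [ValidateSet('Enabled', 'AuditMode', 'Warn')][string]$Action = 'Enabled'
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
    Get-AsrRuleState -RuleId $RuleId
}

# The rule the post configures through Group Policy, rolled out in audit mode first
Enable-AsrRule -RuleId 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' -Action AuditMode
```

Two caveats worth checking before relying on the result: a rule that is also managed by Group Policy takes the policy value over the local preference, and ASR rules only act while Defender real-time protection is enabled, so the Tip #4 settings below are a prerequisite.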


Tip #3 - Process Termination


Process Termination: VQL:


SELECT System.TimeCreated.SystemTime AS Time, EventData FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4689 AND System.Provider.Name = "Microsoft-Windows-Security-Auditing"

GPO: Enable Audit Process Termination in Group Policy:


Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Termination
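As an added example that is not part of the original post, the same audit subcategory switched on locally with auditpol and the resulting 4689 events read back as objects rather than message text. The subcategory is addressed by its GUID, which is identical on every language edition of Windows; function names are ours and an elevated session is required.

```powershell
# Added example (not part of the original post): enable Process Termination
# auditing on the local machine and read recent 4689 events back.
$ProcessTerminationSubcategory = '{0CCE922C-69AE-11D9-BED3-505054503030}'

function Enable-ProcessTerminationAudit {
    auditpol.exe /set "/subcategory:$ProcessTerminationSubcategory" /success:enable /failure:enable | Out-Null
    # Echo the effective setting so the change can be confirmed
    auditpol.exe /get "/subcategory:$ProcessTerminationSubcategory"
}

function Get-ProcessTerminationEvents {
    param([int]$MaxEvents = 50)
    # Get-WinEvent raises an error when no matching event exists; treat that as an empty result
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4689 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Pull the EventData fields by name instead of parsing the rendered Message
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            User        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            ProcessId   = [int]$data.ProcessId      # logged as hex text such as 0x1a2c
            ProcessName = $data.ProcessName
            ExitStatus  = $data.Status              # hex exit code; 0x0 is a normal exit
        }
    }
}

Enable-ProcessTerminationAudit
Get-ProcessTerminationEvents -MaxEvents 20 | Format-Table -AutoSize
```

A domain policy that configures the same subcategory overrides the local auditpol setting at the next refresh, so on managed hosts use the Group Policy path above and keep the auditpol call for verification only.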

Here's an example using Velociraptor to monitor process termination events and Windows Defender settings to harden the environment:


1. Monitor process termination events with Velociraptor:

VQL query:


-- watch_monitoring() only follows a named client event artifact; wmi_events() is the
-- plugin that subscribes to WMI events (their properties are exposed under Parse).
SELECT Parse.TargetInstance.Name AS Name,
       Parse.TargetInstance.ProcessId AS Pid,
       Parse.TargetInstance.CommandLine AS CommandLine
FROM wmi_events(
    query="SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'",
    namespace="root/cimv2",
    wait=60)

This query monitors process termination events using WMI event subscriptions in Velociraptor.


2. Implement process termination event remediation:

VQL query:


-- There is no Actions= argument and no Execute() plugin; to react to each event,
-- wrap the event stream in foreach() and run the remediation with execve().
SELECT * FROM foreach(
    row={
        SELECT Parse.TargetInstance.Name AS Name, Parse.TargetInstance.ProcessId AS Pid
        FROM wmi_events(
            query="SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'",
            namespace="root/cimv2",
            wait=60)
    },
    query={
        SELECT Name, Pid, Stdout, Stderr, ReturnCode
        FROM execve(argv=["powershell.exe", "-ExecutionPolicy", "Bypass", "-Command",
                          "Set-MpPreference -AttackSurfaceReductionRules_Ids <rule_id> -AttackSurfaceReductionRules_Actions Enabled"])
    })

This query monitors process termination events using WMI event subscriptions in Velociraptor and enables the specified Attack Surface Reduction (ASR) rule in Windows Defender when an event is detected. Replace `<rule_id>` with the appropriate ASR rule ID for your environment.


Note: The examples provided are for demonstration purposes and should be adjusted to fit your specific environment and requirements. Always test changes thoroughly before implementing them in a production environment.


Tip #4 - Deterring Malicious Process Access


Process Access VQL (handle-manipulation events 4658 and 4690 from the Security log):


SELECT System.TimeCreated.SystemTime AS Time, System.EventID.Value AS EventID, EventData FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE (System.EventID.Value = 4658 OR System.EventID.Value = 4690) AND System.Provider.Name = "Microsoft-Windows-Security-Auditing"

GPO: Enable Audit Process Access in Group Policy:


Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Handle Manipulation

We can use Velociraptor to monitor and remediate process access events with the following steps:

  • Harden Windows Defender:

Enable the following settings using PowerShell commands to bolster Windows Defender:


Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableNetworkProtection 0
Set-MpPreference -DisableOnAccessProtection 0

These settings enable real-time monitoring, behavior monitoring, network protection, and OnAccess protection in Windows Defender.

  • Monitor process access events with Velociraptor:

VQL query:


-- Velociraptor's wmi() plugin takes a WQL query and a namespace; watch_monitoring()
-- is not involved in a one-off snapshot like this one.
SELECT Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine
FROM wmi(query="SELECT Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine FROM Win32_Process",
         namespace="root/cimv2")

This query monitors process access events using WMI data in Velociraptor.

  • Implement process access event remediation:

VQL query:


-- As in Tip #3, react to each row with foreach() and execve(); Actions= and Execute() are not VQL.
-- Note that the remediation command runs once per process row returned by the snapshot.
SELECT * FROM foreach(
    row={
        SELECT Name, ProcessId, CommandLine
        FROM wmi(query="SELECT Name, ProcessId, CommandLine FROM Win32_Process", namespace="root/cimv2")
    },
    query={
        SELECT Name, ProcessId, Stdout, Stderr, ReturnCode
        FROM execve(argv=["powershell.exe", "-ExecutionPolicy", "Bypass", "-Command",
                          "Set-MpPreference -AttackSurfaceReductionRules_Ids <rule_id> -AttackSurfaceReductionRules_Actions Enabled"])
    })

This query monitors process access events using WMI data in Velociraptor and enables the specified Attack Surface Reduction (ASR) rule in Windows Defender when an event is detected. Replace <rule_id> with the appropriate ASR rule ID for your environment.



Tip #5: Image/Library Loaded:

VQL (DLLs loaded in each process, flagging modules without a trusted signature):


SELECT * FROM foreach(row={ SELECT Pid, Name FROM pslist() },
  query={ SELECT Pid, Name, ModuleName, ExePath, authenticode(filename=ExePath) AS Sig FROM modules(pid=Pid) WHERE Sig.Trusted != "trusted" })

GPO: Enable Audit Image Load in Group Policy:


Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation

Tip #6: Remote Thread Creation:

VQL:


SELECT System.TimeCreated.SystemTime AS Time, EventData FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4688 AND EventData.ProcessId != EventData.NewProcessId

GPO: Enable Audit Process Creation in Group Policy:


Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation

Tip #7: Process Tampering Activity:

VQL:


-- process_tampering() is not a built-in plugin; this assumes a custom client artifact of that name (hypothetical) that implements the check.
SELECT * FROM Artifact.Custom.Detection.ProcessTampering()

GPO: Enable Audit Process Creation and Audit Handle Manipulation in Group Policy (as mentioned in steps 3 and 4).


These VQL queries and settings will help you monitor various function-hooking DLL activities without specifying a particular keyword. You can then analyse the results to identify any suspicious or unexpected behaviors.


Conclusion: Function-hooking DLLs can be a significant security concern, but with Velociraptor and Windows Defender, you can detect and prevent potential threats. Implement these tips to enhance your cybersecurity posture.


Don't forget to share this article and comment below with your experience using Function-Hooking DLLs for process activity monitoring!




© 2023 Cynorsense Pvt. Ltd. All rights reserved.
