4. Interactive Sessions
• For the purposes of this section, include
s
• Login with user at the consol
e
• Remote Desktop session
s
• Screen sharing (via VNC or similar software)
5. LNK Files
• Shortcuts to
fi
le
s
• Serve as extensions to Windows Explore
r
• Windows automatically creates LNKs for every
opened
fi
l
e
• To populate "Recent Files
"
• Separate list in each user pro
fi
le
9. Jump Lists
• Right-click a
taskbar icon to
show recently used
item
s
• Word shows recent
Word
fi
les, etc.
10. Where Jump Lists are
Stored
• Not human-readable, you need tool
s
• JumpLister for Windows 7-
8
• JLECmd for Windows 10 (link Ch 12t)
11. The Recycle Bin
• Located in $Recycle.Bi
n
• Contains
fi
les deleted from the hard dis
k
• But not if deleted from removable drive
s
• Or from the Command Promp
t
• Or with Shift+Delete
16. Types of Memory
• Physical (RAM chips
)
• Page
fi
l
e
• Data moved out of RAM onto the hard dis
k
• %SYSTEMDRIVE%page
fi
le.sys
17. Crash Dumps
• Can be produced when Windows crashes with
the "Blue-Screen of Death
"
• Three level
s
• Kernel Memory Dump (default
)
• Small Memory Dump (Minidump
)
• Complete Memory Dump
18. Crash Dump Storage
• %LOCALAPPDATA%Crashdump
s
• Complete Memory Dump is most useful typ
e
• But it's rarely turned on
19. Hibernation Files
• Saves the full contents of RAM on dis
k
• %SYSTEMDRIVE%Hiber
fi
l.sy
s
• It's compressed and includes metadat
a
• Link Ch 8
t
• Volatility can parse it
23. Handles
• Used to access
fi
les, devices, and more from
softwar
e
• Can help when analyzing malwar
e
• Mutants or Mutexes are used for inter-process
communicatio
n
• To lock a resource so no other process
changes it while it's in us
e
• Used by malware to prevent re-infection
24. Handles for Zeus
• Mutant _AVIRA_2108 is a
fi
ngerprint of Zeu
s
• Link Ch 12u
27. Memory Sections
• Each process has a virtual address spac
e
• Including RAM and some disk space in the
page
fi
l
e
• The OS swaps data in and out of physical
memor
y
• Virtual Address Descriptor (VAD) tre
e
• A kernel data structure that shows how
memory is used by each process (link Ch 12v)
30. Detecting Malicious DLLs
• Check for valid digital signature
s
• Known-good or -bad hash value
s
• Evidence of process-tampering attack
s
• Malware loading a DLL surreptitiously or
running code in memory
33. Other Memory Artifacts
• Network connection
s
• Loaded driver
s
• Runs in kernel, with elevated privilege
s
• Console command histor
y
• Strings in memor
y
• Credentials
34. Page
fi
le Analysis
• Has no intrinsic structur
e
• Can search for string
s
• Be careful: antivirus and host-based intrusion
detection systems leave signatures in the
page
fi
l
e
• Suspicious IP addresses, domain names,
and malware
fi
lename
s
• Windows can clear the page
fi
le on shutdown,
but this is not its default setting
36. Process Injection
• A malicious injecting process causes a
legitimate process (injected) to load and
execute malicious cod
e
• In-memory attac
k
• Disk
fi
les do not chang
e
• Injected process has no evidence indicating
which process was responsible for the injection
37. Methods of Process
Injection
• Use Windows APIs (requires Administrator or
SYSTEM privileges
)
• Force target process to load a malicious DLL
from dis
k
• Directly write malicious code to target
process's memory and invoke a remote thread
to execute it
38. Process Replacement
• Malware launches a legitimate executable in a
suspended stat
e
• Then overwrite process memory with malicious
cod
e
• Unsuspend it to execute
39. Detecting Malicious
Injection
• Memory sections with Execute, Read and Write
permission
s
• Processes that don't match corresponding disk
fi
le
s
• Links Ch 12w, 12x
41. Finding Persistence
Mechanisms
• The injecting process needs a persistence
mechanism to survive reboot
s
• So it may be found i
n
• Auto-run keys, DLL load-order hijacking, etc.
42. Hooking
• Allows code within running processes to
intercept, modify, and view events such as
function calls and data they retur
n
• Windows provides many API mechanisms to do
thi
s
• Used by legitimate program
s
• Antivirus, host-based intrusion detection
systems, application inventory software
43. Malicious Hooking
• Rootkits use hooking to hide
fi
les, processes,
registry keys, or network connection
s
• Keyloggers may use SetWindowsHookEx to
cause a malicious DLL function to be called
whenever a keyboard event occur
s
• Or use GetAsyncKeyState to constantly check
the up/down state of keys
44. Types of Hooks
• Manipulate a process's Import Address Tabl
e
• So it calls malicious functions instead of
legitimate system function
s
• Hook kernel structures such as the Interrupt
Descriptor Table (IDT) and System Service
Dispatch Table (SSDT
)
• Prevented on modern Windows systems by
Kernel Patch Protection (KPP)
45. Zeus Hook
• The next slide shows the output of
"apihooks" (a Volatility plugin
)
• On a system infected with Zeu
s
• Shows an inline hook to the HttpSendRequestA
function imported from WinInet.dll within the
process space of lsass.exe
51. Startup Folders
• Any program or shortcut in this folder is
launche
d
• On startup or login
52. Recurring Tasks
• Use "at" or "schtasks" command
s
• To make a task that recurs at regular times or
days of the wee
k
• Future and recurring scheduled tasks persist as
.job
fi
les in %SYSTEMROOT%Tasks
53. System Binary Modi
fi
cation
• Modify existing Windows binar
y
• Typically one automatically loaded on bootup
or logi
n
• Add malicious cod
e
• Time-stom
p
• Will change MD5 hash and break signature, but
not all legitimate binaries are signed
54. Careful Modi
fi
cations
• Changes that cause Windows to crash or impair
user experience will limit the attacker's ability to
persis
t
• Attackers are more likely to replace noncritical
executables or libraries
55. Defenses
• Windows File Protection in older versions
of Windows (XP, 2000
)
• Easily bypassed by a local Administrato
r
• Replaced by Windows Resource Protection
(WRP) in Windows Vista and late
r
• Requires TrustedInstaller permissions to
alter WFP-governed resource
s
• More resistant to tampering
56. The Sticky Keys Attack
• Targets sethc.ex
e
• A
fi
le that provides accessibility feature
s
• Replace sethc.exe with cmd.ex
e
• Press Shift key
fi
ve times before logo
n
• A command shell opens with SYSTEM
privilege
s
• Even works during a Remote Desktop
Protocol session
57. • No longer works on Vista and later version
s
• But there's another way to get the same result
The Sticky Keys Attack
58.
59. DLL Load-Order Hijacking
• DLLs are loaded when a program launche
s
• But DLLs might be in many different folder
s
• "KnownDLLs" registry key lists known system
DLLs and ensures that they are always loaded
from %systemroot%System32
62. DLL Load-Order Hijacking
Works When:
• ntshrui.dll is loaded by Windows Explorer and is
vulnerabl
e
• A malicious ntshrui.dll in %systemroot% will
launch when Explorer does