The parent-child process relationship is very helpful when it comes to defining detection rules and watchlists. For instance, anytime a winword.exe spawns a cmd.exe, powershell.exe, cscript.exe, wscript.exe, mshta.exe it is an obvious anomaly that may be a sign of an Office macro-based infection.<\/p>\n
However, insert an unexpected process in-between and the rule\/watchlist fails. Perhaps for this reason, it would be nice to have EDR rulesets that can refer not only to parents, but also to ancestors of the process.<\/p>\n
Since this relationship is prone to manipulation let’s\u00a0 have a look at a couple of possible examples:<\/p>\n
rundll32 url.dll, OpenURL file:\/\/c:\\windows\\system32\\calc.exe<\/pre>\n<\/li>\n
rundll32 url.dll, OpenURLA file:\/\/c:\\windows\\system32\\calc.exe<\/pre>\n<\/li>\n
rundll32 url.dll, FileProtocolHandler calc.exe<\/pre>\n<\/li>\n
rundll32 zipfldr.dll, RouteTheCall calc.exe<\/pre>\n<\/li>\n<\/ul>\nRunning any of these commands will launch calc.exe with the rundll32.exe as a parent.<\/p>\n
Obviously, rundll32.exe is an obvious\u00a0 bad guy too. What about we copy it first?<\/p>\n
copy c:\\windows\\system32\\rundll32.exe %appdata%\\Adobe\\adobe.exe<\/pre>\nNow, we can launch:<\/p>\n
%appdata%\\adobe\\adobe.exe url.dll, OpenURL file:\/\/c:\\windows\\system32\\calc.exe<\/pre>\n<\/li>\n
%appdata%\\adobe\\adobe.exe url.dll, OpenURLA file:\/\/c:\\windows\\system32\\calc.exe<\/pre>\n<\/li>\n
%appdata%\\adobe\\adobe.exe url.dll, FileProtocolHandler calc.exe<\/pre>\n<\/li>\n
%appdata%\\adobe\\adobe.exe zipfldr.dll, RouteTheCall calc.exe<\/pre>\n<\/li>\n<\/ul>\nAnd get the very same result, this time, with the parent process being adobe.exe.<\/p>\n
If you know any other EXE\/DLL combo that can act as a proxy, I’d be grateful if you could let me know. Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"
The parent-child process relationship is very helpful when it comes to defining detection rules and watchlists. For instance, anytime a winword.exe spawns a cmd.exe, powershell.exe, cscript.exe, wscript.exe, mshta.exe it is an obvious anomaly that may be a sign of an … Continue reading