Hunting injected processes by the modules they keep


A relatively recent post showed how Metasploit’s Meterpreter module made some noise on endpoints when the migrate command was used to move the agent code into a legitimate process, spoolsv.exe in our example.
One of the things we saw in that post was that when the agent migrates, it uses commonplace injection techniques that result in three DLLs being reflectively loaded into the target process. These DLLs are not registered with the process and therefore don’t show up in the output of something like listdlls, but we were able to find them using gleeda’s memtriage in combination with Volatility’s malfind plugin. Worth mentioning again, memtriage is really useful because it facilitates some memory analysis without the need for a full memory dump. See the other post for details.
We also noted that these three DLLs have dependencies on native Windows DLLs, and these dozen or so DLLs are loaded at the time of agent migration. Depending on how long the target process has been running, these may be “late-loaded DLLs,” which could be a powerful detection. These late-loaded DLLs are registered in the process, so we can go hunting for them using something like listdlls, PowerShell’s Get-Process cmdlet or a relatively new Kansa module built around the Get-Process cmdlet — Get-ProcessesUsingModules.ps1.
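As an added example (not code from the original post or from Kansa), the following PowerShell takes a baseline of the modules registered in a process and later diffs against it, so DLLs that appear after the process was already running stand out; the function and parameter names are my own and assume an elevated session when inspecting service processes like spoolsv.exe:

```powershell
# Added example: baseline-and-diff of registered modules to surface "late-loaded DLLs".
# Only DLLs registered in the process (what listdlls shows) appear in Get-Process .Modules;
# reflectively loaded code does not, which is why we hunt for its registered dependencies.
function Get-ModuleBaseline {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    [PSCustomObject]@{
        ProcessId = $proc.Id
        Name      = $proc.ProcessName
        StartTime = $proc.StartTime   # needs elevation for processes owned by SYSTEM
        Modules   = @($proc.Modules | ForEach-Object { $_.FileName.ToLowerInvariant() })
        Taken     = Get-Date
    }
}

function Compare-ModuleBaseline {
    param([Parameter(Mandatory)]$Baseline)
    $current = Get-ModuleBaseline -ProcessId $Baseline.ProcessId
    # PIDs are reused: if the start time changed, this is a different process and
    # the baseline no longer applies.
    if ($current.StartTime -ne $Baseline.StartTime) {
        Write-Warning "PID $($Baseline.ProcessId) was restarted; take a new baseline."
        return
    }
    $known = [System.Collections.Generic.HashSet[string]]::new([string[]]$Baseline.Modules)
    foreach ($m in $current.Modules) {
        if (-not $known.Contains($m)) {
            # Each row is a DLL registered after the baseline was taken; the process
            # uptime gives a sense of how "late" the load really was.
            [PSCustomObject]@{
                ProcessId  = $current.ProcessId
                Name       = $current.Name
                Uptime     = $current.Taken - $current.StartTime
                LateModule = $m
            }
        }
    }
}

# Usage (hypothetical): baseline spoolsv.exe, wait, then re-check. Any output rows
# are DLLs that were not registered in the process when the baseline was taken.
# $b = Get-ModuleBaseline -ProcessId (Get-Process spoolsv).Id
# Start-Sleep -Seconds 600
# Compare-ModuleBaseline -Baseline $b
```

A baseline taken shortly after boot, then compared on a schedule, turns the "late-loaded DLL" observation into a repeatable check across many hosts.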
