Categorized under the MITRE ATT&CK framework as a sub-technique of T1055 (used for the Defense Evasion and Privilege Escalation tactics), process hollowing is a well-understood and widely used technique that malware uses to avoid detection. The infamous LokiBot infection chain uses process hollowing to bypass User Account Control (UAC).
The good news and the bad news!
Luckily, most anti-viruses, such as Windows Defender, can flag process hollowing.
So, everything is great, right?
Should we end the blog here? It turns out that in the real world things are more complex. Security and usability are always at loggerheads, and settings must be tweaked to achieve a balance. Users and administrators sometimes need to sacrifice security for usability (or may not realize they already have). Directories are often excluded from scanning. Periodically, during upgrades, anti-viruses may be temporarily disabled. All of this provides opportunities for attackers to use process hollowing.
It is critical that we reduce the window of attack by ensuring that the anti-virus has maximum coverage. However, there are still cases where compromises must be made. Even if the settings are appropriate, it is not unusual for adversaries to evade the anti-virus protections through innovative means.
EclecticIQ Endpoint Response to The Rescue
EclecticIQ Endpoint Response can help to monitor systems for process hollowing when antivirus settings are relaxed, and it does not depend on any pre-determined set of signatures to do so. So how do we do it?
It starts with our belief that ‘collaboration’ should be at the core of security, which begins by weaving tools of different capabilities into a unified fabric. At the core of our agent is the open-source osquery tool, extended with our extension. This further leverages another tool called ‘pe-sieve’, created by security researcher hasherezade (@hasherezade on Twitter), for the detection of advanced in-memory techniques such as process hollowing, process doppelgänging, and reflective DLL injection. As a result, a pe-sieve scan of one or more processes can be invoked with a simple SQL query on the endpoints in the enterprise. Additionally, the tight coupling of osquery and EclecticIQ Endpoint Response gives the analyst more power to correlate different data points and identify patterns.
Seeing is Believing
Let us walk through an example of an attack that uses process hollowing. The tool reports that it has successfully hollowed out a process. The payload, in this case, displays a dialog box that states hello.
At this stage, it doesn’t look too bad. Let’s navigate up the process tree. We use Process Explorer to locate the entry for the dialog box that just popped up; Process Explorer has a handy tool that makes it easier to find the process that launched a UI element. Here we can see that ProcessHollowing.exe appears to have started svchost.exe, but that svchost.exe has been hollowed out and replaced with payload code.
Because EclecticIQ Endpoint Response was running on the system on which we ran this demonstration, an alert was generated.
Fig: Alerts Dashboard
Clicking on the ‘Alerted Entry’ and ‘Investigate’ will reveal additional details on the set of activities that led to this alert.
Fig: Alerted Entry
Note that svchost.exe was launched by ProcessHollowing.exe. Clicking on the “Investigate” icon of the “Alerts” page gives us a more detailed view of the activity.
Fig: Timeline of Events around the alert and Process Tree of the alerting process
So far, most of this information can be gathered from any EDR tool. What differentiates EclecticIQ ER is the ability to have an extended ‘R’ of enRichment, Reconnaissance, Remediation, and pRevention. In the current context, this implies the ability to send ‘live queries’ about the alerting process. The live query is serviced by the EclecticIQ agent, which also acts as the extension to osquery and provides two tables for memory scanning: one that scans a process and one that dumps it.
We use the process ID from the alert and query using it. The win_suspicious_process_scan_table is helpful for this. Whenever a process is looked up in this table, EclecticIQ Endpoint Response leverages the pe-sieve engine to do a memory scan of the process and checks to see if the image in memory matches the binary files on disk. If they don’t match, an entry is created in this table.
Fig: Query Results on suspicious process
The query results indicate that modules inside the process have been “replaced” and “implanted”, which is in effect an indication of process hollowing. At this point, we have several options to further confirm the suspicion and take action on the confirmed detection.
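To show what the in-memory versus on-disk comparison above amounts to, here is an added example (our own illustration, not EclecticIQ or pe-sieve code) that parses the section table of a module from both images and reports a “replaced” PE or a modified code section. The PE buffers it works on are constructed inline and are not real binaries.

```python
import hashlib, struct

def parse_sections(buf):
    """Return (machine, [(name, vaddr, rawptr, rawsize), ...]) from a PE buffer."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec = struct.unpack_from("<HH", buf, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section headers follow the optional header
    secs = []
    for i in range(nsec):
        off = table + 40 * i
        name = buf[off:off + 8].rstrip(b"\0").decode()
        _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", buf, off + 8)
        secs.append((name, vaddr, rawptr, rawsize))
    return machine, secs

def compare_image(disk, mem):
    """Findings for one module: [] means the mapped image still matches disk."""
    d_machine, d_secs = parse_sections(disk)
    m_machine, m_secs = parse_sections(mem)
    # A hollowed process carries a different PE under the original module path.
    if d_machine != m_machine or [s[0] for s in d_secs] != [s[0] for s in m_secs]:
        return ["replaced: PE headers differ from the file on disk"]
    findings = []
    for (name, _, rawptr, rawsize), (_, vaddr, _, _) in zip(d_secs, m_secs):
        on_disk = hashlib.sha256(disk[rawptr:rawptr + rawsize]).hexdigest()
        in_mem = hashlib.sha256(mem[vaddr:vaddr + rawsize]).hexdigest()
        if on_disk != in_mem:
            findings.append(f"modified: section {name} differs from disk")
    return findings

def build_pe(text, machine=0x8664, in_memory=False):
    """Constructed minimal one-section PE (not a real binary). The in-memory
    layout maps .text at its VirtualAddress 0x1000; on disk it sits at 0x200."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x22)
    hdr += b".text\0\0\0" + struct.pack("<IIII", len(text), 0x1000, len(text), 0x200)
    hdr += b"\0" * 16                           # remaining section header fields
    img = bytearray(0x1000 if in_memory else 0x200)
    img[:len(hdr)] = hdr
    return bytes(img + text)

SVCHOST_DISK = build_pe(b"\x48\x83\xec\x28" * 8)                   # constructed "svchost.exe"
SVCHOST_CLEAN = build_pe(b"\x48\x83\xec\x28" * 8, in_memory=True)  # same module, mapped normally
HOLLOWED = build_pe(b"\xcc" * 16, machine=0x14C, in_memory=True)   # different PE mapped over it
```

A real scanner reads the mapped image out of the target process and the file from its module path; the comparison logic is the same.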
- Generate the memory dump for additional validation – As mentioned above, our extension adds two tables for detecting memory attacks. Sending a query on the second table, “win_suspicious_process_dump”, allows us to generate a memory dump of the process. The result of the query tells us the dump file location, which can then be extracted from the endpoint for deeper forensics.
- We can also take remediation action. A remediation action could be to run a script, delete a file, or kill a process. In this case, we first kill the process and then delete the file.
- We may also want to check whether the malware has made any attempt to persist itself. One common way for malware to persist is to create a scheduled task, so we check the list of scheduled tasks using a simple SQL query.
Fig: Query for process dump
Fig: Response Action
Fig: Query on scheduled tasks installed
To summarize, in this use case we combined the following powerful tools to simplify the detection of complex memory-based intrusion techniques:
- our osquery-based agent
- our extension that captures Sysmon style events
- forensic tools, such as pe-sieve
Combined with the easy-to-query interface and functionality of osquery, EclecticIQ Endpoint Response offers a powerful tool that analysts can use to enrich intelligence and to detect, understand, and remediate threats better and faster.
To learn more, visit EclecticIQ Endpoint Response or contact email@example.com