EclecticIQ
Detect and Remediate Process Hollowing with EclecticIQ Endpoint Response

EclecticIQ Endpoint Security Team, April 13, 2022


Categorized under the MITRE ATT&CK framework as a sub-technique of T1055 (tactics: Defense Evasion and Privilege Escalation), process hollowing is a well-understood and widely used technique that malware uses to avoid detection. The infamous LokiBot infection chain uses process hollowing to bypass User Account Control (UAC).

The good news and the bad news!

Luckily, most anti-virus products, such as Windows Defender, can flag process hollowing.

So, everything is great, right?

Should we end the blog here? It turns out that in the real world things are more complex. Security and usability are always at loggerheads, and settings must be tweaked to achieve a balance. Users and administrators sometimes need to sacrifice security for usability (or may not realize they already have). Directories are often excluded from scanning. Periodically, during upgrades, anti-virus may be temporarily disabled. All of this gives attackers opportunities to use process hollowing.

It is critical that we reduce the window of attack by ensuring that the anti-virus has maximum coverage. However, there are still cases where compromises must be made. Even if the settings are appropriate, it is not unusual for adversaries to evade the anti-virus protections through innovative means.

EclecticIQ Endpoint Response to The Rescue

EclecticIQ Endpoint Response can help monitor systems for process hollowing when anti-virus settings are relaxed, and it does not depend on any pre-determined set of signatures to do so. So how do we do it?

It starts with our belief that ‘collaboration’ should be at the core of security, which begins by weaving tools of different capabilities into a unified fabric. At the core of our agent is the open-source osquery tool, extended with our extension. The extension in turn leverages another tool called ‘pe-sieve’, created by security researcher hasherezade (@hasherezade on Twitter), for the detection of advanced memory exploits such as process hollowing, process doppelgänging and reflective DLL injection. As a result, a pe-sieve scan of one or more processes can be invoked with a simple SQL query on the endpoints in the enterprise. Additionally, the tight coupling between osquery and EclecticIQ Endpoint Response gives the analyst more power to correlate different data points and identify patterns.

Seeing is Believing

Let us walk through an example of an attack that uses process hollowing. The tool reports that it has successfully hollowed out a process. The payload, in this case, displays a dialog box that says hello.


At this stage, it doesn’t look too bad. Let’s navigate up the process tree. We use Process Explorer to locate the entry for the dialog box that just popped up. Process Explorer has a handy tool that makes it easier to find the process that launched a UI element. Here we can see that ProcessHollowing.exe appears to have started svchost.exe, but svchost.exe has been hollowed out and its code replaced with the payload.


Because EclecticIQ Endpoint Response was running on the system on which we ran this demonstration, an alert was generated.

Fig: Alerts Dashboard

Clicking on the ‘Alerted Entry’ and ‘Investigate’ will reveal additional details on the set of activities that led to this alert.

Fig: Alerted Entry

Note that svchost.exe was launched by ProcessHollowing.exe. Clicking the “Investigate” icon on the “Alerts” page gives us a more detailed view of the activity.

Fig: Timeline of events around the alert and process tree of the alerting process

So far, most of this information can be gathered from any EDR tool. What differentiates EclecticIQ ER is the ability to have an extended ‘R’ of enRichment, Reconnaissance, Remediation, and pRevention. In the current context, this means the ability to send ‘live queries’ about the alerting process. The live query is serviced by the EclecticIQ agent, which also acts as the extension to osquery and provides two tables for memory scanning:

  • win_suspicious_process_scan
  • win_suspicious_process_dump

We use the process ID from the alert to query. The win_suspicious_process_scan table is helpful for this. Whenever a process is looked up in this table, EclecticIQ Endpoint Response uses the pe-sieve engine to scan the process's memory and check whether the image in memory matches the binary file on disk. If they don’t match, an entry is created in this table.

Fig: Query results on suspicious process

The query results indicate that modules inside the process have been “replaced” and “implanted”, which is in effect an indication of process hollowing. At this point, we have several options to further confirm the suspicion and act on the confirmed detection.

  1. Generate a memory dump for additional validation – As mentioned above, our extension provides two tables for detecting memory attacks. Sending a query on the second table, “win_suspicious_process_dump”, generates a memory dump of the process. The result of the query tells us the dump file location, which can then be extracted from the endpoint for deeper forensics.
  2. We can also take remediation action. A remediation action could be to run a script, delete a file, or kill a process. In this case, we first kill the process and then delete the file.
  3. We may also want to check whether the malware has made any attempt to persist. One of the ways to do this is by creating a scheduled task. We can check the list of scheduled tasks using a simple SQL query.
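The investigation steps above, expressed as osquery live queries, as an added example that is not part of the original post or of the EclecticIQ product. `processes` and `scheduled_tasks` are standard osquery tables; the two extension tables are named in the post, but their column names (`pid`, `module_path`, `status`, `dump_path`) and the PID 4242 are assumptions for illustration.

```sql
-- Added example (not from the post). osquery uses SQLite dialect.
-- Extension-table column names and the PID 4242 are assumed, not documented here.

-- 1. Confirm the parentage seen in the alert. A svchost.exe whose parent is
--    not services.exe deserves a closer look; in the post the parent was
--    ProcessHollowing.exe.
SELECT p.pid, p.name, p.path, p.parent,
       pp.name AS parent_name, pp.path AS parent_path
FROM processes p
LEFT JOIN processes pp ON pp.pid = p.parent
WHERE p.name = 'svchost.exe'
  AND COALESCE(pp.name, '') != 'services.exe';

-- 2. Trigger a pe-sieve memory scan of the alerted process. A row comes back
--    only when the in-memory image diverges from the on-disk binary;
--    'replaced' and 'implanted' are the statuses the post treats as hollowing.
SELECT pid, module_path, status
FROM win_suspicious_process_scan
WHERE pid = 4242
  AND status IN ('replaced', 'implanted');

-- 3. Generate a memory dump for offline forensics; the returned path is the
--    file to collect from the endpoint.
SELECT pid, dump_path
FROM win_suspicious_process_dump
WHERE pid = 4242;

-- 4. Check for persistence via scheduled tasks: tasks whose action references
--    the hollowing binary, or tasks marked hidden.
SELECT name, action, path, enabled, hidden, next_run_time
FROM scheduled_tasks
WHERE action LIKE '%ProcessHollowing%'
   OR hidden = 1;
```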

Fig: Query for process dump

Fig: Response action

Fig: Query on scheduled tasks installed

Conclusion

To summarize, in this use case we combined osquery, pe-sieve and EclecticIQ Endpoint Response to simplify the detection of complex memory-based intrusion techniques.

Combined with osquery's easy-to-use query interface and functionality, EclecticIQ Endpoint Response offers a powerful tool that analysts can use to enrich intelligence and to detect, understand, and remediate threats better and faster.

To learn more, visit EclecticIQ Endpoint Response or contact info@eclecticiq.com

© 2014 – 2023 EclecticIQ B.V.