We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part four!

Today’s content:

• Process injection using the CreateRemoteThread API.
• Suspicious CPL files being loaded (https://attack.mitre.org/techniques/T1218/002/).

Process Injection

Process injection is a well-known and well-documented technique often used by attackers. There are a wide variety of ways to perform process injection and the most “classic” techniques uses the CreateRemoteThread API. However, this technique is still used in practice by attackers as it’s the most straightforward way; and detection capabilities of AV/EDR products on this technique are still lacking.

One of the reasons it’s so hard to detect process injection based on CreateRemoteThread is because legit software is doing it all the time. To give you a feeling, according to Defender ATP (DATP), the API has been used 184 times in the last 7 days just on my machine with normal office use (security research is done on a separate machine). This makes it really hard to identify malicious and legit uses of process injection. Our hunt for this week leverages the FileProfile function in DATP to make the results manageable.

The FileProfile function enriches your query with information from DATP. It adds info such as “How often has this file been seen globally by DATP” (i.e. Global Prevalence), “How often has this file been seen in your environment” (i.e. Local Prevalence), “Is there a digital signature on the file”, “Who signed the file”, etc. You can read the full docs here.

In this query we list all uses of “CreateRemoteThread” where the executable calling this API is observed less than 500 times globally by Microsoft. For signed executables, the threshold is set to 200.

You can find the query here on GitHub, we tagged it as T1055-WIN-001.md.

A few considerations:

• The thresholds require fine-tuning for your environment. Lower is better, but it needs to be balanced with the false positive rate. Set the values as low as possible, where the false positive rate is still acceptable for you.
• Should a valid signature be a reason to have a lower threshold for your environment?
• Process injections originating from legit binaries are (by design) not detected by this rule. E.g. malware running in a real svchost.exe injecting into another process is not detected, as svchost.exe is a legit binary (i.e. hash of file is observed >200 times globally).
• Process injection techniques that use other Windows APIs such as SetThreadContext/QueueUserAPC/SetWindowHookEx and are not covered.

Like to read more about this ?

• https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
• https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
• https://www.ired.team/offensive-security/code-injection-process-injection
• https://attack.mitre.org/techniques/T1055/

Suspicious CPL files

CPL files are “Control Panel” files, which allow developers to extend the default Windows control panel with custom items. There are two types of CPL files. For the legacy format, these are just .DLL which export a function called “Cplapplet”. According to the documentation, new CPL files should be an .EXE which follow the “task flow layout” — not sure what that means…

Regardless of which type is used, it always triggers an “ImageLoad” of the .CPL file in the process memory of another process. We can leverage this unique extension, combined with the FileProfile enrichment function, to identify suspicious CPL files.

This query works by first identifying all unique SHA1 hashes of files with the .CPL extension being loaded into memory as a module. Then the FileProfile function is used to enrich the table, and finally we select all ImageLoad events of .CPL files which are seen less than 100 times by Microsoft globally. Or, when the .CPL is properly signed, less than 50 times globally.

You can find the query here on GitHub, we tagged it as T1218-WIN-001.md.

A few considerations:

• The thresholds for “Global Prevalence” are dependent on how sensitive you’d like the rule to be. Increasing the values will give you more false positives, but also less false negatives, and vice versa.
• The selected timeframe should be sufficiently short to ensure that the number of unique CPL hashes is < 1000, because of the limitations in the FileProfile function.

Like to read more about this?

• https://www.ired.team/offensive-security/code-execution/executing-code-in-control-panel-item-through-an-exported-cplapplet-function
• https://docs.microsoft.com/en-us/windows/win32/shell/using-cplapplet
• https://www.ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
• https://attack.mitre.org/techniques/T1218/011/
• https://attack.mitre.org/techniques/T1218/002/

Disclaimers

• Don’t expect to copy-paste the queries in your environment and be done with it. We provide a foundational query which can detect a certain technique. You will need to fine-tune/extend the query to your organisation’s specifics to make it work in your environment and integrate into your monitoring solution.
• The queries will be free to use in any way you like, although we appreciate a reference back to @falconforceteam Twitter / FalconForce GitHub.
• Direct link to our FalconFriday Github page: https://github.com/FalconForceTeam/FalconFriday

The FalconForce Medium page with the bi-weekly articles can be found HERE.

Knowledge center

Other articles

FalconForce realizes ambitions by working closely with its customers in a methodical manner, improving their security in the digital domain.

KVK 76682307
BTW NL860745314B01