DLL劫持——DLL sideloading 检测,4个检测点:同名DLL的覆盖(关键点),rundll32进程(关键点),cmd的父进程是rulldll32,rundll32出来一个tcp外联(有C2才算)!
https://flangvik.com/privesc/windows/bypass/2019/06/25/Sideload-like-your-an-APT.html
我是按照这个链接进行复现的,文章里使用的是notepad++,但是最新的notepad++已经没有了libcurl,所以我自己找的是XunjiePDFEditor.exe 这个。安装文件的名字是:Installer_迅捷PDF编辑器_r1.7.4.exe
最后获得了反弹shell:
xunjiepdf的目录放置感染的DLL,原始的libcurl是682KB,而挂马的dll是46KB,双击xunjiepdfediter.exe即出现上图。
我们看下sysmon采集的数据:
1、首先是进程创建
2、然后是调用dll,看来是会运行rundll32!!!所以
Process Create: RuleName: - UtcTime: 2022-04-25 11:14:13.608 ProcessGuid: {d418462b-8285-6266-7606-000000000500} ProcessId: 5712 Image: C:\Windows\SysWOW64\rundll32.exe FileVersion: 10.0.19041.746 (WinBuild.160101.0800) Description: Windows host process (Rundll32) Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: RUNDLL32.EXE CommandLine: rundll32.exe CurrentDirectory: C:\Users\bonel\AppData\Roaming\HuDun\XJPDFEditor\ User: DESKTOP-CIBNM6P\bonel LogonGuid: {d418462b-52ca-6266-3898-030000000000} LogonId: 0x39838 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: MD5=889B99C52A60DD49227C5E485A016679,SHA256=6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910,IMPHASH=30B6D4AA5B2B125B0ABCA749B5D12B3A ParentProcessGuid: {d418462b-8285-6266-7506-000000000500} ParentProcessId: 4144 ParentImage: C:\Users\bonel\AppData\Roaming\HuDun\XJPDFEditor\XunjiePDFEditor.exe ParentCommandLine: "C:\Users\bonel\AppData\Roaming\HuDun\XJPDFEditor\XunjiePDFEditor.exe" ParentUser: DESKTOP-CIBNM6P\bonel
3、这个网络连接也是rundll32这个进程发起的
Network connection detected: RuleName: - UtcTime: 2022-04-25 11:14:13.677 ProcessGuid: {d418462b-8285-6266-7606-000000000500} ProcessId: 5712 Image: C:\Windows\SysWOW64\rundll32.exe User: DESKTOP-CIBNM6P\bonel Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.169.156 SourceHostname: DESKTOP-CIBNM6P SourcePort: 49482 SourcePortName: - DestinationIsIpv6: false DestinationIp: 192.168.168.96 DestinationHostname: - DestinationPort: 8888 DestinationPortName: -
4、启动cmd的时候,可以看到cmd的父进程是rundll32。
Process Create: RuleName: - UtcTime: 2022-04-25 12:02:08.395 ProcessGuid: {d418462b-8dc0-6266-9e06-000000000500} ProcessId: 4940 Image: C:\Windows\SysWOW64\cmd.exe FileVersion: 10.0.19041.746 (WinBuild.160101.0800) Description: Windows Command Processor Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: Cmd.Exe CommandLine: C:\Windows\system32\cmd.exe CurrentDirectory: C:\Users\bonel\AppData\Roaming\HuDun\XJPDFEditor\ User: DESKTOP-CIBNM6P\bonel LogonGuid: {d418462b-52ca-6266-3898-030000000000} LogonId: 0x39838 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A ParentProcessGuid: {d418462b-8da8-6266-9d06-000000000500} ParentProcessId: 1664 ParentImage: C:\Windows\SysWOW64\rundll32.exe ==》这个是检测点!!! ParentCommandLine: rundll32.exe ParentUser: DESKTOP-CIBNM6P\bonel
5、最后退出进程的时候会有一个注册表设置的动作
Registry value set: RuleName: InvDB EventType: SetValue UtcTime: 2022-04-25 12:02:46.545 ProcessGuid: {d418462b-52a1-6266-1600-000000000500} ProcessId: 496 Image: C:\Windows\System32\svchost.exe TargetObject: HKU\S-1-5-21-3082954643-951221807-432565169-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\bonel\AppData\Roaming\HuDun\XJPDFEditor\XunjiePDFEditor.exe Details: Binary Data User: NT AUTHORITY\SYSTEM