EDR Simulation — Hunting for Process Injection with API Monitoring
Hello World,
Today we will learn how API monitoring can be used to detect process injection, first with memhunter and then with Captain.
Let's get started.
Introduction
What is an EDR?
Endpoint Detection and Response (EDR), also referred to as endpoint detection and threat response (EDTR), is an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware. [1]
What is Process Injection?
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. [2]
Memhunter tool
memhunter's detection process is performed through a combination of endpoint data collection and memory inspection scanners. The tool is a standalone binary that, upon execution, deploys itself as a Windows service. Once running as a service, memhunter starts collecting ETW events that might indicate code injection attacks. The live stream of collected events is fed into memory inspection scanners that use detection heuristics to down-select the potential attacks. The entire detection process requires neither human intervention nor memory dumps, and it can be performed by the tool itself at scale.
Source: https://github.com/marcosd4h/memhunter
Let’s perform process injection and try to find it with memhunter.
- Run "Process Hacker" as Administrator
- Open notepad.exe and find its PID in Process Hacker (1760 in this run)
- Use minjector.exe (the injector that ships with memhunter) to inject the DLL into the notepad process:
minjector.exe -m 1 -s payload.dll -t 1760
- Run memhunter
memhunter reports the injected DLL inside notepad.exe as a SuspiciousModule.
API Monitoring
Captain is an endpoint monitoring tool that aims at spotting malicious events through API hooking, improving the process of threat-hunting analysis. When a new process is created, Captain injects a DLL into it that hooks a set of Windows API functions and logs their calls.
Source: https://github.com/y3n11/Captain
Now we perform a reflective DLL injection against notepad.exe with minjector.exe while Captain is monitoring.
Steps:
- Run Monitor.ps1 from Captain
- Open a new notepad.exe process (so that Captain's hook DLL is loaded into it)
- Perform the reflective DLL injection with minjector.exe
Captain writes its report to C:\ProgramData\Captain\Reporting\events.json.
Open it and you should see the Windows API calls used for injection (for CreateRemoteThread-style injection, typically OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread) recorded with notepad.exe as their target.
Feel free to explore the Captain tool. It will give you a good idea of how an actual EDR works.
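As an added example (not part of the original post, nor of the Captain or memhunter projects), here is a small Python triage script that does what you would otherwise do by eye in events.json: it groups cross-process API calls by caller and target, checks whether they form the OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread chain that the minjector steps above produce, and classifies the result by whether the target then calls LoadLibrary (classic DLL injection) or not (shellcode or reflective loading). The sample events are constructed, and the record schema (timestamp, pid, process, api, target_pid, args) is an assumption; Captain's real field names may differ, so map them in the loader before pointing the script at C:\ProgramData\Captain\Reporting\events.json.

```python
import json
from collections import defaultdict

# Ordered stages of the classic remote-thread injection chain; the final stage
# accepts a few alternative thread-start primitives.
STAGES = (
    ("open",  {"OpenProcess", "NtOpenProcess"}),
    ("alloc", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("exec",  {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx",
               "RtlCreateUserThread", "QueueUserAPC", "SetThreadContext"}),
)
EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
LOADER_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
               "LoadLibraryExW", "LdrLoadDll"}

# Constructed sample in the spirit of Captain's events.json. The schema
# (timestamp, pid, process, api, target_pid, args) is an ASSUMPTION made for
# this example; the hook is assumed to resolve a process handle to target_pid.
SAMPLE_EVENTS_JSON = """[
 {"timestamp": 1, "pid": 4120, "process": "minjector.exe", "api": "OpenProcess",
  "target_pid": 1760, "args": {"dwDesiredAccess": "0x1F0FFF"}},
 {"timestamp": 2, "pid": 4120, "process": "minjector.exe", "api": "VirtualAllocEx",
  "target_pid": 1760, "args": {"flProtect": "PAGE_EXECUTE_READWRITE", "dwSize": 4096}},
 {"timestamp": 3, "pid": 4120, "process": "minjector.exe", "api": "WriteProcessMemory",
  "target_pid": 1760, "args": {"nSize": 4096}},
 {"timestamp": 4, "pid": 4120, "process": "minjector.exe", "api": "CreateRemoteThread",
  "target_pid": 1760, "args": {"lpStartAddress": "0x7ff9a0b12340"}},
 {"timestamp": 5, "pid": 1760, "process": "notepad.exe", "api": "LoadLibraryA",
  "target_pid": null, "args": {"lpLibFileName": "C:\\\\lab\\\\payload.dll"}},
 {"timestamp": 6, "pid": 3344, "process": "explorer.exe", "api": "OpenProcess",
  "target_pid": 1760, "args": {"dwDesiredAccess": "0x1000"}},
 {"timestamp": 7, "pid": 1760, "process": "notepad.exe", "api": "VirtualAlloc",
  "target_pid": null, "args": {"flProtect": "PAGE_READWRITE", "dwSize": 65536}}
]"""


def find_injection_chains(events_json, min_stages=3):
    """Return one finding per (caller pid, target pid) pair whose cross-process
    API calls form at least `min_stages` stages of the injection chain and end
    in a thread-start primitive."""
    events = sorted(json.loads(events_json), key=lambda e: e["timestamp"])

    # Only calls that act on a *different* process can be injection; a process
    # allocating or writing its own memory is normal behaviour (event 7 above).
    chains = defaultdict(list)
    for ev in events:
        target = ev.get("target_pid")
        if target is not None and target != ev["pid"]:
            chains[(ev["pid"], target)].append(ev)

    findings = []
    for (src, dst), evs in chains.items():
        seen, cursor, exec_alloc = {}, 0, False
        for ev in evs:
            # Stages are matched as an ordered subsequence: a call only advances
            # the chain if its stage comes after the last matched stage.
            for idx in range(cursor, len(STAGES)):
                name, apis = STAGES[idx]
                if ev["api"] in apis:
                    seen[name] = ev
                    cursor = idx + 1
                    if name == "alloc" and ev.get("args", {}).get("flProtect") in EXEC_PROTECTIONS:
                        exec_alloc = True
                    break
        if "exec" not in seen or len(seen) < min_stages:
            continue  # e.g. explorer.exe merely opening a handle to notepad

        # Classify by what the *target* did after the remote thread started: a
        # LoadLibrary call means classic DLL injection; its absence together
        # with an executable allocation points at shellcode or reflective loading.
        t_exec = seen["exec"]["timestamp"]
        loaded = [ev.get("args", {}).get("lpLibFileName") for ev in events
                  if ev["pid"] == dst and ev["api"] in LOADER_APIS and ev["timestamp"] > t_exec]
        if loaded:
            technique = "DLL injection (LoadLibrary observed in target)"
        elif exec_alloc:
            technique = "shellcode or reflective DLL injection (executable allocation, no LoadLibrary)"
        else:
            technique = "remote thread created in target; inspect written memory"

        findings.append({
            "source_pid": src, "source": evs[0]["process"],
            "target_pid": dst, "stages": list(seen),
            "executable_alloc": exec_alloc, "loaded": loaded, "technique": technique,
        })
    return findings


if __name__ == "__main__":
    for f in find_injection_chains(SAMPLE_EVENTS_JSON):
        print(f"{f['source']} ({f['source_pid']}) -> pid {f['target_pid']}: "
              f"{' > '.join(f['stages'])} :: {f['technique']}")
```

To run it against a real capture, replace SAMPLE_EVENTS_JSON with the contents of events.json (after renaming fields to the assumed schema). The cross-process filter is the important design choice: the same four APIs are harmless when a process calls them on itself, so keying on (caller, target) pairs with differing PIDs is what turns a raw API log into an injection signal, and the post-exec LoadLibrary check is what distinguishes the LoadLibrary-based injection from the reflective variant, where the target never calls the loader.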
Hay Yay!!!