...

Forensic analysis of the memory associated with the suspended Acrobat.exe will likely reveal something of concern: possibly an exploit in use, if not process injection or process hollowing.

For extortion responses whose Modified Memory value is True, the Root Cause Analysis column shows a download icon that retrieves the Memory Diff file for that response:

...

Process Injection Analytics

...

Further investigation may be performed on the Process Injection page. An Untrusted Remote Threads value of True is a good indicator that it is worth going there.

...

The Root Cause Analysis column also has an icon that redirects you to the Injections page, filtered to show only the process injections related to the response.

...

After clicking the injections icon, you will be taken to the Process Injections page, where you will see only the process injections related to the response:

...

Here on the Process Injection Events page, we see the injector process path and arguments, and the injectee path and arguments. The arguments usually play a very important role in memory analytics, or indicate, for instance, which PowerShell commands were run. The process IDs are present as well, to assist in tracing iterative injections as an attacker hops from process to process, or for looking up root cause analysis on the Process Creation page.

...

How did we know rundll32.exe was really an antivirus vendor? Read on!

...

OK, let's look at what's going on in Process Injection Events by searching for anything injecting into Cyber Crucible's service.exe: click the injections icon, and 5 seconds later we have our answer!

...

But wait, rundll? That's not a hacker, is it? Surely that's not a hacker.exe program. Let's do some filtering to get our answer on the Process Creation page. We don't have a screenshot here, but process IDs are available for all responses and process injections. Let's grab one for filtering, and filter just for the agent we're focusing on.

...

Go back to the Responses page and click the process creations icon. This takes us to the Process Creations page and automatically filters the grid to show the process creations related to this response.

...

Quick and easy: we now see that the "root" (no pun intended) was WebRoot, an antivirus vendor. It spawned a rundll32.exe process to load one of WebRoot's DLLs, which then tried to do something with Cyber Crucible's software, forcing it to iterate through files like a data theft tool would.
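The two lookups walked through above (follow the injector PIDs backwards from the injectee, then walk the parent chain on the Process Creation side to find the root) can be automated over exported event data. The following Python is an added example written for this page, not Cyber Crucible's own code; it assumes a constructed event schema with the fields the page names (injector/injectee path, arguments and PID, the Untrusted Remote Threads flag, and PID/parent PID for process creations), and the sample events, paths and PIDs are constructed to mirror the WebRoot scenario, with a second constructed multi-hop chain to show the hop-by-hop tracing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreation:
    pid: int
    ppid: int
    path: str
    args: str


@dataclass(frozen=True)
class InjectionEvent:
    injector_pid: int
    injector_path: str
    injector_args: str
    injectee_pid: int
    injectee_path: str
    injectee_args: str
    untrusted_remote_thread: bool


# Constructed sample data (placeholder paths and PIDs, not real telemetry).
CREATIONS = [
    ProcessCreation(700, 4, r"C:\Windows\System32\services.exe", ""),
    ProcessCreation(4100, 700, r"C:\Program Files\Webroot\webroot_service_placeholder.exe", ""),
    ProcessCreation(5200, 4100, r"C:\Windows\System32\rundll32.exe",
                    r"C:\Program Files\Webroot\webroot_placeholder.dll,EntryPoint"),
    ProcessCreation(6300, 700, r"C:\Program Files\Cyber Crucible\service.exe", ""),
    # Second, constructed chain used to show multi-hop tracing.
    ProcessCreation(8000, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-enc <redacted>"),
    ProcessCreation(8100, 700, r"C:\Windows\explorer.exe", ""),
    ProcessCreation(8200, 8100, r"C:\Windows\System32\notepad.exe", ""),
]

INJECTIONS = [
    # The WebRoot scenario: rundll32.exe (loading a WebRoot DLL) injects into service.exe.
    InjectionEvent(5200, r"C:\Windows\System32\rundll32.exe",
                   r"C:\Program Files\Webroot\webroot_placeholder.dll,EntryPoint",
                   6300, r"C:\Program Files\Cyber Crucible\service.exe", "", True),
    # Constructed two-hop chain: powershell -> explorer -> notepad.
    InjectionEvent(8000, r"...\powershell.exe", "-enc <redacted>", 8100, r"C:\Windows\explorer.exe", "", True),
    InjectionEvent(8100, r"C:\Windows\explorer.exe", "", 8200, r"C:\Windows\System32\notepad.exe", "", True),
]


def trace_injection_chain(injections, pid):
    """Follow injector links backwards from `pid`, returning PIDs from the
    injectee to the earliest injector. A visited set guards against cycles in
    malformed or self-injecting data."""
    chain, seen, current = [pid], {pid}, pid
    while True:
        sources = [e for e in injections if e.injectee_pid == current]
        if not sources:
            return chain
        nxt = sources[0].injector_pid
        if nxt in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt)
        current = nxt


def process_ancestry(creations, pid):
    """Walk the parent chain on the Process Creation side, child first."""
    by_pid = {c.pid: c for c in creations}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def root_cause(creations, injections, target_pid):
    """Combine both walks: injection hops back to the origin injector, then
    that injector's ancestry, plus which hops raised Untrusted Remote Threads."""
    hops = trace_injection_chain(injections, target_pid)
    origin = hops[-1]
    untrusted = [e.injector_pid for e in injections
                 if e.injectee_pid in hops and e.untrusted_remote_thread]
    return {
        "injection_hops": hops,
        "origin_pid": origin,
        "ancestry": [c.path for c in process_ancestry(creations, origin)],
        "untrusted_injectors": untrusted,
    }


if __name__ == "__main__":
    for pid in (6300, 8200):
        print(pid, root_cause(CREATIONS, INJECTIONS, pid))
```

For the constructed WebRoot case, tracing from service.exe (PID 6300) yields a single hop back to rundll32.exe (PID 5200), whose ancestry is rundll32.exe, the WebRoot service placeholder, then services.exe: the same answer the walkthrough reached by clicking through the Injections and Process Creations pages. The second chain shows why the cycle guard and the hop list matter when an injector has itself been injected into.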

...