Scenario
In this training scenario, we will execute a ransomware payload via process hollowing, an injection / evasion technique where a process is started and has its executable code modified to do some other behavior.
In memory tradecraft is some of the hardest to detect, and even harder to have an automated response to, so it is often ignored. Memory is by definition volatile, and always changing. Identifying changes within a process' memory requires identifying relevant sections, and evaluating it during different times in a process' lifecycle to see if it has been tampered with.
Identifying it
Memory modified responses are by far the hardest to inspect. Since memory is ephemeral, it is treated like a “black box” and often kept at arms length. The good news is that as of Cyber Crucible 4.4.1.3 we now have the ability to automatically collect telemetry for modified memory samples, identifying what ranges of memory was modified, and the exact changes to them.
That kind of analysis is very cumbersome to do however, so a good first step is to check the related processes in the dashboard in order to get an idea of related behavior. Since the process in question here is a signed SQLCMD.exe, it should be obvious quickly if this is a benign SQL process, or something worse.
So far so good, just normal SQL processes, nothing necessarily suspicious or not. Although, we never like to see CMDs involved with automated responses. Lets do some more digging.
And there it is! We can keep scrolling and see more and more behaviors like these. The SQLCMD exe is running all kinds of commands to disable services, change configurations, and everything that ransomware would do preemptively.
Here we can see a small idea of what waits for us when we start to dig deeper and analyze the memory diffs. Most of the tradecraft sophisticated enough to do fully in-memory malware is also going to obfuscate its code in memory. This makes analyzing it extremely difficult, but access to the extra telemetry has already proved invaluable for incident identification, as well as behavior tuning
Relevant documentation
Mitre T1559 - Inter-Process communication can provide control over the target process from the injector once the injection is complete.
Mitre T1106 - Native APIs are often the closest access to operating system functionality for accessing files, running processes, any more.
Mitre T1569 - Injecting into a system service such as an existing
svchost
can disguise malicious code to be reported as running from a well known and trusted process.Mitre T1055 - Process injection, usually used to run malicious code in a target process while allowing the original process to continue.
Mitre T1543 - Creating or modifying a system process can disguise malicious code as a normal, trusted system process from malware detection.