Windows Malware Detection

Windows.Detection.Impersonation

An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. When a user logs on, the system verifies the user’s password by comparing it with information stored in a security database.

Every process has a primary token that describes the security context of the user account associated with the process. By default, the system uses the primary token when a thread of the process interacts with a securable object. Moreover, a thread can impersonate a client account. Impersonation allows the thread to interact with securable objects using the client’s security context. A thread that is impersonating a client has both a primary token and an impersonation token.

This artifact enumerates all threads on the system that have an impersonation token, i.e. threads operating with a token different from the primary token of the process they belong to. For example, mimikatz has a command called token::elevate that does just this:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

688     {0;000003e7} 1 D 42171          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
-> Impersonated !
* Process Token : {0;000195ad} 1 F 757658339   DESKTOP-NHNHT65\mic     S-1-5-21-2310288903-2791442386-3035081252-1001  (15g,24p)       Primary
* Thread Token  : {0;000003e7} 1 D 759094260   NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

Windows.Detection.Mutants

Enumerate the mutants from selected processes.

Mutants are often used by malware to prevent re-infection.

Arg Default Description
processRegex . A regex applied to process names.
MutantNameRegex .+

Windows.Detection.ProcessMemory

Scanning process memory for signals is a powerful technique. This artifact scans processes for a yara signature; when the signature is detected, the process memory is dumped and uploaded to the server.

Arg Default Description
processRegex notepad
yaraRule wide nocase ascii: this is a secret

Windows.Detection.PsexecService

PSExec works by installing a new service on the system. The service can be renamed using the -r flag, so it is not enough to just watch for a new service called psexecsvc.exe. This artifact improves on that by scanning the service binary to detect the original psexec binary.

NOTE that if the service is very short-lived we are unable to examine the service binary in time and will miss it.

Arg Default Description
yaraRule wide nocase ascii: psexec

Windows.Detection.PsexecService.Kill

Psexec can launch a service remotely. This artifact implements a client side response plan whereby all the child processes of the service are killed.

NOTE: There is an inherent race between detection and response. If the psexec is very quick we will miss it.

Arg Default Description
yaraRule wide nocase ascii: psexec

Windows.Detection.RemoteYara.Process

Scanning process memory for signals is a powerful technique. This artifact scans processes with a remote yara rule.

The User can define a rule URL or use the default Velociraptor “Public” share: https://<server>/public/remote.yar

This artifact also gives the user the option to dump any process with hits and to report the rule summary information.

Users are also advised to add any endpoint agents that may cause false positives to the hidden parameter pathWhitelist.

Output of the rule is process information, Yara rule name, metadata and hit data.

Arg Default Description
processRegex . Process name to scan as regex. Default All.
pidRegex . Process PID to scan as regex. Default All.
yaraURL (empty) URL of yara rule to scan with. If empty we use the server's public directory/remote.yar
collectProcess (off) Upload process of each successful hit for further analysis.
printRule Report yara rule collection summary

Windows.Detection.Service.Upload

When a new service is installed, upload the service binary to the server.


Windows.Detection.Thumbdrives.List

Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain malware or other undesirable content. Additionally, thumb drives are an easy way for users to exfiltrate documents.

This artifact watches for any removable drives and provides a complete file listing to the server for any new drive inserted. It also provides information about any addition to the thumb drive (e.g. a new file copied onto the drive).

We exclude very large removable drives since they might have too many files.

Arg Default Description
maxDriveSize 32000000000 We ignore removable drives larger than this size in bytes.

Windows.Detection.Thumbdrives.OfficeKeywords

Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain malware or other undesirable content. Additionally, thumb drives are an easy way for users to exfiltrate documents.

This artifact automatically scans any office files copied to a removable drive for keywords. This could be useful to detect exfiltration attempts of restricted documents.

We exclude very large removable drives since they might have too many files.

Arg Default Description
officeExtensions \.(xls xlsm
yaraRule rule Hit { strings: $a = "this is my secre … This yara rule will be run on document contents.

Windows.Detection.Thumbdrives.OfficeMacros

Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain malware or other undesirable content. Additionally, thumb drives are an easy way for users to exfiltrate documents.

This artifact watches for any removable drives and scans any added office documents for VBA macros.

We exclude very large removable drives since they might have too many files.

Arg Default Description
officeExtensions \.(xls xlsm

Windows.Detection.WMIProcessCreation

WMI Process creation is a common lateral movement technique. The attacker simply uses WMI to call the Create() method on the Win32_Process WMI object.

This can easily be done via the wmic.exe command or via PowerShell:

wmic process call create cmd.exe
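As an added example (not one of the Velociraptor artifacts on this page), the following PowerShell watches process-start events and records any new process whose parent is the WMI provider host, WmiPrvSE.exe, which is the parent a Win32_Process.Create() call produces. It assumes an elevated session, since Win32_ProcessStartTrace requires administrator rights, and the log path is an assumed local file.

```powershell
# Added example, not part of the Velociraptor artifact: flag process creations whose
# parent is the WMI provider host (WmiPrvSE.exe), the tell-tale of Win32_Process.Create().
# Assumed: run elevated (Win32_ProcessStartTrace needs administrator rights) on
# Windows PowerShell 5.1 or PowerShell 7 with the CimCmdlets module available.

$sourceId = 'WmiProcessCreation'
$logPath  = Join-Path $env:ProgramData 'wmi-process-alerts.jsonl'   # assumed location

Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier $sourceId -Action {
    $e = $Event.SourceEventArgs.NewEvent

    # Resolve the parent by PID. WmiPrvSE.exe is long-lived, so the lookup normally succeeds;
    # a parent that already exited simply yields no match and no alert.
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"
    if (-not $parent -or $parent.Name -ine 'WmiPrvSE.exe') { return }

    # Pull the full command line of the new process for the alert record.
    $child = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($e.ProcessID)"

    # Sid arrives as a binary SID; convert it to the familiar S-1-5-... form.
    $user = try { (New-Object System.Security.Principal.SecurityIdentifier($e.Sid, 0)).Value } catch { '' }

    $record = [pscustomobject]@{
        Time        = (Get-Date).ToString('o')
        Pid         = $e.ProcessID
        Name        = $e.ProcessName
        CommandLine = $child.CommandLine
        ParentPid   = $e.ParentProcessID
        Parent      = $parent.Name
        User        = $user
    }

    # Append one JSON line per alert; replace with forwarding to your SIEM as needed.
    $record | ConvertTo-Json -Compress | Add-Content -Path $using:logPath
    Write-Host ("[WMI process creation] pid={0} {1} parent={2}" -f $record.Pid, $record.Name, $record.Parent)
}

# The subscription lives only while this session is open; remove it with:
#   Unregister-Event -SourceIdentifier $sourceId
```

Running the page's wmic process call create cmd.exe from another session will produce one alert line for the spawned cmd.exe.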

Windows.Persistence.Debug

Windows allows specific configuration of various executables via a registry key. Some keys allow defining a debugger to attach to a program as it is run. If this debugger is launched for commonly used programs (e.g. notepad) then another program can be launched at the same time (with the same privileges).

Arg Default Description
imageFileExecutionOptions HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows N …
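As an added example (not the artifact's own VQL), this PowerShell function lists every image under Image File Execution Options that has a Debugger value set and checks whether the configured debugger executable exists and carries a valid Authenticode signature. The helper names are assumptions; the 32-bit WOW6432Node view of the key is included alongside the native one.

```powershell
# Added example, not part of the Velociraptor artifact: list IFEO Debugger entries.
# Any hit means launching that image also launches the configured "debugger" with the
# same privileges. Assumed: elevated PowerShell so every subkey is readable.

$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'  # 32-bit view
)

# Extract the executable from a Debugger command line such as "C:\tools\dbg.exe" /arg
function Get-DebuggerExe([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Get-IfeoDebugger {
    foreach ($key in $ifeoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
            if (-not $props.Debugger) { continue }

            # Does the debugger binary exist, and is it signed? Unsigned or missing binaries
            # pointed at by a commonly used image (e.g. notepad.exe) deserve a closer look.
            $exe = Get-DebuggerExe $props.Debugger
            $signature = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
            } else { 'FileMissing' }

            [pscustomobject]@{
                Image     = $sub.PSChildName   # e.g. notepad.exe
                Debugger  = $props.Debugger    # command line that runs instead of the image
                Signature = $signature         # Valid, NotSigned, HashMismatch, FileMissing, ...
                Key       = $sub.Name
            }
        }
    }
}

Get-IfeoDebugger | Format-Table -AutoSize
```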

Windows.Persistence.PermanentWMIEvents

Malware often registers a permanent event listener within WMI. When the event fires, the WMI system itself invokes the consumer to handle the event, so the malware does not need to be running at the time the event fires. Malware can use this mechanism, for example, to re-infect the machine.

Arg Default Description
namespaces (table with column namespace) root/subscription, root/default
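As an added example (not the artifact's own VQL), this PowerShell function enumerates permanent WMI event subscriptions in the same namespaces the artifact searches by default, resolves each filter-to-consumer binding back to its filter query and consumer, and shows what the consumer would execute. The function name is an assumption; it assumes an elevated session.

```powershell
# Added example, not part of the Velociraptor artifact: enumerate permanent WMI event
# subscriptions (filter -> consumer bindings) and show what each consumer runs.
# Assumed: elevated PowerShell with the CimCmdlets module available.

function Get-PermanentWmiSubscription {
    param([string[]]$Namespace = @('root/subscription', 'root/default'))   # artifact defaults
    foreach ($ns in $Namespace) {
        # Querying the base classes returns all derived instances (CommandLineEventConsumer, ...).
        $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
        $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
        $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

        foreach ($b in $bindings) {
            # Binding properties are object references; match them back by Name to the instances above.
            $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
            $consumer = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1

            # The consumer subclass tells us what happens when the filter fires.
            $type = if ($consumer) { $consumer.CimClass.CimClassName } else { 'missing' }
            $payload = switch ($type) {
                'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
                'ActiveScriptEventConsumer' { if ($consumer.ScriptFileName) { $consumer.ScriptFileName } else { $consumer.ScriptText } }
                default                     { '' }
            }
            $query = if ($filter) { $filter.Query } else { '' }

            [pscustomobject]@{
                Namespace = $ns
                Filter    = $b.Filter.Name
                Query     = $query        # WQL that triggers the consumer, e.g. a timer or logon event
                Consumer  = $b.Consumer.Name
                Type      = $type
                Payload   = $payload
                # Consumers that execute commands or scripts are the ones to review first.
                Review    = $type -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
            }
        }
    }
}

Get-PermanentWmiSubscription | Sort-Object Review -Descending | Format-List
```

A clean workstation typically shows few or no bindings in root/subscription; each entry with Review set should be traced to the software that installed it.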

Windows.Persistence.PowershellRegistry

A common persistence method is to install a hook into a user profile registry hive using PowerShell. When the user logs in, the PowerShell script downloads a payload and executes it.

This artifact searches the user's profile registry hive for signatures related to general PowerShell execution. We use a yara signature specifically targeting the user's profile, which we extract using raw NTFS parsing (in case the user is currently logged on and the registry hive is locked).

Arg Default Description
yaraRule rule PowerShell { strings: $a = /ActiveXOb …
userRegex .

Windows.Persistence.Wow64cpu

Checks for wow64cpu.dll replacement Autorun in Windows 10. http://www.hexacorn.com/blog/2019/07/11/beyond-good-ol-run-key-part-108-2/

Arg Default Description
TargetRegKey HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\**