import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def dll_hijacking_submenu():
    """
    Submenu for DLL Hijacking detection techniques.

    Builds the numbered action table for the DLL hijacking detection
    topics defined in this module and hands it to build_submenu(), which
    owns the prompt loop and dispatch.
    """
    # (description, handler) pairs; position in this tuple fixes the menu number.
    entries = (
        ("File System Analysis", file_system_analysis),
        ("Memory Analysis", memory_analysis),
        ("Command Line Analysis", command_line_analysis),
        ("SANS DFIR Insights", sans_dfir_insights),
    )
    # Menu keys are the 1-based position rendered as a string ("1", "2", ...),
    # matching the key shape build_submenu() receives from the other submenus.
    actions = {
        str(number): {"description": label, "function": handler}
        for number, (label, handler) in enumerate(entries, start=1)
    }
    build_submenu("DLL Hijacking Detection", actions)
# Individual submenu functions
def file_system_analysis():
    """
    Displays information about file system analysis for DLL hijacking detection.

    Prints a short checklist of file-system indicators (new or unsigned
    binaries dropped in unusual locations) together with one worked example,
    using the shared print_info() renderer.
    """
    # Empty first and last entries give the text a leading and trailing
    # newline so the page is framed like the other topics in this module.
    lines = [
        "",
        "- Look for new or unsigned `.exe` and `.dll` files in unusual locations.",
        "- Example Indicators:",
        "- Timestamp: 2021-02-18 03:42:31",
        "- Impact: -",
        "- Method: mach Meta",
        "- File Name: `c:/ProgramData/mcoemcpy.exe` (size: 77824)",
        "- File: `c:/ProgramData/McUtil.dll` (size: 131072)",
        "",
    ]
    print_info("DLL Hijacking File System Analysis", "\n".join(lines))
def memory_analysis():
    """
    Displays memory analysis techniques for DLL hijacking detection.

    Prints the memory-side indicators to review (processes running
    unexpected code, DLLs loaded from outside their expected directories)
    through the shared print_info() renderer.
    """
    # Empty first and last entries give the text a leading and trailing
    # newline so the page is framed like the other topics in this module.
    lines = (
        "",
        "- Identify system processes or DLLs loaded from unusual locations.",
        "- Pay attention to:",
        "- Processes running unexpected code.",
        "- DLLs loaded from locations outside expected directories.",
        "- Newly created DLLs and executables can indicate malicious activity.",
        "",
    )
    print_info("DLL Hijacking Memory Analysis", "\n".join(lines))
def command_line_analysis():
    """
    Displays command-line analysis techniques for DLL hijacking detection.

    Prints a reminder to review suspicious command-line execution patterns,
    with one example invocation, through the shared print_info() renderer.
    """
    # Empty first and last entries give the text a leading and trailing
    # newline so the page is framed like the other topics in this module.
    lines = (
        "",
        "- Review suspicious command-line execution patterns.",
        "- Example:",
        # Escaped backslashes: the rendered example shows a single backslash
        # between each Windows path component.
        "- Command: `C:\\ProgramData\\ncoenchy.exe 0x4`",
        "- Method: mach Meta",
        "- Check for signs of injection or other manipulation.",
        "",
    )
    print_info("DLL Hijacking Command-Line Analysis", "\n".join(lines))
def sans_dfir_insights():
    """
    Displays insights from SANS DFIR training for DLL hijacking detection.

    Prints the investigative techniques (file timeline analysis, memory
    forensics) and the secondary indicators that tend to expose a hijack,
    through the shared print_info() renderer.
    """
    # Empty first and last entries give the text a leading and trailing
    # newline so the page is framed like the other topics in this module.
    lines = (
        "",
        "- Nearly all DLL hijacks require placing a new DLL or executable onto the file system.",
        "- Investigative Techniques:",
        "- **File Timeline Analysis**:",
        "- Focus on newly created files during times of interest.",
        "- **Memory Forensics**:",
        "- Analyze running processes for unexpected DLL locations.",
        "- Obscure DLLs are more likely to be targeted since common DLLs are usually preloaded into memory.",
        "- Other anomalous actions like network beaconing or named pipe creation can lead to detection.",
        "",
    )
    print_info("DLL Hijacking Insights from SANS DFIR", "\n".join(lines))