Purple Team | Detecting DLL Hijacking & Credential Dumping
Hi there, I’m glad to see you here. In the dynamic world of cybersecurity, we’re diving into Purple Teaming, focusing on DLL Hijacking and Credential Dumping. From Sysmon insights to practical detection methods, this article equips you with essential knowledge to enhance your defense against evolving threats. Let’s move forward together!
What is Sysmon?
Sysmon (System Monitor) is a Microsoft tool that runs on the Windows operating system, providing the capability to monitor system activities.
You can install Sysmon by downloading it from the official Microsoft documentation.
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Once downloaded, open an administrator command prompt and execute the following command to install Sysmon:
sysmon.exe -i -accepteula -h md5,sha256,imphash -l -n
Sysmon Configuration File
The Sysmon Configuration File specifies which events Sysmon will monitor and how it will process these events. This file comes in “XML” format and contains various parameters. Users can customize Sysmon’s monitoring behaviors by editing this file.
⭐️For a comprehensive configuration, you can visit the following address:
To detect a DLL hijacking event, we need to focus on “Event Type 7 (Image Loaded)”, which corresponds to module loading events. To detect a credential dumping event, we need to focus on “Event Type 10 (Process Access)”, which corresponds to process access events.
To achieve this, we need to modify the “sysmonconfig-export.xml” Sysmon configuration file that we downloaded from the address above.
📍1.Open Configuration File: Open the “sysmonconfig-export.xml” file using a text editor (e.g., Notepad, Notepad++, Visual Studio Code).
📍2.Enable Event IDs: Navigate to the “<EventFiltering>” section in the file. This section contains the Sysmon event IDs to be enabled.
In the case of detecting DLL hijacks, we change “onmatch” from “include” to “exclude”. With no rules underneath it, an “exclude” section excludes nothing, so every image load event is logged and we capture the data we need.
#Before Change
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</ImageLoad>
</RuleGroup>
#After Change
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="exclude">
<!--NOTE: Using "exclude" with no rules means everything in this section will be logged-->
</ImageLoad>
</RuleGroup>
To detect potential credential attacks, the “ProcessAccess” section of the Sysmon configuration file is adjusted in the same way: “onmatch” is set to “exclude” with no rules, so every process access event is logged. This configuration is especially relevant in scenarios where tools like Mimikatz are used for credential theft.
#Before Change
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</ProcessAccess>
</RuleGroup>
#After Change
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="exclude">
<!--NOTE: Using "exclude" with no rules means everything in this section will be logged-->
</ProcessAccess>
</RuleGroup>
📍3.Save Sysmon Settings: Save and close the file. Then, open a command prompt to apply this configuration to Sysmon.
📍4.Update Sysmon Configuration: In the command prompt, use the following command to update the Sysmon configuration:
sysmon.exe -c sysmonconfig-export.xml
What is a DLL File?
DLL (Dynamic Link Library) files are specialized files that contain reusable code and data, usable by various programs. Typically used on the Windows operating system, DLL files have code and data that fulfill the functionality needed by a program.
⭐️For example, “Windows Explorer”, represented by the “explorer.exe” application, contains multiple DLL files. These DLLs support the operation of “explorer.exe” by providing functionalities such as file operations and user interface controls.
What is DLL Hijacking?
DLL Hijacking is a security vulnerability where an attacker can manipulate or replace a DLL file loaded by an application, potentially causing harm to the system.
❗️This type of attack is particularly effective when an application does not explicitly specify the full file path when loading DLL files or when it loads DLLs from insecure directories.
Detecting DLL Hijacking
Firstly, we can start observing image load events with the modified Sysmon configuration. To view these events, navigate to the “Event Viewer” and access:
Applications and Services -> Microsoft -> Windows -> Sysmon
Let’s now see what a “Sysmon Event ID 7” looks like.
The event log includes information about the signing status of the DLL (in this case, it is Microsoft-signed). Additionally, it provides details about the process or image responsible for loading the DLL and specifies the particular DLL that was loaded. In our example, we notice that the “MicrosoftEdgeUpdate.exe” loaded the “msasn1.dll”, which is also signed by Microsoft.
You can view an informative blog post that provides a comprehensive list of various DLL hijacking techniques using the link below:
For the purpose of our detection, we will focus on a specific hijack involving the vulnerable executable “calc.exe” and a list of DLLs that can be hijacked.
Let’s try to hijack using “calc.exe” and “WININET.dll” as an example. We will be using Stephen Fewer’s “hello world” reflective DLL for this process.
https://github.com/stephenfewer/ReflectiveDLLInjection/tree/master/bin
After completing the necessary steps, which include renaming “reflective_dll.x64.dll” to “WININET.dll”, moving “calc.exe” along with “WININET.dll” from “C:\Windows\System32” to a writable directory (such as the “Desktop” folder), and executing “calc.exe”, we achieve success. As a result, a message box is displayed instead of the calculator application.
In this step, we will analyze the impact of the hijack. First, by clicking “Filter Current Log…” we filter the event logs to focus on “Event ID 7”, which represents module load events.
Next, we must look for instances of “calc.exe” by clicking “Find…” to identify the DLL load associated with our hijack.
In this example, “calc.exe”, originally located in “System32”, is found in a writable directory, and the “WININET.dll” originally located in “System32” is loaded outside of “System32” by “calc.exe”. Additionally, while the original “WININET.dll” is Microsoft-signed, the injected DLL remains unsigned. All these powerful IOCs provide us with an effective means to detect DLL hijacking.
Additionally, when we investigate the hash value of the reflective DLL file we use through “VirusTotal”, we may notice that this file has risk indicators.
What is OS Credential Dumping: LSASS Memory?
The term “OS Credential Dumping: LSASS Memory” refers to an attacker extracting user credentials from the operating system’s memory, particularly from the “LSASS” process.
⭐️LSASS (Local Security Authority Subsystem Service) is a crucial system component in Windows operating systems responsible for handling user authentication information.
What is Mimikatz?
Mimikatz, initially developed in 2007 by Benjamin Delpy, is a tool commonly used by both hackers and security professionals to extract sensitive information, such as passwords and credentials, from a system’s memory.
Detecting Credential Dumping
Identifying activities related to credential dumping, a common threat in today’s digital landscape, is a critical task in cybersecurity. Among the tools commonly used for this purpose, Mimikatz stands out, offering a range of techniques for extracting Windows credentials. In particular, the “sekurlsa::logonpasswords” command in Mimikatz extracts password hashes or plaintext passwords by gaining access to “LSASS (Local Security Authority Subsystem Service)”. LSASS plays a critical role in managing user credentials, making it a primary target for credential dumping tools like Mimikatz. The attack can be executed as follows:
The results obtained from executing the “sekurlsa::logonpasswords” command provide valuable insights into compromised credentials.
To detect such activities, we can leverage a different Sysmon event. By monitoring “Sysmon Event ID 10”, which corresponds to “ProcessAccess” events, we can identify any suspicious attempts to access LSASS.
⭐️For example, if we notice an unexpected executable (in this case “mimikatz.exe”) from an unusual folder (in this case “Tools”) attempting to access “LSASS”, this indicates abnormal behavior.
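The following PowerShell is an added example, not code from the original post, that turns both sets of IOCs discussed above into a triage script: the Event ID 7 case (a System32 DLL name loaded from a writable directory, or an unsigned DLL loaded by a binary running outside System32) and the Event ID 10 case (a process outside System32 opening a handle to LSASS). It reads from the “Microsoft-Windows-Sysmon/Operational” log; the field names are the ones Sysmon writes to EventData, while the sample events and the “outside System32” allow-list rule are assumptions of this example.

```powershell
# Added example: triage Sysmon Event ID 7 (Image Loaded) and Event ID 10 (Process Access).
$System32 = Join-Path $env:SystemRoot 'System32'     # normally C:\Windows\System32

function Test-UnderSystem32 ([string]$Path) {
    return $Path.StartsWith("$System32\", [StringComparison]::OrdinalIgnoreCase)
}

# Flatten one EventRecord from Microsoft-Windows-Sysmon/Operational into a hashtable of EventData fields.
function ConvertFrom-SysmonEvent ([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $e = @{ EventId = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $e[$d.GetAttribute('Name')] = $d.InnerText }
    return $e
}

# Event ID 7: a DLL whose name also exists in System32 but was loaded from somewhere else
# (e.g. WININET.dll next to a copied calc.exe), or an unsigned DLL loaded by a process outside System32.
function Test-SuspiciousImageLoad ([hashtable]$E) {
    if (-not $E.ImageLoaded) { return $false }
    $sysCopy  = Test-Path (Join-Path $System32 ([IO.Path]::GetFileName($E.ImageLoaded)))
    $fromElse = -not (Test-UnderSystem32 $E.ImageLoaded)
    $unsigned = $E.Signed -ne 'true'
    return ($sysCopy -and $fromElse) -or ($unsigned -and -not (Test-UnderSystem32 $E.Image))
}

# Event ID 10: any handle to lsass.exe opened by a process that does not live in System32 (assumed allow-list).
function Test-SuspiciousLsassAccess ([hashtable]$E) {
    return $E.TargetImage -like '*\lsass.exe' -and -not (Test-UnderSystem32 $E.SourceImage)
}

# Emit one line per suspicious event arriving on the pipeline.
function Select-SysmonFindings {
    param([Parameter(ValueFromPipeline)][hashtable]$E)
    process {
        if ($E.EventId -eq 7 -and (Test-SuspiciousImageLoad $E)) {
            "[ID 7] $($E.Image) loaded $($E.ImageLoaded) (Signed=$($E.Signed))"
        } elseif ($E.EventId -eq 10 -and (Test-SuspiciousLsassAccess $E)) {
            "[ID 10] $($E.SourceImage) accessed $($E.TargetImage)"
        }
    }
}

# Constructed sample events mirroring the post's scenarios (not real log records); only the first and third fire.
@(
    @{ EventId = 7;  Image = 'C:\Users\lab\Desktop\calc.exe'; ImageLoaded = 'C:\Users\lab\Desktop\WININET.dll'; Signed = 'false' },
    @{ EventId = 7;  Image = 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'; ImageLoaded = "$System32\msasn1.dll"; Signed = 'true' },
    @{ EventId = 10; SourceImage = 'C:\Tools\mimikatz.exe'; TargetImage = "$System32\lsass.exe" }
) | Select-SysmonFindings

# Live run against the local Sysmon log (elevated prompt required).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7, 10 } -MaxEvents 5000 |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } | Select-SysmonFindings
```

Legitimate security products also open handles to LSASS, so the Event ID 10 rule needs its allow-list extended to the paths of whatever EDR or antivirus runs in your environment before it is used for alerting.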
In conclusion, as you navigate this dynamic environment, remember: “Knowledge is your shield and vigilance is your sword!”. Keep securing, keep learning and stay one step ahead in the cybersecurity game.
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤
Resources:
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
https://github.com/SwiftOnSecurity/sysmon-config
https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking
https://github.com/stephenfewer/ReflectiveDLLInjection/tree/master/bin
https://attack.mitre.org/techniques/T1003/001
https://github.com/gentilkiwi/mimikatz
https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz