#5 - Legitimate Modules, Illegitimate uses
This week’s trivia isn’t a question, but actually just a fun fact.
Cobalt Strike is known to be able to live completely off the land, and that’s one of the major reasons why it’s so hard to catch! So if we can’t look for malicious modules, what can we look for?
Decompiling Cobalt Strike, you can actually find two lists of DLLs, one for x64 and one for x86. As you might have guessed, this is the list of DLLs that Cobalt Strike requires to be able to live natively. It checks that these DLLs are loaded and ready to use.
So where is this useful? Searching for processes that contain this specific set of DLLs can help narrow down suspect processes, especially if you can compare against a list of the modules that the process normally loads. I previously created a Machine Learning model to do just that: iterate through all processes, document the frequency of the modules loaded into each process, and alert on anomalous module loads or sets of module loads such as the Cobalt Strike list.
Imports can also be a great way to weed out suspicious processes. Comparing the imports a file declares against the modules actually loaded helps.
To expand this a little further, comparing not only module names but the paths they were loaded from can help detect search order hijacking. Say ntdll.dll gets loaded 100% of the time, but what happens if it gets loaded out of C:\Windows\?
Hopefully this brain dump was insightful, but I couldn’t find a good way to word this as a question. Below are both of the DLL lists:
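The hunt described in the last three paragraphs, worked through as an added example (not the post's own code or model, and not anything from Cobalt Strike): a per-image baseline of module-load frequency, the Cobalt Strike DLL set treated as one high-signal combination, and a load-path check for search order hijacking. The process inventories, baseline counts, expected system directories and the 5% anomaly threshold are all constructed assumptions; the only page-derived data is the x64 DLL list.

```python
"""Offline simulation of the module-load hunt described in the post.

Added example, not code from the post or from Cobalt Strike.  Every process
inventory, baseline count and expected directory here is CONSTRUCTED sample
data; the only page-derived data is the x64 DLL list.
"""
from collections import Counter
from pathlib import PureWindowsPath

# The x64 DLL list reproduced in the post, normalised to lower case.
COBALT_STRIKE_X64 = {n.lower() for n in """
advapi32.dll api-ms-win-downlevel-advapi32-l1-1-0.dll
api-ms-win-downlevel-advapi32-l2-1-0.dll api-ms-win-downlevel-normaliz-l1-1-0.dll
api-ms-win-downlevel-ole32-l1-1-0.dll api-ms-win-downlevel-shlwapi-l1-1-0.dll
api-ms-win-downlevel-shlwapi-l2-1-0.dll api-ms-win-downlevel-user32-l1-1-0.dll
api-ms-win-downlevel-version-l1-1-0.dll apisetschema.dll comctl32.dll counters.dat
cryptbase.dll cryptsp.dll dnsapi.dll FWPUCLNT.DLL gdi32.dll iertutil.dll
imagehlp.dll imm32.dll IPHLPAPI.DLL kernel32.dll KernelBase.dll locale.nls lpk.dll
msctf.dll msvcrt.dll mswsock.dll NapiNSP.dll nlaapi.dll normaliz.dll nsi.dll
ntdll.dll ole32.dll oleaut32.dll pnrpnsp.dll profapi.dll rasadhlp.dll rpcrt4.dll
rsaenh.dll sechost.dll secur32.dll shell32.dll shlwapi.dll SortDefault.nls
sspicli.dll urlmon.dll user32.dll usp10.dll version.dll wininet.dll winnsi.dll
winrnr.dll ws2_32.dll wship6.dll WSHTCPIP.DLL
""".split()}

# Directories a system module is expected to load from (assumption: a default
# Windows install; in practice derive this per image from the same baseline).
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed baseline: image -> (instances observed, module -> instances in
# which that module was loaded).  Transitive dependencies land here naturally.
BASELINE = {
    "rundll32.exe": (1000, Counter({
        "ntdll.dll": 1000, "kernel32.dll": 1000, "kernelbase.dll": 1000,
        "msvcrt.dll": 990, "user32.dll": 800, "advapi32.dll": 700,
        "wininet.dll": 12, "dnsapi.dll": 9})),
    "explorer.exe": (1000, Counter({
        "ntdll.dll": 1000, "kernel32.dll": 1000, "kernelbase.dll": 1000,
        "shell32.dll": 1000, "user32.dll": 1000})),
}

def _sys32(name):
    return fr"C:\Windows\System32\{name}"

# Constructed inventories: image, pid, {module name: full path it loaded from}.
# Real input would come from EDR telemetry or a walk of each process's modules.
SAMPLE_PROCESSES = [
    {"image": "rundll32.exe", "pid": 1001,          # ordinary instance
     "modules": {m: _sys32(m) for m in ("ntdll.dll", "kernel32.dll",
                 "kernelbase.dll", "msvcrt.dll", "user32.dll")}},
    {"image": "rundll32.exe", "pid": 4242,          # loads the whole CS set
     "modules": {m: _sys32(m) for m in COBALT_STRIKE_X64}},
    {"image": "explorer.exe", "pid": 2002,          # ntdll.dll from C:\Windows\
     "modules": {"ntdll.dll": r"C:\Windows\ntdll.dll",
                 **{m: _sys32(m) for m in ("kernel32.dll", "kernelbase.dll",
                                           "shell32.dll", "user32.dll")}}},
]

def cobalt_strike_coverage(modules):
    """Fraction of the Cobalt Strike x64 list present in this process."""
    loaded = {m.lower() for m in modules}
    return len(loaded & COBALT_STRIKE_X64) / len(COBALT_STRIKE_X64)

def anomalous_modules(image, modules, threshold=0.05):
    """Modules seen in fewer than `threshold` of past instances of this image."""
    instances, counts = BASELINE[image]
    return sorted(m for m in (x.lower() for x in modules)
                  if counts[m] / instances < threshold)

def unexpected_paths(modules):
    """Modules whose on-disk directory is not an expected system directory
    (the search order hijacking check from the post)."""
    return sorted(m for m, path in modules.items()
                  if str(PureWindowsPath(path).parent).lower()
                  not in EXPECTED_SYSTEM_DIRS)

def triage(proc):
    """Collect every finding for one process; an empty dict means nothing fired."""
    mods, findings = proc["modules"], {}
    cov = cobalt_strike_coverage(mods)
    if cov >= 0.9:                       # near-complete set is the signal
        findings["cobalt_strike_coverage"] = round(cov, 2)
    if anomalous := anomalous_modules(proc["image"], mods):
        findings["anomalous_modules"] = anomalous
    if paths := unexpected_paths(mods):
        findings["unexpected_paths"] = paths
    return findings

if __name__ == "__main__":
    for proc in SAMPLE_PROCESSES:
        print(proc["image"], proc["pid"], triage(proc) or "clean")
```

The three checks are deliberately independent: pid 4242 is caught by both coverage and per-image frequency, while pid 2002 loads nothing unusual by name and is caught only by the path check, which is the point the post makes about ntdll.dll. Modules loaded from a non-system directory are not automatically malicious (application-local DLLs and KnownDLLs redirection both exist), so the expected-directory set should be built per image from the baseline rather than hard-coded as it is here.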
x86
AcLayers.dll
acwow64.dll
advapi32.dll
api-ms-win-downlevel-advapi32-l1-1-0.dll
api-ms-win-downlevel-advapi32-l2-1-0.dll
api-ms-win-downlevel-normaliz-l1-1-0.dll
api-ms-win-downlevel-ole32-l1-1-0.dll
api-ms-win-downlevel-shlwapi-l1-1-0.dll
api-ms-win-downlevel-shlwapi-l2-1-0.dll
api-ms-win-downlevel-user32-l1-1-0.dll
api-ms-win-downlevel-version-l1-1-0.dll
apisetschema.dll
apphelp.dll
comctl32.dll
counters.dat
cryptbase.dll
cryptsp.dll
dnsapi.dll
FWPUCLNT.DLL
gdi32.dll
iertutil.dll
imagehlp.dll
imm32.dll
IPHLPAPI.DLL
kernel32.dll
KernelBase.dll
locale.nls
lpk.dll
mpr.dll
msctf.dll
msvcrt.dll
mswsock.dll
NapiNSP.dll
nlaapi.dll
normaliz.dll
nsi.dll
ntdll.dll
ntdll.dll
ole32.dll
oleaut32.dll
pnrpnsp.dll
profapi.dll
rasadhlp.dll
rpcrt4.dll
rsaenh.dll
sechost.dll
secur32.dll
shell32.dll
shlwapi.dll
SortDefault.nls
sspicli.dll
urlmon.dll
user32.dll
userenv.dll
usp10.dll
version.dll
wininet.dll
winnsi.dll
winrnr.dll
winspool.drv
wow64.dll
wow64cpu.dll
wow64win.dll
ws2_32.dll
wship6.dll
WSHTCPIP.DLL
x64
advapi32.dll
api-ms-win-downlevel-advapi32-l1-1-0.dll
api-ms-win-downlevel-advapi32-l2-1-0.dll
api-ms-win-downlevel-normaliz-l1-1-0.dll
api-ms-win-downlevel-ole32-l1-1-0.dll
api-ms-win-downlevel-shlwapi-l1-1-0.dll
api-ms-win-downlevel-shlwapi-l2-1-0.dll
api-ms-win-downlevel-user32-l1-1-0.dll
api-ms-win-downlevel-version-l1-1-0.dll
apisetschema.dll
comctl32.dll
counters.dat
cryptbase.dll
cryptsp.dll
dnsapi.dll
FWPUCLNT.DLL
gdi32.dll
iertutil.dll
imagehlp.dll
imm32.dll
IPHLPAPI.DLL
kernel32.dll
KernelBase.dll
locale.nls
lpk.dll
msctf.dll
msvcrt.dll
mswsock.dll
NapiNSP.dll
nlaapi.dll
normaliz.dll
nsi.dll
ntdll.dll
ole32.dll
oleaut32.dll
pnrpnsp.dll
profapi.dll
rasadhlp.dll
rpcrt4.dll
rsaenh.dll
sechost.dll
secur32.dll
shell32.dll
shlwapi.dll
SortDefault.nls
sspicli.dll
urlmon.dll
user32.dll
usp10.dll
version.dll
wininet.dll
winnsi.dll
winrnr.dll
ws2_32.dll
wship6.dll
WSHTCPIP.DLL