Finding .Net Assemblies

Michael Haag
3 min read · Jan 20, 2022

With all the buzz around #WhisperGate, something stood out to me that was not covered in a few of the articles. Elastic called out the move of, and process hollowing into, InstallUtil.exe. For us, we have content written around InstallUtil.exe and there are many Atomics we’ve tested and modified, but the moving and process hollowing I didn’t have. In particular, I know from experience watching a .NET assembly get moved and hollowed into that there will be no command-line arguments, so most of my content will not fire. The move itself, however, is important to me now. From past work, I know there are many native .NET assemblies on Windows. Some even come in via SDKs or other developer tools. The native ones are probably the most interesting. How do we find them?

I found this script written by TheWover: Find-Assemblies.ps1 (we wrote something similar previously, but this one is much sexier for sharing).

This is very easy to use. For my use case, I ran it against both Server 2016 and Windows 11. I know I am not getting _everything_, but at least we’re getting 43 of the most common.

. .\Find-Assemblies.ps1 -Directory 'C:\Windows' -Recurse
Find-Assemblies
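For readers who want to see what a scanner like this has to check, here is an added Python example (my own illustration, not TheWover's script and not code from the post). It decides whether a PE file is a managed assembly by reading the optional header's data directory table and testing the CLR runtime header entry (index 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR): native images leave it zero, managed EXEs and DLLs point it at their IMAGE_COR20_HEADER. The function and file names, and the header-only sample PEs built by `build_minimal_pe`, are constructed for the example; on a real system you would point `find_assemblies` at `C:\Windows` the way the post does with `-Directory`.

```python
import os
import struct
import tempfile

# Index of the CLR runtime header (IMAGE_COR20_HEADER) in the optional
# header's data directory table.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def is_dotnet_assembly(data: bytes) -> bool:
    """Return True if the PE image in `data` carries a non-empty CLR header.

    Works for PE32 and PE32+, EXE or DLL. Every offset is bounds-checked so a
    truncated or junk file returns False instead of raising.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 2 or opt + size_of_optional > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                      # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        return False
    if num_dirs_off + 4 > size_of_optional:
        return False
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR or entry + 8 > opt + size_of_optional:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def find_assemblies(root: str, recurse: bool = True):
    """Walk `root` and yield paths of .exe/.dll files that are .NET assemblies."""
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []                  # stop os.walk from descending
        for name in filenames:
            if not name.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)      # all the headers live in the first page
            except OSError:
                continue                      # unreadable file: skip it
            if is_dotnet_assembly(head):
                yield path


def build_minimal_pe(pe32plus: bool, clr_header: bool) -> bytes:
    """Construct a header-only PE image for testing (parseable, not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dirs_off = 112 if pe32plus else 96
    opt = bytearray(dirs_off + 16 * 8)        # full 16-entry directory table
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dirs_off - 4, 16)   # NumberOfRvaAndSizes
    if clr_header:
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                         0x2008, 0x48)        # constructed RVA/size of the CLR header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo_scan() -> list:
    """Write constructed sample binaries into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "managed64.exe": build_minimal_pe(True, True),
            "managed32.dll": build_minimal_pe(False, True),
            "native64.exe": build_minimal_pe(True, False),
            "notes.txt": build_minimal_pe(True, True),   # wrong extension: ignored
        }
        os.mkdir(os.path.join(tmp, "sub"))
        for name, blob in samples.items():
            with open(os.path.join(tmp, "sub", name), "wb") as fh:
                fh.write(blob)
        return sorted(os.path.basename(p) for p in find_assemblies(tmp))


if __name__ == "__main__":
    print(demo_scan())                        # ['managed32.dll', 'managed64.exe']
```

Reading only the first 4 KiB per file keeps a whole-drive walk cheap, and checking the data directory rather than loading the file with the reflection API means the scan never executes anything from the candidate binary.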

With this list, I deduplicated the binary names and paths and created a Splunk lookup. This requires the latest Sysmon TA, CIM 4.20 and up, and ESCU.

Upload it to Splunk as a new lookup and give it a name.

Now, let’s test it out. I pulled the common paths out of my list and excluded them:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

Then I add my lookup:

| lookup update=true is_net_windows_file_origname filename as process_name OUTPUT netFile
| lookup update=true is_net_windows_file_origname originalFileName as original_file_name OUTPUT netFile
| search netFile=True

A bit of sorcery here. I learned that you can chain two lookups like this, and it sort of changed the game on this query for me. In particular, if the binary is moved and renamed, well, it will not be called installutil.exe. The first lookup is on the process_name and the second uses the original_file_name. I cross-referenced between my local system and Strontic, so they should _all_ be accurate. Update as needed.

Final query:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*", "*\\Windows\\SystemApps\\*", "*\\WinSxS\\*", "*\\Windows\\Microsoft.NET\\*")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup update=true is_net_windows_file_origname filename as process_name OUTPUT netFile
| lookup update=true is_net_windows_file_origname originalFileName as original_file_name OUTPUT netFile
| search netFile=True
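To make the two-lookup logic of the final query concrete, here is an added Python emulation of it (my own example, not the post's content or a Splunk feature). It applies the same path exclusions, then the same two `lookup update=true ... OUTPUT netFile` steps against a constructed stand-in for the `is_net_windows_file_origname` table (the post's real table has 43 rows; the three here are illustrative), and keeps only events where `netFile` ends up `True`. The sample events are constructed and include the renamed-copy case the post tests with `copy-item`, where process_name no longer matches but original_file_name still does.

```python
import fnmatch

# Path exclusions from the tstats query (SPL wildcards), matched
# case-insensitively against the full process_path.
EXCLUDED_PATHS = [
    r"*\Windows\ADWS\*",
    r"*\Windows\SysWOW64*",
    r"*\Windows\system32*",
    r"*\Windows\NetworkController\*",
    r"*\Windows\SystemApps\*",
    r"*\WinSxS\*",
    r"*\Windows\Microsoft.NET\*",
]

# Constructed stand-in for the is_net_windows_file_origname lookup.
NET_LOOKUP = [
    {"filename": "InstallUtil.exe", "originalFileName": "InstallUtil.exe", "netFile": "True"},
    {"filename": "RegAsm.exe", "originalFileName": "RegAsm.exe", "netFile": "True"},
    {"filename": "RegSvcs.exe", "originalFileName": "RegSvcs.exe", "netFile": "True"},
]

# Constructed Endpoint.Processes rows, already flattened by drop_dm_object_name.
SAMPLE_EVENTS = [
    {"dest": "ws01", "process_name": "InstallUtil.exe", "original_file_name": "InstallUtil.exe",
     "process_path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
    {"dest": "ws01", "process_name": "installut.exe", "original_file_name": "InstallUtil.exe",
     "process_path": r"C:\temp\installut.exe"},          # moved and renamed copy
    {"dest": "ws02", "process_name": "notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "process_path": r"C:\temp\notepad.exe"},            # native binary, not in lookup
    {"dest": "ws02", "process_name": "RegAsm.exe", "original_file_name": "RegAsm.exe",
     "process_path": r"C:\Users\Public\RegAsm.exe"},     # moved, name unchanged
    {"dest": "ws03", "process_name": "InstallUtil.exe", "original_file_name": "InstallUtil.exe",
     "process_path": r"C:\Windows\WinSxS\constructed_sxs_dir\InstallUtil.exe"},  # excluded path
]


def in_excluded_path(process_path: str) -> bool:
    """True if process_path matches any of the query's NOT ... IN (...) patterns."""
    p = process_path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in EXCLUDED_PATHS)


def apply_lookup(event: dict, lookup: list, lookup_key: str, event_field: str,
                 output: str = "netFile") -> dict:
    """Emulate `lookup update=true <table> <lookup_key> as <event_field> OUTPUT <output>`.

    With update=true a matching row overwrites the output field; a miss leaves
    whatever an earlier lookup already put there, so two lookups OR together.
    """
    value = event.get(event_field, "").lower()
    for row in lookup:
        if row[lookup_key].lower() == value:
            event[output] = row[output]
            break
    return event


def flag_moved_net_assemblies(events: list) -> list:
    """Return the events the final query would surface (netFile=True)."""
    hits = []
    for raw in events:
        ev = dict(raw)
        if in_excluded_path(ev["process_path"]):
            continue
        apply_lookup(ev, NET_LOOKUP, "filename", "process_name")
        apply_lookup(ev, NET_LOOKUP, "originalFileName", "original_file_name")
        if ev.get("netFile") == "True":
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_moved_net_assemblies(SAMPLE_EVENTS):
        print(hit["dest"], hit["process_name"], hit["process_path"])
```

The second lookup is what catches the renamed copy: Sysmon populates OriginalFileName from the binary's version resource, which a rename on disk does not change, so `installut.exe` still carries `InstallUtil.exe` there. A hollowed copy that has also had its version resource stripped would slip past both lookups, which is the gap the path exclusions cannot close.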

There will definitely be other binaries out there I missed, depending on SDKs and developer utilities; however, this is a great start.

Copy a few binaries around and run the query:

copy-item C:\Windows\WinSxS\x86_installutil_b03f5f7f11d50a3a_4.0.15744.161_none_12f75b90c6cbba6c\InstallUtil.exe c:\temp\installut.exe

This analytic will identify a moved and renamed .NET assembly on Windows. I hope you found this useful in seeing some of the behind-the-scenes detection engineering that goes into writing content.
