DOI QR코드

DOI QR Code

A Study on the Tracking and Blocking of Malicious Actors through Thread-Based Monitoring

스레드 기반 모니터링을 통한 악의적인 행위 주체 추적 및 차단에 관한 연구

  • Received : 2020.01.09
  • Accepted : 2020.02.06
  • Published : 2020.02.29

Abstract

With the recent advancement of malware, the actors performing malicious tasks are often not processes. Malicious code injected into the process that is installed by default in the operating system works thread by thread in the same way as DLL / code injection. In this case, diagnosing and blocking the process as malicious can cause serious problems with system operation. This white paper lists the problems of how to use process-based monitoring information to identify and block the malicious state of a process and presents an improved solution.

Acknowledgement

Grant : 사이버전 모의전투 기술

Supported by : 국방과학연구소

References

  1. Myungcheol Lee, Daesung Moon and Ikkyun Kim, "Real-time Abnormal Behavior Detection System based on Fast Data," Journal of The Korea Institute of information Security & Cryptology, 25(5), pp. 1027-1041, Oct. 2015. https://doi.org/10.13089/JKIISC.2015.25.5.1027
  2. Microsoft Docs, "Filter Manager and Minifilter Driver Architecture" https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-and-minifilter-driver-architecture/, Jan. 7 2020.
  3. Microsoft Docs, "Process Monitor" https://docs.microsoft.com/en-us/sysinternals/downloads/procmon/, Jan. 7 2020.
  4. Microsoft Docs, "CmRegisterCallbackEx" https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-cmregistercallbackex/, Jan. 7 2020.
  5. Microsoft Docs, "PsSetCreateProcessNotifyRoutineEx" https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex/, Jan. 7 2020.
  6. Microsoft Docs, "PsSetCreateThreadNotifyRoutine" https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreatethreadnotifyroutine/, Jan. 7 2020.
  7. Wikipedia, "Fileless malware" https://en.wikipedia.org/wiki/Fileless_malware, Jan. 7 2020.
  8. Trendmicro, "Command and Control [C&C] Server" https://www.trendmicro.com/vinfo/us/security/definition/command-and-control-server, Jan. 7 2020.
  9. Red Teaming Experiments, "Reflective DLL Injection" https://ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection, Jan. 7 2020.
  10. Microsoft Docs, "CRITICAL_OBJECT_T ERMINATION" https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xf4-critical-object-termination, Jan. 7 2020.
  11. Raymond J. Canzanese, Jr, "Detection and classification of malicious processes using system call analysis," Doctor of Philosophy, Drexel University, May 2015.
  12. Microsoft Docs, "PsGetCurrentProcessId" https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nfntddk-psgetcurrentprocessid/, Jan. 7 2020.
  13. Microsoft Docs, "PsGetCurrentThreadId" https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nfntddk-psgetcurrentthreadid/, Jan. 7 2020.
  14. Microsoft Docs, "CreateRemoteThread" https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread/, Jan. 7 2020.
  15. Wikipedia, "Hash table" https://en.wikipedia.org/wiki/Hash_table, Jan. 7 2020.
  16. Wikipedia, "CryptoLocker" https://en.wikipedia.org/wiki/CryptoLocker, Jan.7 2020.
  17. Malwarebytes, "GandCrab" https://www.malwarebytes.com/gandcrab/, Jan.7 2020.
  18. PCrisk, "SymmyWare" https://www.pcrisk.com/removal-guides/13980-symmyware-ransomware, Jan. 7 2020.