Comparing DLL List Before and After for a Process
# Start by changing to a scratch directory; the two module snapshots taken below are written here. | |
# NOTE(review): the session must be elevated to read lsass.exe's module list, and with LSA protection | |
# (RunAsPPL) enabled the read is expected to fail outright -- confirm on the target before relying on this. | |
PS C:\WINDOWS\system32> cd \temp | |
# Get-Process (alias ps) with -Module lists every module loaded in the named process (lsass here). | |
# Select-Object ModuleName trims the table to the module names only. This first run is the baseline. | |
PS C:\temp> ps -Name lsass -Module | Select-Object ModuleName | |
ModuleName | |
---------- | |
lsass.exe | |
ntdll.dll | |
KERNEL32.DLL | |
KERNELBASE.dll | |
RPCRT4.dll | |
lsasrv.dll | |
msvcrt.dll | |
WS2_32.dll | |
SspiCli.dll | |
sechost.dll | |
WLDAP32.dll | |
ucrtbase.dll | |
MSASN1.dll | |
samsrv.dll | |
CRYPT32.dll | |
bcrypt.dll | |
ncrypt.dll | |
NTASN1.dll | |
Wldp.dll | |
combase.dll | |
bcryptPrimitives.dll | |
WINTRUST.dll | |
advapi32.dll | |
msprivs.DLL | |
netprovfw.dll | |
JOINUTIL.DLL | |
negoexts.DLL | |
CRYPTBASE.dll | |
CRYPTSP.dll | |
kerberos.DLL | |
KerbClientShared.dll | |
cryptdll.dll | |
mswsock.dll | |
msv1_0.DLL | |
NtlmShared.dll | |
netlogon.DLL | |
powrprof.dll | |
USERENV.dll | |
profapi.dll | |
gmsaclient.dll | |
netutils.dll | |
DNSAPI.dll | |
NSI.dll | |
IPHLPAPI.DLL | |
tspkg.DLL | |
pku2u.DLL | |
cloudAP.DLL | |
MicrosoftAccountCloudAP.dll | |
DPAPI.DLL | |
rsaenh.dll | |
wdigest.DLL | |
schannel.DLL | |
efslsaext.dll | |
dpapisrv.dll | |
SspiSrv.dll | |
KDCPW.DLL | |
scecli.DLL | |
winsta.dll | |
wevtapi.dll | |
msvcp_win.dll | |
keyiso.dll | |
NCRYPTPROV.DLL | |
ngcpopkeysrv.dll | |
OLEAUT32.dll | |
PCPKsp.dll | |
ntmarta.dll | |
tbs.dll | |
AUTHZ.dll | |
ncryptsslp.dll | |
dssenh.dll | |
gpapi.dll | |
mskeyprotect.dll | |
vaultsvc.dll | |
# Repeat the command, redirecting the output to "before.txt" instead of the screen. | |
# NOTE(review): in Windows PowerShell 5.1 the > redirection writes UTF-16LE; Get-Content below reads | |
# that back transparently, but third-party diff tools expecting ASCII/UTF-8 may not. | |
PS C:\temp> ps -Name lsass -Module | Select-Object ModuleName >before.txt | |
# Next, mount the attack: establish a Meterpreter session with Metasploit and migrate into lsass.exe. | |
# Once the attack is done, take the second snapshot of lsass modules into "after.txt". | |
# Take both snapshots from the same elevated session, so privilege differences do not surface as "new" DLLs. | |
PS C:\temp> ps -Name lsass -Module | Select-Object ModuleName >after.txt | |
# Compare the two snapshots with Compare-Object. Rows marked "=>" exist only in after.txt (added since | |
# the baseline); "<=" would mark modules present only in before.txt. Compare-Object matches strings | |
# case-insensitively by default, which suits the mixed-case module names above. | |
PS C:\temp> Compare-Object -ReferenceObject (Get-Content -Path .\before.txt) -DifferenceObject (Get-Content -Path .\after.txt) | |
InputObject SideIndicator | |
----------- ------------- | |
certpoleng.dll => | |
wkscli.dll => | |
WININET.dll => | |
WINHTTP.dll => | |
USER32.dll => | |
win32u.dll => | |
GDI32.dll => | |
gdi32full.dll => | |
ole32.dll => | |
PSAPI.DLL => | |
WINMM.dll => | |
WINMMBASE.dll => | |
cfgmgr32.dll => | |
SHLWAPI.dll => | |
MPR.dll => | |
NETAPI32.dll => | |
cscapi.dll => | |
# 17 new modules appeared in lsass after the migration. NOTE(review): a reflectively loaded payload would | |
# not show up in this list, only the DLLs it pulls in through the normal loader, so treat it as a lower bound. | |
# The telling additions are WININET.dll / WINHTTP.dll (presumably the HTTP(S) reverse transport -- verify | |
# against the payload that was used) and UI/multimedia libraries such as USER32, GDI32 and WINMM, which a | |
# headless security subsystem has no reason to load. NETAPI32.dll on its own is a weaker indicator: the | |
# baseline already contained WS2_32, WLDAP32, mswsock and DNSAPI, so lsass does talk on the network for | |
# authentication traffic. Treat the diff as an indicator rather than proof: confirm by listing module paths | |
# (Select-Object ModuleName, FileName) and checking the signatures of anything unsigned or in an odd path. | |
# Whoever injected into lsass held privileged access and could read credential material from it. |