Using PowerShell To Find Fraudulent DLLs
We've talked a lot on here about offensive stuff as of late, so let's shift gears and think about some methods for detecting what we've done. In the image below we have a real and a fake DLL. Looking at the file details, it's pretty easy to spot which one is the original.
In the supposed "libcurl.dll" we can see that a lot of file details are missing. That's a good jumping-off point for working out how to detect and identify files like these. One quick note: I deliberately didn't want to rely primarily on the Digital Signatures portion of the file properties, because legitimate files often ship without a signature.
At first I wanted to use YARA, but YARA's strong point is detecting when strings DO exist, much less so when they don't. So I moved on to PowerShell. As you can see above, it's a lot easier and gives us what we want in a nicely formatted list. What we need now is to run this recursively over a directory, which we can do by putting $Env:USERPROFILE\Desktop in place of the file name, and to filter on the VersionInfo fields to see if they're empty. That's also not very difficult with the -Property parameter.
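Here is an added PowerShell example (not the original post's script) that does the recursive sweep described above: it walks every DLL under the Desktop, reports the ones whose VersionInfo is missing key publisher fields, and, as a secondary signal only, tags each hit with its Authenticode status. The directory in $root and the list of fields treated as "key" are my assumptions.

```powershell
# Added example: recursively flag DLLs whose version resource lacks publisher details.
# Assumption: we sweep the Desktop, as in the post; change $root for other paths.
$root = Join-Path $Env:USERPROFILE 'Desktop'

# Fields a normally built, vendor-shipped DLL almost always carries (assumed list).
$keyFields = 'CompanyName', 'ProductName', 'FileDescription', 'FileVersion'

Get-ChildItem -Path $root -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo          # FileVersionInfo parsed from the PE resource
        $missing = @()
        foreach ($f in $keyFields) {
            # Treat empty or whitespace-only values the same as absent ones
            if ([string]::IsNullOrWhiteSpace($vi.$f)) { $missing += $f }
        }
        if ($missing.Count -gt 0) {
            [PSCustomObject]@{
                Path            = $_.FullName
                CompanyName     = $vi.CompanyName
                FileDescription = $vi.FileDescription
                FileVersion     = $vi.FileVersion
                MissingFields   = ($missing -join ',')
                # Secondary signal only: many legitimate files are NotSigned too
                Signature       = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
    } |
    Sort-Object -Property MissingFields -Descending |
    Format-Table -AutoSize
```

Version resources are trivially forgeable, so a hit here is a lead to investigate, not a verdict; an empty result does not mean a directory is clean.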
Hhhmmm, now which one is the real libcurl...
And there we go: we can pull some quick file information from a directory and check for binaries missing key publisher information. This won't catch sophisticated attackers, but you may find some interesting files worth investigating further this way.