Detecting When Someone Isn't Who They Say They Are

Using PowerShell To Find Fraudulent DLLs

We've talked a lot on here about offensive stuff as of late, so let's shift gears and think about some methods for detecting what we've done. In the image below we have a real and a fake DLL. Looking at the file details, it's pretty easy to spot which one is the original.

In the supposed "libcurl.dll" we can see that a lot of the file details are missing. This is a good jumping-off point for working out how to detect and identify files like these. One quick point: I deliberately did not rely on the Digital Signatures portion of the file properties, mainly because legitimate files often ship without a signature.

At first I wanted to use YARA, but YARA's strong point is detecting when strings DO exist, less so when they don't. So I moved on to PowerShell.
And as you can see above, it's a lot easier and gives us what we want in a nicely formatted list. What we need now is to run this recursively over a directory, which we can do by passing a directory such as $Env:USERPROFILE\Desktop in place of the file name, and to filter on the VersionInfo properties to see whether they are empty. That's also not difficult with the -Property parameter.
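Here is that recursive check written out as an added example (not the post's own snippet); the function name Find-SuspiciousBinaries and the default list of required fields are my choices, and the comparison of the embedded OriginalFilename against the on-disk name goes one step beyond what the post describes.

```powershell
# Added example (not the post's own snippet). Recursively lists DLL/EXE files under
# a directory and reports those whose VersionInfo is missing the fields a legitimate
# publisher normally fills in. Function name and default field list are my choices.
function Find-SuspiciousBinaries {
    param(
        # Directory to scan; the post used the Desktop as its test folder.
        [string]$Path = "$Env:USERPROFILE\Desktop",
        # VersionInfo fields that a properly built binary should carry.
        [string[]]$RequiredFields = @('CompanyName', 'FileDescription', 'ProductName', 'FileVersion')
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.dll,*.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $vi   = $file.VersionInfo

            # Collect every required field that is empty or whitespace.
            $missing = $RequiredFields | Where-Object { [string]::IsNullOrWhiteSpace($vi.$_) }

            # Extra check beyond the post: a binary whose embedded OriginalFilename does not
            # match its on-disk name may have been renamed to impersonate another file.
            # PowerShell's -ne is case-insensitive, so libcurl.dll and LIBCURL.DLL still match.
            $nameMismatch = [bool]($vi.OriginalFilename -and ($vi.OriginalFilename -ne $file.Name))

            [PSCustomObject]@{
                Path             = $file.FullName
                MissingFields    = ($missing -join ', ')
                OriginalFilename = $vi.OriginalFilename
                NameMismatch     = $nameMismatch
            }
        } |
        # Keep only files with at least one empty field or a name mismatch.
        Where-Object { $_.MissingFields -or $_.NameMismatch }
}

# Example run: scan the Desktop and show the hits as a table.
Find-SuspiciousBinaries | Format-Table -AutoSize
```

Some legitimate binaries also omit one or two of these fields, so treat a hit as a lead to investigate rather than a verdict.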

Hhhmmm, now which one is the real libcurl...

And there we go, we can get some quick file information from a directory and check for programs missing key publisher information. This won't catch sophisticated attackers, but you may find some interesting files worth investigating further this way.

This post is licensed under CC BY 4.0 by the author.