Using PowerShell To Find Fraudulent DLLs
We've talked a lot on here about offensive stuff as of late, so let's shift gears and think about some methods for detecting what we've done. In the image below we have a real and a fake DLL. Looking at the file details it's pretty easy to spot which one is the original.
In the supposed "libcurl.dll" we can see a lot of file details are missing. This is a good jumping off point to start working on how to detect and identify files similar to these. One quick point, I wanted to not rely on the Digital Signatures file portion primarily because legitimate files can often come without this.
At first I wanted to use Yara but Yaras strong point is detecting when strings DO exist, less so when they don't. So I moved onto Powershell.$Env:USERPROFILE\Desktop in place of the file name, and we need to filter on the VersionInfo parameters to see if they're empty. Also not super difficult with the -property flag.
Hhhmmm, now which one is the real libcurl...
And there we go, we can get some quick file information from a directory and check for programs missing key publisher information. This won't catch sophisticated attackers, but you may find some interesting files worth investigating further this way.