App Control: Is There a Way to Monitor for Process Hollowing and dll Injection in App Control?
Article ID: 287203

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Is there a way to monitor for process hollowing and dll injection in App Control?

Environment

  • App Control Server: 8.1.6 and Higher

Resolution

Potentially, but several factors affect how much visibility App Control has:
  • App Control can protect a process's memory address space when that address space is fixed. Whether this applies depends on how the executable memory in the child process is filled.
  • App Control has a rapid config that blocks Doppelganging, in which the parent process uses NTFS file transactions to overwrite a good file inside a transaction, starts a program from it, then cancels the transaction to hide its tracks.
  • If the parent process performs a normal load-for-execute within the child process, this is detected and processed through rules as usual, and unapproved content is blocked.
  • The parent process could generate the memory contents from some other source, which is not directly detectable. App Control can block writing to child process memory, but this can easily become a complex rule set: it would need testing in the client's environment to confirm that the rule does not break legitimate operations. This is something to pursue with Professional Services, as rule creation is out of scope for Support.

Additional Information

The Endpoint Standard product is better suited to blocking code injection and similar techniques.