Common Information
Type Value
Value
Process Injection - T1055
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. ===Windows=== There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Engame Process Injection July 2017) * '''Dynamic-link library (DLL) injection''' involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread. * '''Portable executable injection''' involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017) * '''Thread execution hijacking''' involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended. * '''Asynchronous Procedure Call''' (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is a variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table) * '''Thread Local Storage''' (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017) ===Mac and Linux=== Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle) *'''LD_PRELOAD, LD_LIBRARY_PATH''' (Linux), '''DYLD_INSERT_LIBRARIES''' (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997) *'''Ptrace system calls''' can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle) *'''/proc/[pid]/mem''' provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle) *'''VDSO hijacking''' performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009) Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. Detection: Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017) Monitoring for Linux specific calls such as the ptrace system call, the use of LD_PRELOAD environment variable, or dlfcn dynamic linking API calls, should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. (Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) Monitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules. (Citation: Microsoft Sysmon v6 May 2017) Monitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit, (Citation: Powersploit) so additional PowerShell monitoring may be required to cover known implementations of this behavior. Platforms: Linux, macOS, Windows Data Sources: API monitoring, Windows Registry, File monitoring, DLL monitoring, Named Pipes, Process Monitoring Effective Permissions: User, Administrator, SYSTEM, root Defense Bypassed: Process whitelisting, Anti-virus Permissions Required: User, Administrator, SYSTEM, root Contributors: Anastasios Pingios
Details Published Attributes CTI Title
Details Website 2023-05-28 7 botnet hiding under valid dns
Details Website 2023-05-23 30 Acheron - Indirect Syscalls For AV/EDR Evasion In Go Assembly - RedPacket Security
Details Website 2023-05-22 23 What Is MITRE ATT&CK?
Details Website 2023-05-22 44 Back in Black: BlackByte Ransomware returns with its New Technology (NT) version
Details Website 2023-05-22 141 IcedID Macro Ends in Nokoyawa Ransomware - The DFIR Report
Details Website 2023-05-20 0 Book Summary – “Evasive Malware: Understanding Deceptive and Self-Defending Threats”
Details Website 2023-05-18 1 Smoke Loader ShellCode Analysis
Details Website 2023-05-17 5 Merdoor Malware Detection: Lancefly APT Uses a Stealthy Backdoor in Long-Running Attacks Against Organizations in South and Southeast Asia - SOC Prime
Details Website 2023-05-17 25 AndoryuBot's DDOS Rampage
Details Website 2023-05-16 3 Hack KeePass - Extract KeePass master password from Memory using this tool
Details Website 2023-05-15 1 Introducing CS2BR pt. I – How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs
Details Website 2023-05-15 148 Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Details Website 2023-05-12 138 Securonix Threat Labs Security Advisory: Latest Update: Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads
Details Website 2023-05-11 0 Nighthawk 0.2.4 - Taking Out The Trash - MDSec
Details Website 2023-05-09 19 Threat Assessment: Royal Ransomware
Details Website 2023-05-06 17 TryHackMe| Abusing Windows Internals
Details Website 2023-05-05 50 Elastic users protected from SUDDENICON’s supply chain attack — Elastic Security Labs
Details Website 2023-05-01 47 SeroXen RAT for sale
Details Website 2023-04-28 19 Unlocking the power of Red Teaming: An overview of trainings and certifications
Details Website 2023-04-28 32 Citrix Users at Risk: AresLoader Spreading Through Disguised GitLab Repo
Details Website 2023-04-27 1 Hackers used fake Chrome updates to distribute malware
Details Website 2023-04-25 48 The Claws of Evilcode Gauntlet - XWorm RAT   - Avira Blog
Details Website 2023-04-25 54 Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server
Details Website 2023-04-25 3 RSA 2023 Update: Cynet unveils updates to endpoint detection and prevention services
Details Website 2023-04-24 12 Mustang Panda - PE Injection through Opera Mail - K7 Labs