The most common MITRE ATT&CK tactic utilized by attackers in their malware was Process Injection. Process injection is a common defense obfuscation technique used in malware that involves running customized code in another process’s main memory. This is also defined as fileless malware
As per the Mitre framework, “Attackers may inject code into processes to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.”
Process Injection allows payloads to be launched within the memory area of a running process, without requiring malicious code to be sent to disc in many circumstances. It allows attackers to carry out malicious behavior via proxy through processes that either contain valuable information (e.g., lsass.exe) or merge in with apparently perfectly natural processes. Malicious activity, whether it’s an explicitly malicious binary or an integrated process, mixes in with normal operating system operations in this way.
Despite the fact that there are a variety of process injection techniques available. The following are some of the most commonly utilized.
- DLL Injection
- P.E. Injection
- Process Hollowing
- Hook Injection
Process Injection is used by attackers in a variety of ways. The following is an attacker’s perspective on the process injection:
- Customized processes may be detected sooner by security controls. As a result, threat actors misuse standard Windows processes like:explorer.exe, svchost.exe, regsvr32.exe, dllhost.exe, services.exe, cvtres.exe,msbuild.exe, RegAsm.exe
- RegSvcs.exe, rundll32.exe,arp.exe, PowerShell.exe, vbc.exe, csc.exe, AppLaunch.exe, and cmd.exe.These are local Windows processes that come pre-installed, so it is challenging for the blue team to identify the attack. Common software processes which we use on daily basis like iexplore.exe, ieuser.exe, opera.exe, chrome.exe, firefox.exe, outlook.exe, and msinm.exe will be also used by the attackers.
- Attackers will inject malware into browsers to normalize network connections that would appear suspicious if launched by a process other than perhaps a browser.
- Embedding code into a browser process to allow spying on a user’s browsing session, a typical feature of banking and other credential-stealing Trojans.
- Most attackers will try to inject the DLLs into the currently running process via remote feature.
- Microsoft products such as office, word, and pre-installed software executables with a high reputation like notepad are mostly used by adversaries to establish external network connections and then inject code to carry out destructive tasks. Microsoft Office apps are used to inject RemoteThreads into dllhost.exe instead of creating suspicious child processes to perform attacks with malicious macros.
- The below .exe files are mostly used by the adversaries for the process injection:
- lsass.exe – used to extract credentials and to dump memories
- svchost.exe – Malware programmers, such as those that create viruses, worms, and Trojan horses, give their processes a similar filename to avoid detection.
- Taskhost.exe – this process will check the Windows Registry on startup to discover dll-based services that need to be loaded. Since it is a generic process that acts as a host for processes that run from dynamic-link libraries (DLL) instead of exe, it can be initiated by lsass.exe into Taskhost.exe.
How to detect process injection:
- Sysmon can be configured to detect process injection:
- Sysmon is used to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
- With the EventID:8 of Sysmon, we can detect the Process Injection technique. Sysmon Event ID 10 will track if the target process is requested and/or granted. Monitor this event in any SIEM products to detect the Process Injection technique.
- Monitoring: Although injection can be undetectable by some techniques of process monitoring, the impacts of the injection become more difficult to miss when comparing process behaviors’ to predicted functionality.
- ptrace system call provides a means by which one process (the “tracer”) may observe and control the execution of another process (the “tracee”), and examine and change the tracee’s memory and registers. This is used in the Linux system. So, monitoring the ptrace system calls on Linux will be more helpful.
- If an API call is called by CreateRemoteThread, it signifies that a process is injecting code into another process via the Windows API. So, monitoring the API system calls that include CreateRemoteThread in Windows by creating a simple rule will help us to detect process injection.
- Creating a rule based on if any unwanted process initiate from the command-line tool is one of the detecting methods.
- The last detection method is the Process Monitor, which can effectively detect Process Injection.
- Sometimes, a legitimate process will be involved in unexpected things. This might be a connection initiating towards an external network via a genuine process or writing files with unwanted command-line arguments. Abnormal process behavior patterns to watch out for include:
- If a process svchost.exe is executing without corresponding command lines and establishing TCP/447 and TCP/449 network connections.
- If CreateRemoteThread is called out by a process mshta.exe.
- If notepad.exe is establishing external network connections.
- Process executions without command-line arguments for rundll32.exe, regasm.exe, regsvr32.exe, regsvcs.exe, svchost.exe, and werfault.exe may reveal they are Process Injection primary targets.
- Consider the reputation of the strange process that sought access to lsass.exe as suspicious behavior.
- If the powershell.exe process is accessed from an unsigned executable stored in a world-writable directory such as APPDATA or ProgramData, etc. is an unexpected command line.
- Filtering out the False positives:
- While creating rules with the above-mentioned processes, sure we will get more false positives. To combat false positives, it will be necessary to compare normal to unusual activities. To avoid those, fine-tuning is the important feature, the soc team needs to be engaged in.
- For the CreateRemoteThread method, mostly it will be a genuine activity. Here, we need to concentrate the efforts on odd source processes, such as Microsoft Office programs and tools that are typically used to distribute first-stage malware such as scripts and Mshta.
- svchost.exe and lsass.exe are common processes targeted for Process Injection. Because of the exponential increase, identifying known processes that may execute code can help to limit the number of false positives.
Reflective DLL Injection:
What is DLL:
- A dynamic link library (DLL) is a collection of small programs that can be loaded when needed by larger programs and used at the same time.
- A DLL is a library that contains code and data that can be used by more than one program at the same time.
- When DLL is loaded in Windows, the LoadLibrary function is called and that takes the file path of a DLL and loads it into memory.
- This approach can also be used to accomplish a DLL injection, which involves loading and executing code in the context of another process. Because DLLs are designed to be loaded at run time, the code is placed as a DLL. Attackers gain various advantages by running code in the context of another process, including access to the process’s memory and permissions.
- It also gives opponents the ability to hide their actions under a legitimate process.
What is Reflective DLL Injection?
“DLL loading from memory rather than the disc is referred to as reflective DLL loading”
Since Windows doesn’t have a LoadLibrary function that supports this, attackers will develop their own, skipping some of the steps Windows takes automatically, such as registering the DLL as a loaded module in the process, and potentially avoiding DLL load monitoring.
Possibilities of mitigation:
- Restricting access to specific API calls will almost certainly have unintended consequences, such as making legitimate software inoperable. So we need to make sure before restricting the API calls.
- Mostly AV won’t catch this injection. Because attackers go to tremendous lengths to avoid the standard reflection injection code execution function, CreateRemoteThread(), to elude AV. This is only possible via customized rules.
- Keeping an eye on API calls for a range of code injections can produce more logs and it is not effective for the security team, because benign use of API functions might be hard to separate from malicious execution.
- Whitelisting the tools or restricting Software Policies and identifying or preventing possible harmful software may reduce the attacks.
Most of the process injection attacks use a custom function that can easily avoid detection. So, familiarizing the old attacks and creating rules based on them will improve the detection level.