Process Injection: Dynamic-link Library Injection

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). [1]

Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).[2][1]

Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.[3] This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.[4]

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

ID: T1055.001
Sub-technique of:  T1055
Platforms: Windows
Permissions Required: User
Defense Bypassed: Anti-virus, Application control
Contributors: Boominathan Sundaram
Version: 1.3
Created: 14 January 2020
Last Modified: 11 August 2023

Procedure Examples

ID Name Description
S0456 Aria-body

Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.[5]

G0135 BackdoorDiplomacy

BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.[6]

S1081 BADHATCH

BADHATCH has the ability to execute a malicious DLL by injecting into explorer.exe on a compromised machine.[7]

S0089 BlackEnergy

BlackEnergy injects its DLL component into svchost.exe.[8]

S1039 Bumblebee

The Bumblebee loader can support the Dij command which gives it the ability to inject DLLs into the memory of other processes.[9][10]

C0015 C0015

During C0015, the threat actors used a DLL named D8B3.dll that was injected into the Winlogon process.[11]

S0484 Carberp

Carberp's bootkit can inject a malicious DLL into the address space of running processes.[12]

S0335 Carbon

Carbon has a command to inject code into a process.[13]

S0154 Cobalt Strike

Cobalt Strike has the ability to load DLLs via reflective injection.[14][15]

S0126 ComRAT

ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.[16][17]

S0575 Conti

Conti has loaded an encrypted DLL into memory and then executes it.[18][19]

S1066 DarkTortilla

DarkTortilla can use a .NET-based DLL named RunPe6 for process injection.[20]

S0021 Derusbi

Derusbi injects itself into the secure shell (SSH) process.[21]

S0038 Duqu

Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).[22]

S0024 Dyre

Dyre injects into other processes to load modules.[23]

S0081 Elise

Elise injects DLL files into iexplore.exe.[24][25]

S0082 Emissary

Emissary injects its DLL file into a newly spawned Internet Explorer process.[26]

S0367 Emotet

Emotet has been observed injecting in to Explorer.exe and other processes. [27][28][29]

S0182 FinFisher

FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.[30][31]

S1044 FunnyDream

The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the VirtualAllocEx, WriteProcessMemory and CreateRemoteThread APIs to load the DLL component.[32]

S0666 Gelsemium

Gelsemium has the ability to inject DLLs into specific processes.[33]

S0460 Get2

Get2 has the ability to inject DLLs into processes.[34]

S1027 Heyoka Backdoor

Heyoka Backdoor can inject a DLL into rundll32.exe for execution.[35]

S0135 HIDEDRV

HIDEDRV injects a DLL for Downdelph into the explorer.exe process.[36]

S0581 IronNetInjector

IronNetInjector has the ability to inject a DLL into running processes, including the IronNetInjector DLL into explorer.exe.[37]

S0265 Kazuar

If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.[38]

S0250 Koadic

Koadic can perform process injection by using a reflective DLL.[39]

G0032 Lazarus Group

A Lazarus Group malware sample performs reflective DLL injection.[40][41]

G0065 Leviathan

Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[42]

S0681 Lizar

Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.[43]

S0167 Matryoshka

Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.[44]

S0449 Maze

Maze has injected the malware DLL into a target process.[45][46]

S0576 MegaCortex

MegaCortex loads injecthelper.dll into a newly created rundll32.exe process.[47]

S0455 Metamorfo

Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[48]

S1026 Mongall

Mongall can inject a DLL into rundll32.exe for execution.[35]

S0457 Netwalker

The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.[49]

S0501 PipeMon

PipeMon can inject its modules into various processes using reflective DLL loading.[50]

S0012 PoisonIvy

PoisonIvy can inject a malicious DLL into a process.[51][52]

S0194 PowerSploit

PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.[53][54]

S0613 PS1

PS1 can inject its payload DLL Into memory.[55]

S0192 Pupy

Pupy can migrate into another process using reflective DLL injection.[56]

G0024 Putter Panda

An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).[57]

S0458 Ramsay

Ramsay can use ImprovedReflectiveDLLInjection to deploy components.[58]

S0055 RARSTONE

After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.[59]

S0241 RATANKBA

RATANKBA performs a reflective DLL injection using a given pid.[60][61]

S0125 Remsec

Remsec can perform DLL injection.[62]

S1018 Saint Bot

Saint Bot has injected its DLL component into EhStorAurhn.exe.[63]

S0461 SDBbot

SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[34]

S0596 ShadowPad

ShadowPad has injected a DLL into svchost.exe.[64]

S0273 Socksbot

Socksbot creates a suspended svchost process and injects its DLL into it.[65]

S0615 SombRAT

SombRAT can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL from disk, storage, or memory respectively.[55]

S0603 Stuxnet

Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.[66]

S0018 Sykipot

Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.[67]

G0092 TA505

TA505 has been seen injecting a DLL into winword.exe.[68]

S0011 Taidoor

Taidoor can perform DLL loading.[69][70]

S0467 TajMahal

TajMahal has the ability to inject DLLs for malicious plugins into running processes.[71]

G0081 Tropic Trooper

Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.[72][73]

G0010 Turla

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.[74][75]

S0022 Uroburos

Uroburos can use DLL injection to load embedded files and modules.[76]

G0102 Wizard Spider

Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.[77][78]

S0412 ZxShell

ZxShell is injected into a shared SVCHOST process.[79]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Detection

ID Data Source Data Component Detects
DS0011 Module Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and module loads to help reduce the number of events that are produced.

DS0009 Process OS API Execution

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[1]

Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted.

Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.

  • Allocate memory in the target program with VirtualAllocEx
  • Write the name of the DLL to inject into this program with WriteProcessMemory
  • Create a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread.

This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.

Analytic 1 - DLL Injection via Load Library

remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

Process Access

Monitor for process being viewed that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.

Process Metadata

Monitor for process memory inconsistencies compared to DLL files on disk by checking memory ranges against a known copy of the legitimate module.[4]

Process Modification

Monitor for changes made to processes that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.

Analytic 1 - DLL Injection with Mavinject

mavinject_processes = filter processes where ( exe = "C:\Windows\SysWOW64\mavinject.exe" OR Image="C:\Windows\System32\mavinject.exe" OR command_line = "/INJECTRUNNING"

References

  1. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
  2. Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.
  3. Red Teaming Experiments. (n.d.). Module Stomping for Shellcode Injection. Retrieved July 14, 2022.
  4. Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022.
  5. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  6. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  7. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  8. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  9. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  10. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  11. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  12. Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You’re in a Black Hole, Stop Digging. Retrieved July 15, 2020.
  13. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  14. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  15. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  16. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  17. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  18. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  19. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  20. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  21. Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.
  22. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  23. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  24. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  25. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  26. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  27. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  28. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  29. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  30. FinFisher. (n.d.). Retrieved December 20, 2017.
  31. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  32. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  33. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  34. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  35. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  36. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  37. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  38. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  39. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  40. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  1. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  2. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  3. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  4. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  5. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  6. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  7. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  8. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  9. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  10. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  11. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  12. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  13. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  14. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  15. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  16. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  17. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  18. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  19. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  20. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  21. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  22. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  23. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  24. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  25. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  26. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  27. Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
  28. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  29. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  30. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  31. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  32. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  33. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  34. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  35. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  36. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  37. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  38. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  39. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.