|Tactic||Defense Evasion, Privilege Escalation|
|Platform||Linux, macOS, Windows|
|Permissions Required||User, Administrator, SYSTEM, root|
|Effective Permissions||User, Administrator, SYSTEM, root|
|Data Sources||API monitoring, DLL monitoring, File monitoring, Named Pipes, Process Monitoring, Windows Registry|
|Defense Bypassed||Process whitelisting, Anti-virus|
Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
There are multiple approaches to injecting code into a live process. Windows implementations include:1
- Dynamic-link library (DLL) injection involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
- Portable executable injection involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue.2
- Thread execution hijacking involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.
- Asynchronous Procedure Call (APC) injection involves attaching malicious code to the APC Queue3 of a process's thread. Queued APC functions are executed when the thread enters an alterable state. AtomBombing 4 is a variation that utilizes APCs to invoke malicious code previously written to the global atom table.5
- Thread Local Storage (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point.6
Mac and Linux
- LD_PRELOAD, LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process.9
- Ptrace system calls can be used to attach to a running process and modify it in runtime.8
- /proc/[pid]/mem provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity.8
- VDSO hijacking performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object.10
Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
- An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).11
- Backdoor.Oldrea injects itself into explorer.exe.12
- BlackEnergy injects its DLL component into svchost.exe.13
- Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary.14
- Derusbi injects itself into the secure shell (SSH) process.15
- Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).16
- Elise injects DLL files into iexplore.exe.17
- Emissary injects its DLL file into a newly spawned Internet Explorer process.18
- Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. Gazer performs a separate injection of its communication module into an Internet accessible process through which it performs C2.1920
- HIDEDRV injects a DLL for Downdelph into the explorer.exe process.21
- JHUHUGIT performs code injection injecting its own functions to browser processes.22
- Matroyshka uses reflective DLL injection to inject the malicious library and execute the RAT.23
- PoisonIvy can load DLLs.24
- After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system.25
- Remsec can perform DLL injection.26
- Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.27
- Taidoor can perform DLL loading.28
- Wingbird performs multiple process injections to hijack system processes and execute malicious code.29
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.30
Identify or block potentially malicious software that may contain process injection functionality by using whitelisting31 tools, like AppLocker,3233 or Software Restriction Policies34 where appropriate.35
Utilize Yama 36 to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux 37, grsecurity 38, and AppAmour 39.
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique.1
Monitoring for Linux specific calls such as the ptrace system call, the use of LD_PRELOAD environment variable, or dlfcn dynamic linking API calls, should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. 40 41 42 43
Monitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.44
Monitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit,45 so additional PowerShell monitoring may be required to cover known implementations of this behavior.
- Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
- Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.
- Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December 8, 2017.
- Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE INJECTION FOR WINDOWS. Retrieved December 8, 2017.
- Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017.
- Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.
- Turner-Trauring, I. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017.
- skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.
- halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.
- O'Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved December 20, 2017.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
- Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
- FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
- Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
- Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
- Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- McNamara, R. (2017, September 5). Linux Based Inter-Process Code Injection Without Ptrace(2). Retrieved December 20, 2017.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
- Linux Kernel Archives. (n.d.). Yama Documentation - ptrace_scope. Retrieved December 20, 2017.
- SELinux Project. (2017, November 30). SELinux Project Wiki. Retrieved December 20, 2017.
- grsecurity. (2017, December 12). What is grsecurity?. Retrieved December 20, 2017.
- AppArmor. (2017, October 19). AppArmor Security Project Wiki. Retrieved December 20, 2017.
- Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.
- GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.
- Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.
- stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.
- Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.
- PowerSploit. (n.d.). Retrieved December 4, 2014.