MITRE ATT&CK spotlight: Process injection
It is no longer a surprise to discover that attackers have changed their attack methodologies and continue to improve the sophistication of their Tactics, Techniques and Procedures (“TTPs”) in a bid to continuously compromise their target. This is because organizations are continuously implementing security controls and leveraging advisories provided by both proprietary and community-driven establishments to improve their security posture.
One of these community-driven efforts is the MITRE ATT&CK Framework, which provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK in MITRE ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge.
In the following sections, we will take a look at process injections: what they are, how attackers leverage process injections in compromising their targets, some of the tools attackers (including ethical hackers) leverage to perform process injections and some countermeasures to detect and prevent process injections.
However, it is important to note that techniques identified in the matrix can be carried out in various ways. As we have seen over the years, attackers are becoming more sophisticated in their approach; hence, blocking a form of technique does not mean your environment is no longer vulnerable to that technique.
Process injection
This technique involves the execution of malicious code and injecting the same into another running valid process, thereby causing the process to execute the code while preventing suspicion and evading detection. This allows the malicious code to run using the process's memory, resources and elevated privileges. In addition, it allows the code to potentially evade suspicion from security solutions such as host-based firewalls, antivirus, EDRs and so on, as the code is running under a valid process.
Nowadays, there are various methods utilized by attackers and malwares to perform process injection techniques . The following describes some of these techniques.
- Classic DLL injection: In this method, the malware creates a DLL on the disk and links its path string in the virtual address space of the target process, thus ensuring the process executes it. The DLL then inherits the same access to all objects and resources as the target process. In addition, since the malware creates a DLL on the disk, it makes it susceptible to being detected by security products
- Process hollowing: In this method, the malware spawns a new instance of the target process by overwriting the memory space of the target process and replacing it with the malicious code. This technique is known as process hollowing and makes the malware stealthier than the classic DLL injection, as it feels like a valid process
- Portable executable (“PE”) injection: In this method, the malware copies its malicious code into the virtual address space of the target process and causes it to execute via a shellcode or the CreateRemoteThread function. The malware allocates memory in the target process and loads its malicious code into it instead of linking its path string, as in the case of classic DLL injection. In addition, this means the target process is running two (2) different codes (the legitimate process and the malware) via it and relies on Windows APIs
Real-world examples of process injections in action
DoublePulsar
An analysis of the kernel mode payload of the famous DoublePulsar code by F-Secure revealed that it utilizes a form of DLL injection to load a DLL into a target process (in this case, lsass.exe) using an Asynchronous Procedure Call (APC). It did not utilize the standard Windows API commands such as LoadLibrary and did not write the DLL to disk, making it stealthier.
Cobalt Strike
Cobalt Strike is a penetration testing software that was designed to execute targeted attacks and emulate post-exploitations actions of advanced threat actors through a listener called a beacon.
Cobalt Strike commands such as keylogger, screenshot and so on were designed to be injected into another process for it to work. The listener is injected into a specific process (a personal favorite is explorer.exe because the process is always running in a GUI environment) and the keystroke logger will monitor all keystrokes via the infected process. It then reports them to the beacon console without writing to disk. This only stops when the process terminates or the keystroke logger job is terminated by the user.
Lazarus Group
The Lazarus Group (also known as “Hidden Cobra”) is a threat group headquartered in North Korea whose malicious activities span across multiple years, as far back as 2009. Since 2016, the group has been conducting "FASTCash” attacks — stealing money from ATMs from target banks in Africa and Asia. The target bank's network is compromised and a malware known as Trojan.Fashcash is deployed on the network.
An analysis of the malware reveals that malicious Advanced Interactive eXecutive ("AIX") executable files are injected into legitimate processes on the payment application servers used in handling ATM transactions. The executable allows the group to monitor, intercept and generate responses to fraudulent transaction requests using fake ISO 8583 (standard used for financial transaction messaging) messages. This allows attempts to withdraw cash via an ATM to be successful.
APT41
APT41 is a threat group headquartered in China and known for carrying out Chinese state-sponsored espionage campaigns dating as far back as 2012.
The group is known for its software supply chain attacks, where TTPs developed from accessing video game production environments are utilized. These TTPs are used to compromise software companies and malicious codes are injected into software updates distributed to victim organizations.
WINTERLOVE is a backdoor used by the group to load and execute remote code in a running process (e.g., iexplorer.exe) and can be used to enumerate system files and directories.
Mitigation/prevention
DLL injection is not necessarily a bad technique as many applications use it for legitimate purposes such as your Antivirus/Endpoint Detection and Response (“EDR”)7 solutions which inject their own codes/agents into running processes in order to monitor the process and detect abnormal activities. Therefore, making it hard to detect especially since it runs under a legitimate process.
Behavior analysis
This method can be achieved by configuring your EDRs to detect cross-process events such as injection of code into a running process, duplicate processes running, remote threads and so on.
EDRs work by gathering, monitoring and analyzing endpoint activities/events. This gives the security team the necessary visibility to carry out further analysis, detection, investigation and mitigation into advanced cyber threats across all endpoints running an EDR.
As part of their response capabilities, EDRs can be configured to block certain types of process injection, depending on the behavior that occurs during the injection process.
Continuous monitoring
Log! Log! Log!
Logs are critical in understanding what’s going in your environment. It is therefore not only important that you collect logs from various critical components of your infrastructure, but also that you collect the right kind of logs.
A security product that aids in log collection and correlation is a Security Information and Event Management (“SIEM”) tool. It aggregates logs from various sources, analyzes the logs to discover trends, behaviors, attack patterns, threats, security incidents and useful insights for organizations. If properly configured with organization specific use cases, this SIEM platform can then be leveraged to obtain actionable intel to detect anomalies such as process injections and ultimately improve the security posture of your organization.
Sources
- Process Injection, MITRE
- ATT&CK 101, Medium
- Ten process injection techniques: A technical survey of common and trending process injection techniques, elastic.co
- Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing, Microsoft
- Analyzing the DOUBLEPULSAR Kernel DLL Injection Technique, F-Secure
- Beacon, Cobalt Strike
- Named: Endpoint Threat Detection & Response, Gartner
- Alert (TA18-275A), CISA
- APT41, FireEye