Process Injection
October 2, 2024 · View on GitHub
| ID | E1055 |
| Objective(s) | Defense Evasion, Privilege Escalation |
| Related ATT&CK Techniques | Process Injection (T1055, T1631) |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 28 April 2024 |
Process Injection
Malware may execute code in the address space of a separate process.
See ATT&CK: Process Injection (T1055, T1631).
The methods table includes existing ATT&CK sub-techniques, which have been enhanced with malware-specific details, as well as new methods. Note that IAT hooking and inline hooking (aka userland rootkits) are defined as methods under the Hijack Execution Flow behavior.
Methods
| Name | ID | Description |
|---|---|---|
| Dynamic-link Library Injection | E1055.001 | (Enhanced ATT&CK sub-technique) Malware creates a thread using CreateRemoteThread (or NtCreateThreadEx, RtlCreateUserThread) and LoadLibrary. The path to the malware's malicious dynamic-link library (DLL) is written in the virtual address space of another process; the malware ensures the remote process loads it by creating a remote thread in the target process. This is one of the most common process injection methods, called Classic DLL Injection via CreateRemoteThread and LoadLibrary in [1]. This method is related to Unprotect technique U1226. |
| Portable Executable Injection | E1055.002 | (Enhanced ATT&CK sub-technique) Malware copies its malicious code into an existing open process and causes it to execute via shellcode or by calling CreateRemoteThread (instead of passing the address of the LoadLibrary), called Portable Executable Injection in [1]. This method is related to Unprotect technique U1216. |
| Thread Execution Hijacking | E1055.003 | (Enhanced ATT&CK sub-technique) Malware targets an existing thread of a process, avoiding noisy process or thread creations operations, called Thread Execution Hijacking in [1]. This method is related to Unprotect technique U1223. |
| Asynchronous Procedure Call | E1055.004 | (Enhanced ATT&CK sub-technique) Malware may leverage Asynchronous Procedure Calls (APC) to force another thread to execute its code by attaching it to the APC Queue of the target thread (using QueueUserAPC / NtQueueApcThread). AtomBombing [1][3], a variant of APC injection, occurs when the attacker stores malicious code in the global atom table. The APC gets the targeted process to retrieve the code that will be injected to the memory of the targeted process. This method is related to Unprotect technique U1221 and U1220. |
| Extra Window Memory Injection | E1055.011 | (Enhanced ATT&CK sub-technique) Malware may inject into Explorer tray window’s extra window memory, called Extra Window Memory Injection in [1]. This method is related to Unprotect technique U1219. |
| Process Hollowing | E1055.012 | (Enhanced ATT&CK sub-technique) Instead of injecting code into a program, malware can upmap (hollow out) legitimate code from memory of a target process, overwriting it with a malicious executable, called Process Hollowing in [1]. This method is related to Unprotect technique U1225. |
| Hook Injection via SetWindowsHooksEx | E1055.m01 | Malware can leverage hooking functionality to have its malicious DLL loaded upon an event getting triggered in a specific thread, which is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain. [1] This method is related to Unprotect technique 1227. |
| Injection and Persistence via Registry Modification | E1055.m02 | Malware may insert the location of its malicious library under a registry key (e.g., Appinit_DLL, AppCertDlls, IFEO) to have another process load its library. [1] |
| Injection via Windows Fibers | E1055.m05 | Malware executes shellcode via Windows fibers by converting a thread to a fiber. [5] |
| Injection using Shims | E1055.m03 | Malware may use shims to target an executable (shims are a way of hooking into APIs and targeting specific executables and are provided by Microsoft for backward compatibility, allowing developers to apply program fixes without rewriting code). [1] This method is related to Unprotect technique U1218. |
| Patch Process Command Line | E1055.m04 | Malware patches the PEB of a process to spoof the arguments. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| UP007 | 2016 | E1055.001 | The malware loads multiple DLLs into memory. [4] |
| TrickBot | 2016 | -- | The malware injects itself into svchost.exe. [11] |
| Poison Ivy | 2005 | -- | Poison Ivy code is injected into explorer.exe. [2] |
| WebCobra | 2018 | -- | The malware injects miner code into a running process. [12] |
| CryptoWall | 2014 | -- | The malware injects code into a new svchost process. [6] |
| Hupigon | 2013 | -- | The malware injects itself into processes such as cmd.exe and notepad.exe [7] |
| Hupigon | 2013 | E1055.012 | The malware uses process replacement. [13] |
| BlackEnergy | 2007 | E1055.m05 | BlackEnergy bypasses UAC using a Shim Database instructing SndVol.exe to execute cmd.exe instead, allowing for elevated execution. [8] |
| BlackEnergy | 2007 | -- | BlackEnergy injects its dll component into svchost.exe. [8] |
| Stuxnet | 2010 | E1055.001 | Stuxnet injects the entire DLL into another process and then just calls the particular export. [9] |
| Stuxnet | 2010 | E1055.m02 | Stuxnet uses Mrxcls.sys driver for persistence. It is registered as a boot start service by creating the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCIs"ImagePath" = "%System%\drivers\mrxcls.sys". [9] |
| Netwalker | 2020 | E1055.001 | Netwalker uses reflective DLL loading to inject from memory. [10] |
| DNSChanger | 2011 | -- | The malware can attach user process memory. [13] |
| Redhip | 2011 | E1055.003 | The malware can inject threads. [13] |
| Conti | 2019 | E1055.012 | Conti creates a process in a suspended state and unmaps or removes the PE image layout from a given process space. |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| patch process command line | Process Injection::Patch Process Command Line (E1055.m04) | VirtualProtect, GetProcAddress, ReadProcessMemory |
| attach user process memory | Process Injection (E1055) | ntoskrnl.KeStackAttachProcess, ntoskrnl.KeUnstackDetachProcess |
| inject shellcode using extra window memory | Process Injection (E1055) | SetWindowLong, SetWindowLongPtr, PostMessage, SendNotifyMessage |
| inject shellcode using a file mapping object | Process Injection (E1055) | CreateFileMapping, MapViewOfFile, MapViewOfFileNuma2 |
| inject shellcode using window subclass procedure | Process Injection (E1055) | user32.SetProp, PostMessage, SendNotifyMessage |
| execute shellcode via Windows fibers | Process Injection::Injection via Windows Fibers (E1055.m05) | ConvertThreadToFiber, CreateFiber, SwitchToFiber |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| volatility_handles_1 | Process Injection (E1055) | -- |
| volatility_ldrmodules_1 | Process Injection (E1055) | -- |
| volatility_ldrmodules_2 | Process Injection (E1055) | -- |
| volatility_malfind_1 | Process Injection (E1055) | -- |
| volatility_malfind_2 | Process Injection (E1055) | -- |
| volatility_modscan_1 | Process Injection (E1055) | -- |
| injection_explorer | Process Injection (E1055) | NtReadVirtualMemory, NtWow64ReadVirtualMemory64, NtOpenProcess, FindWindowExA, SendNotifyMessageW, SendNotifyMessageA, NtCreateSection, SetWindowLongA, SetWindowLongW, FindWindowA, FindWindowW, FindWindowExW, ReadProcessMemory, SetWindowLongPtrA, NtOpenSection, SetWindowLongPtrW |
| injection_themeinitapihook | Process Injection (E1055) | ThemeInitApiHook |
| explorer_http | Process Injection (E1055) | WinHttpConnect, WinHttpOpenRequest |
| injection_createremotethread | Process Injection (E1055) | -- |
| doppelganging | Process Injection (E1055) | -- |
| injection_inter_process | Process Injection (E1055) | -- |
| injection_create_remote_thread | Process Injection (E1055) | -- |
| injection_process_hollowing | Process Injection (E1055) | -- |
| transacted_hollowing | Process Injection (E1055) | NtRollbackTransaction, NtMapViewOfSection, RtlSetCurrentTransaction |
| persistence_ifeo | Process Injection (E1055) | -- |
| persistence_ifeo | Process Injection::Injection and Persistence via Registry Modification (E1055.m02) | -- |
| persistence_silent_process_exit | Process Injection (E1055) | -- |
| injection_rwx | Process Injection (E1055) | VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory |
| persistence_shim_database | Process Injection::Injection using Shims (E1055.m03) | -- |
| injection_runpe | Process Injection (E1055) | -- |
References
[1] Ashkan Hosseini, Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques, July 2017. https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
[2] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
[3] https://github.com/LordNoteworthy/al-khaser
[4] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[5] https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber
[6] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
[7] https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
[8] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[9] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[10] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
[11] https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
[12] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[13] capa v4.0, analyzed at MITRE on 10/12/2022