June 24, 2020 Detection and response

Process Injection: a primer

Experts from Red Canary, VMware Carbon Black, MITRE ATT&CK, and Microsoft break down the many facets of the Process Injection technique.

Red Canary’s 2020 Threat Detection Report ranked Process Injection (T1055) as the most prevalent ATT&CK technique to watch this year. As part of our ATT&CK Deep Dive series, Red Canary’s Director of Threat Research Matt Graeber moderated a webinar on this technique with Erika Noerenberg from VMware Carbon Black, Adam Pennington from MITRE, and David Kaplan from Microsoft. You can watch the full recording here or check out the highlight clips below.

What is Process Injection and why is it so popular?

You can find MITRE’s official definition here, but Adam Pennington puts it simply: “Process injection is a way of running arbitrary code in another process’s memory space.” Thus, attackers can execute malicious activity under the guise of a legitimate process. Process Injection is essentially the hacker version of polyjuice potion from Harry Potter.*


*You may be asking yourself: “Wait, wouldn’t Masquerading (T1036) be the ATT&CK technique closest to polyjuice potion?” We consulted Red Canary’s foremost Harry Potter nerd, Susannah Clark, who confirmed: “In order to disguise its user, polyjuice potion must be ingested (i.e., injected). Masquerading would just be straight up Transfiguration.”

Anyway.

Adversaries can leverage Process Injection to achieve the following:

  • Execute arbitrary code
  • Evade suspicions/defensive controls
  • Elevate privileges
  • Steal in-memory secrets

Process Injection accounted for 17 percent of all the threats Red Canary analyzed in 2019, affecting 35 percent of customer organizations. The prevalence of Process Injection in our dataset is partially due to its breadth as a technique. In fact, it’s so broad that MITRE will be splitting the technique into 11 sub-techniques in an upcoming release of ATT&CK later this summer:

ATT&CK ID    Process Injection sub-technique
T1055.001    Dynamic-link Library Injection
T1055.002    Portable Executable Injection
T1055.003    Thread Execution Hijacking
T1055.004    Asynchronous Procedure Call
T1055.005    Thread Local Storage
T1055.008    Ptrace System Calls
T1055.009    Proc Memory
T1055.011    Extra Window Memory Injection
T1055.012    Process Hollowing
T1055.013    Process Doppelgänging
T1055.014    VDSO Hijacking

11 sub-techniques is a lot. Where do I begin with detecting Process Injection?

Our webinar hosts have you covered for three of the most common Process Injection sub-techniques: Portable Executable Injection (T1055.002), Thread Local Storage (T1055.005) and Process Hollowing (T1055.012).
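One starting point for the detection side, as an added example that is not part of the webinar or Red Canary's tooling: a small Python heuristic that flags Sysmon-style ProcessAccess (event 10) and CreateRemoteThread (event 8) records in which one process obtains write-plus-thread-creation rights on, or starts a thread inside, a different process. Field names follow Sysmon; the allow-list, file paths and sample events are constructed for illustration.

```python
# Added example (not from the webinar or Red Canary): a heuristic over
# Sysmon-style records that flags the cross-process access a typical injector
# needs. Event field names follow Sysmon; the sample events are constructed.

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
# An injector normally needs both: write the payload, then get it executed.
INJECT_MASK = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Hypothetical allow-list: processes expected to touch other processes' memory.
KNOWN_BENIGN_SOURCES = {r"C:\Windows\System32\csrss.exe"}


def is_injection_candidate(event: dict) -> bool:
    """True if the event looks like one process preparing to run code in another."""
    src = event.get("SourceImage", "")
    dst = event.get("TargetImage", "")
    # Self-access and listed system processes are expected behaviour.
    if not src or not dst or src == dst or src in KNOWN_BENIGN_SOURCES:
        return False
    if event["EventID"] == 8:  # CreateRemoteThread into a different process
        return True
    if event["EventID"] == 10:  # ProcessAccess: check the requested rights
        granted = int(event["GrantedAccess"], 16)  # Sysmon logs a hex string
        return granted & INJECT_MASK == INJECT_MASK
    return False


def triage(events: list) -> list:
    """Return (EventID, SourceImage, TargetImage) for every flagged event."""
    return [(e["EventID"], e["SourceImage"], e["TargetImage"])
            for e in events if is_injection_candidate(e)]


# Constructed sample telemetry (paths and masks invented for illustration).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("possible injection:", hit)
```

Only the two events from the unsigned-looking Temp binary are flagged; the allow-listed csrss.exe access, the query-only Task Manager access, and the self-targeted thread creation are ignored.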

Matt Graeber kicks us off with Portable Executable Injection, using the Ramnit trojan as an illustrative example:

Here’s Erika Noerenberg on Thread Local Storage, citing Ursnif:

David Kaplan walks us through Process Hollowing, highlighting TrickBot:

What about Mac and Linux?

Erika Noerenberg explains that we rarely run into Process Injection on Mac systems because Apple requires notarization with app-hardening. Adversaries can still inject into third-party apps though. As for Linux, Adam Pennington breaks down three relevant sub-techniques to look out for.

How do I mitigate Process Injection?

Matt Graeber reminds us that there is no single mitigation that covers all forms of Process Injection. But depending on your specific system, you have plenty of options:

How does Red Canary MDR detect Process Injection?

Watch this demo of how Red Canary’s Managed Detection and Response solution detects Process Injection, and get in touch if you’d like to see more.

Got more questions? Let us know!

Send us an email or drop us a line on Twitter. We’ll be posting more technical content on Process Injection later this summer.
