Red Canary’s 2020 Threat Detection Report ranked Process Injection (T1055) as the most prevalent ATT&CK technique to watch this year. As part of our ATT&CK Deep Dive series, Red Canary’s Director of Threat Research Matt Graeber moderated a webinar on this technique with Erika Noerenberg from VMware Carbon Black, Adam Pennington from MITRE, and David Kaplan from Microsoft. You can watch the full recording here or check out the highlight clips below.
What is Process Injection and why is it so popular?
You can find MITRE’s official definition here, but Adam Pennington puts it simply: “Process injection is a way of running arbitrary code in another process’s memory space.” Thus, attackers can execute malicious activity under the guise of a legitimate process. Process Injection is essentially the hacker version of polyjuice potion from Harry Potter.*
*You may be asking yourself: “Wait, wouldn’t Masquerading (T1036) be the ATT&CK technique closest to polyjuice potion?” We consulted Red Canary’s foremost Harry Potter nerd, Susannah Clark, who confirmed: “In order to disguise its user, polyjuice potion must be ingested (i.e., injected). Masquerading would just be straight up Transfiguration.”
Anyway.
Adversaries can leverage Process Injection to achieve the following:
- Execute arbitrary code
- Evade suspicions/defensive controls
- Elevate privileges
- Steal in-memory secrets
Process Injection accounted for 17 percent of all the threats Red Canary analyzed in 2019, affecting 35 percent of customer organizations. The prevalence of Process Injection in our dataset is partially due to its breadth as a technique. In fact, it’s so broad that MITRE will be splitting the technique into 11 sub-techniques in an upcoming release of ATT&CK later this summer:
| ATT&CK ID | Process Injection sub-technique |
|---|---|
| ATT&CK ID: T1055.001 | Process Injection sub-technique : Dynamic-link Library Injection |
| ATT&CK ID: T1055.002 | Process Injection sub-technique : Portable Executable Injection |
| ATT&CK ID: T1055.003 | Process Injection sub-technique : Thread Execution Hijacking |
| ATT&CK ID: T1055.004 | Process Injection sub-technique : Asynchronous Procedure Call |
| ATT&CK ID: T1055.005 | Process Injection sub-technique : Thread Local Storage |
| ATT&CK ID: T1055.008 | Process Injection sub-technique : Ptrace System Calls |
| ATT&CK ID: T1055.009 | Process Injection sub-technique : Proc Memory |
| ATT&CK ID: T1055.011 | Process Injection sub-technique : Extra Window Memory Injection |
| ATT&CK ID: T1055.012 | Process Injection sub-technique : Process Hollowing |
| ATT&CK ID: T1055.013 | Process Injection sub-technique : Process Doppelgänging |
| ATT&CK ID: T1055.014 | Process Injection sub-technique : VDSO Hijacking |
11 sub-techniques is a lot. Where do I begin with detecting Process Injection?
Our webinar hosts have you covered for three of the most common Process Injection sub-techniques: Portable Executable Injection (T1055.002), Thread Local Storage (T1055.005) and Process Hollowing (T1055.012).
webinar highlights
Matt Graeber kicks us off with Portable Executable Injection, using the Ramnit trojan as an illustrative example:
Here’s Erika Noerenberg on Thread Local Storage, citing Ursnif:
David Kaplan walks us through Process Hollowing, highlighting TrickBot:
What about Mac and Linux?
Erika Noerenberg explains that we rarely run into Process Injection on Mac systems because Apple requires notarization with app-hardening. Adversaries can still inject into third-party apps though. As for Linux, Adam Pennington breaks down three relevant sub-techniques to look out for.
How do I mitigate Process Injection?
Matt Graeber reminds us that is there is no encompassing mitigation against all forms of Process Injection. But depending on your specific system, you have plenty of options:
How does Red Canary MDR detect Process Injection?
Watch this demo of how Red Canary’s Managed Detection and Response solution detects Process Injection, and get in touch if you’d like to see more.
Got more questions? Let us know!
Send us an email or drop us a line on Twitter. We’ll be posting more technical content on Process Injection later this summer.
Test for Process Injection with Atomic Red Team
Related Articles
The dark side of Microsoft Remote Procedure Call protocols
Research ATT&CK techniques from the comfort of your VSCode editor