This article originally appeared on the VMware Carbon Black blog. The 2020 Threat Detection Report is now available in full.
Do you have any insight as to why Process Injection continues to grow in prevalence? Any advice for detecting it?
Process injection is leveraged by malware in order to run malicious code under the address space of a legitimate and often whitelisted running process. This provides a layer of stealth to the activity and often allows for bypassing of endpoint security controls, such as antivirus, Endpoint Detection and Response, host-based firewalls, and more.
Process injection also allows the malware to access the running process’s memory and system resources, which can result in the theft of credentials and eventual privilege escalation depending on the target process. One of the most well-known malware families leveraging this technique across 2019 is Emotet, which utilizes process injection to run arbitrary code through the Windows Service Host (svchost.exe) and often drops a variant of Trickbot. Process injection is extremely versatile and can be accomplished in a number of ways, depending on the goal of the attack.
It’s key to understand the various process injection techniques (such as DLL injection, thread execution hijacking, portable executable (PE) injection, etc.) and ensure that your endpoint security solution can gain visibility into the details of running processes and block these types of behaviors.
I love the way Red Canary breaks down their vast data set into easily understandable metrics like this. I’m not surprised that process injection continues to grow in prevalence. As mentioned in Red Canary’s blog, 2019 was the year of the Trickbot/Emotet malware combo. You can directly correlate these large-scale, persistent Trickbot/Emotet campaigns to the increase in observed process injection techniques in 2019. Both Trickbot and Emotet payloads are typically delivered via PE executables that are heavily obfuscated.
These follow-on payloads are very effective at evading many popular anti-virus technologies. Once these PEs are executed, you can almost guarantee they will leverage a common process injection technique like DLL injection, PE injection, or Process Hollowing. These process injection techniques allow the malware to live in other processes to evade detections and escalate privileges.
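As an added illustration (not code from the article or from Carbon Black), the following detector runs over constructed process/cmdline relationship telemetry and flags the svchost.exe injection pattern described above: svchost.exe started by something other than services.exe, svchost.exe launched without a service-group argument, and a remote thread created in another process by an image outside a small allowlist. The event field names and the allowlist are assumptions made for this example, not a vendor schema.

```python
from typing import Dict, List, Tuple

# Constructed sample telemetry in a simplified process/cmdline relationship
# shape (field names are assumptions for this example, not a vendor schema).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"type": "process", "pid": 4120, "ppid": 3900, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "invoice.exe"},
    {"type": "process", "pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\invoice.exe", "cmdline": "svchost.exe"},
    {"type": "remote_thread", "source_pid": 4120,
     "source_image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "target_pid": 4130, "target_image": r"C:\Windows\System32\svchost.exe"},
]

# Images that legitimately create threads in other processes (assumed allowlist;
# tune it from your own baseline before deploying anything like this).
REMOTE_THREAD_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_injection_signals(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs for events matching injection indicators."""
    findings: List[Tuple[str, int]] = []
    for e in events:
        if e["type"] == "process" and basename(e["image"]) == "svchost.exe":
            # Legitimate svchost.exe is a child of services.exe ...
            if basename(e["parent_image"]) != "services.exe":
                findings.append(("svchost_unexpected_parent", e["pid"]))
            # ... and is always given a service group with -k.
            if " -k " not in f' {e["cmdline"].lower()} ':
                findings.append(("svchost_missing_service_group", e["pid"]))
        elif e["type"] == "remote_thread":
            # Cross-process thread creation from an unexpected image is the
            # classic DLL/PE injection signal (Sysmon Event ID 8 records this).
            src = basename(e["source_image"])
            if src not in REMOTE_THREAD_ALLOWLIST and e["source_pid"] != e["target_pid"]:
                findings.append(("remote_thread_from_unexpected_image", e["target_pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_injection_signals(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The well-formed svchost.exe (pid 700) produces no findings; the one spawned and then written into by the Temp-directory executable trips all three rules.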
Were there any findings in the report that surprised you? If so, explain.
The significant increase in wormable malware observed in 2019 was indeed interesting, though I wouldn’t say that anything found in the report is particularly surprising, as Red Canary’s findings are in line with what we have observed over the past year as well.
The techniques being leveraged are not new. Many were released in 2017, like the now-infamous SMB exploit, EternalBlue. What we’re seeing today is malware that has fully integrated these exploits into their malware kits and extended them to be more wide-reaching and impactful in addition to relying more on standard credential extraction through keylogging, credential prompts, and dumping process memory.
All of this aids the malware in automating lateral movement within an organization, as well as worming across the internet as a whole. This is especially true when we look at modern wipers, which in some cases are simply reverse-engineered and modified ransomware variants. When the goal is simply to cause as much damage as quickly as possible, the more quickly and easily the malware can spread, the more consequential the impact will be.
The findings in the report are consistent with the larger industry trends. Companies are still struggling with proactive security measures. Hardening systems and network configurations with industry-accepted best practices goes a long way in containing and preventing threats like Trickbot/Emotet.
Where should someone completely new to MITRE ATT&CK begin? What data sources should a newbie prioritize during collection?
The MITRE ATT&CK framework can be overwhelming. There is a ton of great information contained within, but it can be difficult to understand how to begin to get a handle on implementing defenses within an organization. A majority of the MITRE ATT&CK techniques involve detailed process analytics, so a key focus area should be ensuring deep visibility in behavioral analysis with regard to processes, while also ensuring that base malware prevention is in place and working properly.
Leveling this up by blocking based on correlated process activity should be the next focal point and, from there, working towards correlated analytics and prevention across the remainder of the environment. While process activity is critical, don’t overlook core security controls such as firewalls, network segmentation, network data capture, intrusion prevention, logging, and correlated analytics across the environment as a whole.
If you are new to MITRE ATT&CK, I would recommend reading up on general threat intelligence and threat hunting principles. Having a good foundation in those two areas will help in understanding why ATT&CK was created and will put you on a path to leveraging the knowledge base within ATT&CK to your advantage. It’s important to take an inventory of what data sources you are working with and how those map to the specific ATT&CK techniques you are interested in researching. The most common source to use when researching MITRE ATT&CK techniques is process and cmdline relationship data.