Analysis
Process Injection rose to the top of our rankings due to widespread TrickBot and Emotet outbreaks in late 2018 that continued through 2019.
Why do adversaries use Process Injection?
Process Injection tops our list as the most common ATT&CK technique across our customer base due to a very specific threat: TrickBot. However, the technique is actually quite versatile, facilitating a range of actions as broad as nearly any other ATT&CK technique. Categorized under both Defense Evasion and Privilege Escalation, Process Injection is arguably an Execution technique as well.
Process Injection is a technique whereby an adversary is able to carry out some nefarious activity in the context of a legitimate process. In this way, malicious activity—whether it’s an overtly malicious binary or a process that’s been co-opted as such—blends in with routine operating system processes.
Stealth, however, is just one of the benefits of Process Injection. Its most useful function may be that arbitrary code, once injected into a legitimate process, can inherit the privileges of that process or, similarly, access parts of the operating system that shouldn’t be otherwise available.
Threat Volume
How do adversaries use Process Injection?
In the environments we monitor, the vast majority of Process Injection activity results from TrickBot infections. Specifically, TrickBot launches svchost.exe and then uses Process Injection to carry out malicious activity.
Some other common variations of Process Injection include:
- Remotely injecting code libraries into running processes
- Using seemingly benign processes such as notepad.exe to make external network connections and later injecting code that performs malicious actions
- Leveraging Microsoft Office applications to create RemoteThread injections into dllhost.exe for the purposes of conducting attacks with malicious macros
- Cross-process injection initiated by lsass.exe into taskhost.exe
- Metasploit injecting itself into processes such as svchost.exe to avoid suspicion and increase stability
- Injecting code into a browser process to enable snooping on a user’s browsing session, which is a common characteristic of banking and other credential-stealing trojans
In addition to TrickBot, we have also seen the following malware families carry out Process Injection:
- PlugX
- Dridex
- Emotet
- AgentTesla
- Hancitor
- Ursnif/Dreambot
Sighted with
We most commonly see Process Injection occurring in tandem with Scheduled Tasks (T1053) across our customer base because TrickBot sometimes uses Scheduled Tasks for persistence.
We also often see Process Injection paired with Remote File Copy (T1105) and Windows Admin Shares (T1077). Code injected into TrickBot downloads additional libraries for execution, explaining its occurrence with Remote File Copy, while TrickBot and common follow-on trojan Emotet use Windows Admin Shares to move laterally on an infected network.
Far less often we see Process Injection alongside Uncommonly Used Port (T1509)—likely because code injected by TrickBot may communicate on tcp/447 and tcp/449 for command and control—and Mshta (T1170). The latter is the result of newer .NET exploitation tools such as DotNetToJScript and CACTUSTORCH that allow attackers to inject code from HTML Applications.
Customers Affected
Definition
Detection
MITRE’s data sources
- API monitoring
- Windows Registry
- File monitoring
- DLL monitoring
- Process monitoring
- Named Pipes
Collection requirements
Process monitoring
Process monitoring is a minimum requirement for reliably detecting Process Injection. Even though injection can be invisible to some forms of process monitoring, the effects of the injection can become harder to miss once you compare process behaviors against expected functionality.
API monitoring
If possible, monitor API system calls that include CreateRemoteThread in Windows. This will indicate a process is using the Windows API to inject code into another process. Security teams should monitor for the ptrace system calls on Linux as well.
Detection suggestions
The detection of Process Injection involves hunting for legitimate processes doing unexpected things. This may involve processes making external network connections and writing files, or it may involve processes spawning with unexpected command-line arguments.
Some good examples of odd behavior within a process include:
- Svchost.exe making network connections on tcp/447 and tcp/449
- Notepad.exe making external network connections
- Mshta.exe calling CreateRemoteThread to inject code
Some good examples of odd paths or command lines that may indicate injection:
- Rundll32.exe, regasm.exe, regsvr32.exe, regsvcs.exe, svchost.exe, and werfault.exe process executions without command-line options may indicate they are targets of process injection.
- Microsoft processes such as vbc.exe with command lines including
/scomma,/shtml, or/stextmay indicate the injection of Nirsoft tools for credential access - Linux processes with
memfd:in their path indicate they were spawned from code injected into another process.
Specific to TrickBot, we have two behavioral analytics that look for untrusted processes launching svchost.exe. Collectively, these two analytics—on their own and in tandem—uncovered more than 4,200 confirmed threats. A third analytic looks for a mix of svchost.exe injection and network connections. It converted into a confirmed threat nearly 2,500 times.
In addition, adversaries may modify some files or environment variables on macOS and Linux systems to signal intent for Process Injection:
- On macOS, modifying the
DYLD_INSERT_LIBRARIESenvironment variable may allow injection. - On Linux systems, modifying the
/etc/ld.so.preloadfile or the environment variablesLD_PRELOADorLD_LIBRARY_PATHmay allow injection.
Weeding out false positives
The analytics that produced the most false positives came from looking for CreateRemoteThread calls from any and all processes. Many tools in Windows use Process Injection legitimately for debugging and virtualization. If you want to write analytics around this API call, focus them on unusual source processes, such as Microsoft Office products and tools that commonly deliver first-stage malware like scripts and Mshta.
Testing
Start testing your defenses against Process Injection using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Getting started
View Atomic tests for T1055: Process Injection. In most environments, these should be sufficient to generate a useful signal for defenders.
Run this test on a Windows system using PowerShell:
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "$env:TEMP\T1055.dll"
$mypid = (get-process spoolsv).id
mavinject $mypid /INJECTRUNNING $env:\TEMP\T1055.dllUseful telemetry will include:
| Data source | Telemetry |
|---|---|
| Data source: Process monitoring | Telemetry: powershell.exe, mavinject.exe |
| Data source: DLL monitoring | Telemetry: T1055.dll |
| Data source: API monitoring | Telemetry: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread |
Review and repeat
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented
- Were your actions visible in logs or other defensive telemetry?
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.