MITRE’s data sources
- API monitoring
- Windows Registry
- File monitoring
- DLL monitoring
- Process monitoring
- Named Pipes
Process monitoring is a minimum requirement for reliably detecting Process Injection. Even though injection can be invisible to some forms of process monitoring, the effects of the injection can become harder to miss once you compare process behaviors against expected functionality.
If possible, monitor API system calls that include CreateRemoteThread in Windows. This indicates that a process is using the Windows API to inject code into another process. Security teams should monitor for ptrace system calls on Linux as well.
The detection of Process Injection involves hunting for legitimate processes doing unexpected things. This may involve processes making external network connections and writing files, or it may involve processes spawning with unexpected command-line arguments.
Some good examples of odd behavior within a process include:
- Svchost.exe making network connections on tcp/447 and tcp/449
- Notepad.exe making external network connections
- Mshta.exe calling CreateRemoteThread to inject code
Some good examples of odd paths or command lines that may indicate injection:
- Rundll32.exe, regasm.exe, regsvr32.exe, regsvcs.exe, svchost.exe, and werfault.exe process executions without command-line options may indicate they are targets of process injection.
- Microsoft processes such as vbc.exe with command lines including /stext may indicate the injection of Nirsoft tools for credential access
- Linux processes with memfd: in their path indicate they were spawned from code injected into another process.
Specific to TrickBot, we have two behavioral analytics that look for untrusted processes launching svchost.exe. Collectively, these two analytics—on their own and in tandem—uncovered more than 4,200 confirmed threats. A third analytic looks for a mix of svchost.exe injection and network connections. It converted into a confirmed threat nearly 2,500 times.
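As an added illustration (not code from the original report), the heuristics in the two lists above plus the untrusted-parent-of-svchost.exe analytic, expressed as a small Python rule set run over constructed process events. The event schema, the trusted-parent allow-list and the sample events are assumptions; real EDR or Sysmon fields will differ.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:            # constructed event schema; real EDR/Sysmon fields differ
    image: str                 # process image name, e.g. "svchost.exe"
    cmdline: str               # full command line as logged
    parent: str                # parent image name
    path: str = ""             # executable path; Linux logs "memfd:..." for in-memory images
    remote_port: int = 0       # destination port of a logged network connection, if any

# Images that normally never run without arguments (the list above).
NO_ARGS_SUSPECTS = {"rundll32.exe", "regasm.exe", "regsvr32.exe",
                    "regsvcs.exe", "svchost.exe", "werfault.exe"}
TRUSTED_SVCHOST_PARENTS = {"services.exe"}   # assumed allow-list; tune per environment

def _has_arguments(cmdline: str, image: str) -> bool:
    """True if anything follows the image name on the command line (quotes ignored)."""
    _, sep, tail = cmdline.lower().partition(image.lower())
    return sep != "" and tail.strip(' "\'') != ""

def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the heuristics from the text that this event trips (empty = nothing odd)."""
    img, findings = ev.image.lower(), []
    if img in NO_ARGS_SUSPECTS and not _has_arguments(ev.cmdline, img):
        findings.append(f"{img} started without command-line options (injection target?)")
    if img == "svchost.exe" and ev.parent.lower() not in TRUSTED_SVCHOST_PARENTS:
        findings.append(f"svchost.exe launched by untrusted parent {ev.parent}")
    if img == "svchost.exe" and ev.remote_port in (447, 449):
        findings.append(f"svchost.exe connecting on tcp/{ev.remote_port}")
    if img == "vbc.exe" and "/stext" in ev.cmdline.lower():
        findings.append("vbc.exe with /stext (injected Nirsoft credential tool?)")
    if ev.path.startswith("memfd:"):
        findings.append(f"image backed by {ev.path} (spawned from injected code)")
    return findings

# Constructed sample events: index 0 is a normal service host, the rest mirror the text.
SAMPLES = [
    ProcessEvent("svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p", "services.exe"),
    ProcessEvent("svchost.exe", r"C:\Windows\System32\svchost.exe", "winword.exe",
                 remote_port=449),
    ProcessEvent("vbc.exe", r"vbc.exe /stext C:\Users\Public\out.txt", "explorer.exe"),
    ProcessEvent("python3", "python3", "bash", path="memfd:payload (deleted)"),
]

def triage() -> dict[int, list[str]]:
    """Map each sample index that trips at least one heuristic to its findings."""
    return {i: f for i, ev in enumerate(SAMPLES) if (f := evaluate(ev))}
```

The benign svchost.exe trips nothing, while the argument-less svchost.exe under winword.exe trips three rules at once, which is the kind of stacking that separates a confirmed threat from a single noisy signal.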
In addition, adversaries may modify some files or environment variables on macOS and Linux systems to signal intent for Process Injection:
- On macOS, modifying the DYLD_INSERT_LIBRARIES environment variable may allow injection.
- On Linux systems, modifying the /etc/ld.so.preload file or the environment variables LD_LIBRARY_PATH may allow injection.
Weeding out false positives
The analytics that produced the most false positives came from looking for CreateRemoteThread calls from any and all processes. Many tools in Windows use Process Injection legitimately for debugging and virtualization. If you want to write analytics around this API call, focus them on unusual source processes, such as Microsoft Office products and tools that commonly deliver first-stage malware like scripts and Mshta.