Why do adversaries use Process Injection?
Note: Process Injection comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques.
Process Injection is a versatile technique that adversaries leverage to perform a wide range of malicious activity. It’s so versatile that ATT&CK includes 12 sub-techniques of Process Injection. Adversaries perform process injection because it allows them to execute malicious activity by proxy through processes that either have information of value (e.g.,
lsass.exe) or that blend in with benign operating system activity.
In addition to being stealthy, code can inherit the privilege level of the process it’s injected into and gain access to parts of the operating system that shouldn’t be otherwise available. Another added benefit of process injection is that it allows payloads to be launched within the memory space of a running process without needing to drop any malicious code to disk.
For example, you may be able to build a high-fidelity detection analytic that triggers any time PowerShell makes an external network connection. However, to avoid this method of detection, an adversary might inject their PowerShell process into a browser. In doing so, they’ve taken a potentially suspicious behavior—PowerShell making an external network connection—and replaced it with a seemingly normal behavior—a browser making an external network connection. What was detectable based on process lineage and network connections before process injection now relies on a mix of command-line parameters and binary metadata, to name a couple of telemetry sources.
How do adversaries use Process Injection?
With 12 sub-techniques, there’s no shortage of ways that an adversary can perform Process Injection. However, most of the injection behaviors we detect can be classified into just two categories:
- Evasion: Adversaries inject into a process that is functionally necessary and can’t be killed, that naturally makes high volumes of network connections or module loads, or that allows an adversary to perform an action that seems suspicious in the context of one process but benign in the context of another (e.g., making a network connection).
- Data theft: Adversaries inject into a process that gives them the ability to harvest sensitive information like credentials or otherwise abuse the capabilities of that process.
Across our data set, PowerShell is the most common culprit of process injection, and it injects into many processes to achieve many different goals. Some other process injectors include Microsoft Office applications,
Inversely, we detect adversaries injecting into a long list of processes, including the following:
lsass.exe (credential theft)
svchost.exe (evasion and credential theft)
backgroundtaskhost.exe (application control bypass)
dllhost.exe (commonly used to host COM components, adversaries often inject into this process in order to blend in to a process that executes often and is expected to have a short lifetime)
regsvr32.exe (application control bypass and other evasion)
searchprotocolhost.exe (application control bypass and other evasion).
- browser processes (normalizing network connections, info stealing/banking trojans)
The prevalence of process injection is buoyed in part by popular and widely available malware kits like Cobalt Strike, Metasploit, and other offensive tools that considerably lower the barrier of entry. What once existed mostly in the domain of more capable adversaries has since trickled down to nearly everyone else.