Technique T1055

Process Injection

Process Injection was the most common threat we observed in our customers’ environments in 2019, largely because TrickBot uses the technique to run arbitrary code through the Windows Service Host (svchost.exe).


#1

Overall rank

35%

Organizations affected

2734

Confirmed threats

Analysis

Process Injection rose to the top of our rankings due to widespread TrickBot and Emotet outbreaks in late 2018 that continued through 2019.

Why do adversaries use Process Injection?

Process Injection tops our list as the most common ATT&CK technique across our customer base due to a very specific threat: TrickBot. However, the technique is actually quite versatile, facilitating a range of actions as broad as nearly any other ATT&CK technique. Categorized under both Defense Evasion and Privilege Escalation, Process Injection is arguably an Execution technique as well.

Process Injection is a technique whereby an adversary is able to carry out some nefarious activity in the context of a legitimate process. In this way, malicious activity—whether it’s an overtly malicious binary or a process that’s been co-opted as such—blends in with routine operating system processes.

Stealth, however, is just one of the benefits of Process Injection. Its most useful function may be that arbitrary code, once injected into a legitimate process, can inherit the privileges of that process or, similarly, access parts of the operating system that shouldn’t be otherwise available.

How do adversaries use Process Injection?

In the environments we monitor, the vast majority of Process Injection activity results from TrickBot infections. Specifically, TrickBot launches svchost.exe and then uses Process Injection to carry out malicious activity.

Some other common variations of Process Injection include:

  • Remotely injecting code libraries into running processes
  • Using seemingly benign processes such as notepad.exe to make external network connections and later injecting code that performs malicious actions
  • Leveraging Microsoft Office applications to create RemoteThread injections into dllhost.exe for the purposes of conducting attacks with malicious macros
  • Cross-process injection initiated by lsass.exe into taskhost.exe
  • Metasploit injecting itself into processes such as svchost.exe to avoid suspicion and increase stability
  • Injecting code into a browser process to enable snooping on a user’s browsing session, which is a common characteristic of banking and other credential-stealing trojans

In addition to TrickBot, we have also seen the following malware families carry out Process Injection:

  • PlugX
  • Dridex
  • Emotet
  • AgentTesla
  • Hancitor
  • Ursnif/Dreambot

Sighted with

We most commonly see Process Injection occurring in tandem with Scheduled Tasks (T1053) across our customer base because TrickBot sometimes uses Scheduled Tasks for persistence.

We also often see Process Injection paired with Remote File Copy (T1105) and Windows Admin Shares (T1077). Code injected into TrickBot downloads additional libraries for execution, explaining its occurrence with Remote File Copy, while TrickBot and common follow-on trojan Emotet use Windows Admin Shares to move laterally on an infected network.

Far less often we see Process Injection alongside Uncommonly Used Port (T1509)—likely because code injected by TrickBot may communicate on tcp/447 and tcp/449 for command and control—and Mshta (T1170). The latter is the result of newer .NET exploitation tools such as DotNetToJScript and CACTUSTORCH that allow attackers to inject code from HTML Applications.

Definition

Detection

MITRE’s data sources

  • API monitoring
  • Windows Registry
  • File monitoring
  • DLL monitoring
  • Process monitoring
  • Named Pipes

Collection requirements

Process monitoring

Process monitoring is a minimum requirement for reliably detecting Process Injection. Even though injection can be invisible to some forms of process monitoring, the effects of the injection can become harder to miss once you compare process behaviors against expected functionality.

API monitoring

If possible, monitor API system calls that include CreateRemoteThread in Windows. This will indicate a process is using the Windows API to inject code into another process. Security teams should monitor for the ptrace system calls on Linux as well.

Detection suggestions

The detection of Process Injection involves hunting for legitimate processes doing unexpected things. This may involve processes making external network connections and writing files, or it may involve processes spawning with unexpected command-line arguments.

Some good examples of odd behavior within a process include:

  • Svchost.exe making network connections on tcp/447 and tcp/449
  • Notepad.exe making external network connections
  • Mshta.exe calling CreateRemoteThread to inject code

Some good examples of odd paths or command lines that may indicate injection:

  • Rundll32.exe, regasm.exe, regsvr32.exe, regsvcs.exe, svchost.exe, and werfault.exe process executions without command-line options may indicate they are targets of process injection.
  • Microsoft processes such as vbc.exe with command lines including /scomma, /shtml, or /stext may indicate the injection of Nirsoft tools for credential access
  • Linux processes with memfd: in their path indicate they were spawned from code injected into another process.

Specific to TrickBot, we have two behavioral analytics that look for untrusted processes launching svchost.exe. Collectively, these two analytics—on their own and in tandem—uncovered more than 4,200 confirmed threats. A third analytic looks for a mix of svchost.exe injection and network connections. It converted into a confirmed threat nearly 2,500 times.

In addition, adversaries may modify some files or environment variables on macOS and Linux systems to signal intent for Process Injection:

  • On macOS, modifying the DYLD_INSERT_LIBRARIES environment variable may allow injection.
  • On Linux systems, modifying the /etc/ld.so.preload file or the environment variables LD_PRELOAD or LD_LIBRARY_PATH may allow injection.

Weeding out false positives

The analytics that produced the most false positives came from looking for CreateRemoteThread calls from any and all processes. Many tools in Windows use Process Injection legitimately for debugging and virtualization. If you want to write analytics around this API call, focus them on unusual source processes, such as Microsoft Office products and tools that commonly deliver first-stage malware like scripts and Mshta.

Testing

Getting Started With Atomic Red Team

Start testing your defenses against Process Injection using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

View Atomic tests for T1055: Process Injection. In most environments, these should be sufficient to generate a useful signal for defenders.

Run this test on a Windows system using PowerShell:
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "$env:TEMP\T1055.dll"

$mypid = (get-process spoolsv).id
mavinject $mypid /INJECTRUNNING $env:\TEMP\T1055.dll
Useful telemetry will include:
Data sourceTelemetry
Data source:

Process monitoring

Telemetry:

powershell.exe, mavinject.exe

Data source:

DLL monitoring

Telemetry:

T1055.dll

Data source:

API monitoring

Telemetry:

VirtualAllocEx, WriteProcessMemory, CreateRemoteThread

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.

Jason Killam
Detection Engineer
The detection strategies in this section were brought to you by Jason Killam, who works on Red Canary's Cyber Incident Response Team (CIRT) as a detection engineer. Prior to that, Jason worked as an incident responder for security teams in the financial sector.
The detection strategies in this section were brought to you by Jason Killam, who works on Red Canary's Cyber Incident Response Team (CIRT) as a detection engineer. Prior to that, Jason worked as an incident responder for security teams in the financial sector.