One critical goal that malicious hackers face is hiding the activity of their malware. If detected, an attack campaign will be swiftly cut short, erasing the foothold that attackers worked so hard to achieve. On the other hand, stealthy attacks increase an infection's dwell time and the chances that an attacker will successfully achieve their end goals by allowing them to do more thorough reconnaissance, identify higher value targets, move laterally, and eventually act on end-game targets.
The term Process Injection serves as an umbrella term for a class of cyber attack techniques that leverage the "trusted context" of legitimate processes. The inherently trusted context of legitimate processes offers an attacker a way to execute malicious code covertly - hidden from all but the most sophisticated defensive cyber security products. Since traditional defensive solutions such as anti-virus products focus on scanning files as they ingress a system or before they are executed rather than while they are operating, executing code in the context of a trusted process can bypass traditional defensive approaches. Process Injection can also serve other attacker tactics well such as privilege escalation and data theft by gaining the permissions of the hijacked process.
How Process Injection Attacks Work
Registers are high-speed storage locations in a CPU and are used to store temporary data, intermediate values, memory addresses, or control information while the processor executes instructions; together with the process's memory they make up its execution context. The execution context of a process also includes critical security context such as the process's user security identifier (SID), privileges, access rights, and other user-specific attributes associated with the process. So, by manipulating a trusted process, an attacker can hijack the execution context that comes along with the exploited process and bypass some security checks that could potentially thwart the same malicious commands if they were executed as a new process directly associated with the malware's executable file.
Process Injection attack techniques are relatively advanced and share the common goal of altering the normal functioning of a process for malicious purposes.
Let's take a look at some different forms of Process Injection attacks:
Portable Executable (PE) Injection
In a PE Injection attack, the adversary first modifies the memory of a running process and then executes the modified memory contents as a new thread. Because the malicious code runs as a separate thread, the target process can more or less continue to function as expected.
PE Injection requires the injected code to be "position independent", meaning it can be executed regardless of its absolute memory location, such as shellcode or a reflective DLL. The malware Ramnit uses the PE Injection technique, and the penetration testing toolkit Cobalt Strike is also capable of this technique.
Process Hollowing
Process hollowing involves creating a new instance of a legitimate process in a suspended state, and then replacing its code and memory contents with malicious code before resuming the process from the suspended state.
The original process is "hollowed out" and runs the attacker's code instead. Process Hollowing is the most commonly used Process Injection attack; Trickbot's main payload relies on process hollowing to avoid detection and elevate privileges.
Thread Local Storage (TLS)
The TLS technique exploits something known as the TLS directory, which is referenced from the PE header.
Because TLS attacks modify the PE's TLS directory, the exploit can take place before the target process is actually loaded. TLS attacks aim to simply change the AddressOfCallbacks pointer in the PE's TLS directory, redirecting it to malicious code which will be executed before the target process is able to execute its own legitimate code. Ursnif is an example of malware that uses the TLS technique.
Dynamic-link Library (DLL) Injection
DLL Injection is achieved by injecting DLL executable code into the virtual address space of a target process and then spawning a new thread from the target process that is pointed to the entry point address of the injected DLL.
DLL Injection is similar to PE injection except that the executable code is packaged as a DLL rather than as a bare PE image or shellcode.
How EDR Defends Against Process Injection
Endpoint Detection and Response (EDR) solutions can help identify and respond to Process Injection attacks because they proactively monitor processes in real time and use behaviour-based analysis and machine learning (ML) algorithms for heuristic analysis to identify when a process is behaving abnormally, such as referencing native Windows APIs out of context.
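As an added illustration (not code from the original article) of the behaviour-based heuristics this section describes, the following Python replays constructed API telemetry per process pair and flags the ordered cross-process call sequences that characterise the remote-thread injection (PE/DLL injection) and process hollowing techniques described above. The event format, PIDs and signature lists are assumptions made for this example, not a real EDR's data model.

```python
from collections import defaultdict

# Constructed sample telemetry: (timestamp, source_pid, api, target_pid, flags).
# The field layout and PIDs are assumptions for this example, not a real EDR format.
SAMPLE_EVENTS = [
    (1, 4100, "OpenProcess", 5200, ""),
    (2, 4100, "VirtualAllocEx", 5200, ""),
    (3, 4100, "WriteProcessMemory", 5200, ""),
    (4, 4100, "CreateRemoteThread", 5200, ""),  # PE/DLL injection pattern
    (5, 6000, "CreateProcess", 7100, "CREATE_SUSPENDED"),
    (6, 6000, "WriteProcessMemory", 7100, ""),
    (7, 6000, "SetThreadContext", 7100, ""),
    (8, 6000, "ResumeThread", 7100, ""),  # process hollowing pattern
    (9, 8000, "VirtualAlloc", 8000, ""),  # benign: own address space
    (10, 8000, "CreateThread", 8000, ""),
    (11, 9000, "CreateProcess", 9500, ""),  # benign child spawn, not suspended
    (12, 9000, "ResumeThread", 9500, ""),
]

# Ordered API sequences that, when aimed at a *different* process, match the
# techniques in the article. Unrelated calls in between are ignored.
SIGNATURES = {
    "remote_thread_injection": ["WriteProcessMemory", "CreateRemoteThread"],
    "process_hollowing": ["CreateProcess:CREATE_SUSPENDED",
                          "WriteProcessMemory", "ResumeThread"],
}

def _key(api, flags):
    # Fold creation flags into the API name so they can be matched.
    return f"{api}:{flags}" if flags else api

def detect_injection(events):
    """Return sorted (technique, source_pid, target_pid) findings."""
    per_pair = defaultdict(list)  # cross-process calls grouped by (src, tgt)
    for _ts, src, api, tgt, flags in sorted(events):
        if src != tgt:  # calls into a process's own address space are normal
            per_pair[(src, tgt)].append(_key(api, flags))
    findings = set()
    for (src, tgt), seq in per_pair.items():
        for name, pattern in SIGNATURES.items():
            pos = 0
            for call in seq:  # ordered subsequence match
                if call == pattern[pos]:
                    pos += 1
                    if pos == len(pattern):
                        findings.add((name, src, tgt))
                        break
    return sorted(findings)

if __name__ == "__main__":
    print(detect_injection(SAMPLE_EVENTS))
```

The same-process calls (PIDs 8000 and 9000) are deliberately not flagged, which is the "out of context" distinction the heuristic relies on: the APIs are ordinary, the cross-process target is not.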
Extended Detection and Response (XDR) is not only able to monitor each endpoint for advanced attacks but also shares data between endpoints to increase protection across an entire IT environment.
Process injection is a sophisticated class of cyber attacks that leverages trusted processes to execute malicious code covertly, and also potentially hijack the privileges of the target process. Techniques like process hollowing, TLS, PE injection, and DLL injection simply cannot be detected by traditional anti-virus products because these products only assess the contents of files looking for malicious code, but do not assess the behaviour of running processes or contents of executable memory space.
Advanced security products such as EDR/XDR are crucial for detecting and defending against advanced threats such as Process Injection attacks because they are capable of real-time process context analysis.
Ready to protect your organization against stealthy cyberattacks? Find infrastructure weaknesses others overlook through 95% manual pentesting, or reach out to our ethical hackers today for a free, zero-obligation quote.