In the ever-evolving world of cyber threats, one tactic has remained consistently popular among attackers: Process Injection. Identified by the MITRE ATT&CK framework as a common technique used in malware, Process Injection involves running custom code within the memory space of another process. This method is also known as fileless malware, as it doesn’t require malicious code to be written to disk, making it harder to detect.
What is Process Injection?
Process Injection is a defense evasion technique in which an attacker injects malicious code into the memory space of a live process. This enables them to execute arbitrary code under the guise of a legitimate process, potentially granting them access to system and network resources, and possibly elevated privileges. Consequently, this technique can be used to evade detection from security products, as the malicious code’s execution is masked under a legitimate process.
A significant advantage of Process Injection for attackers is that it enables payloads to be executed without requiring the malicious code to be written to disk. This technique can be particularly effective when the injected code is run within processes that either contain valuable information or blend in with normal operating system operations. This blending of malicious activity with normal operations makes detection even more challenging.
Despite the broad range of process injection techniques available, the following are some of the most commonly utilized:
- DLL Injection
- P.E. Injection
- Process Hollowing
- Hook Injection
Process Injection Techniques Explained
DLL Injection is one of the most common techniques of process injection. This method involves injecting a malicious Dynamic Link Library (DLL) into a running process’s memory space. Once loaded, the malicious DLL code can execute within the context of the running process, giving it the same access rights as the process.
Portable Executable (PE) Injection is another common technique. It involves injecting an entire PE file (which could be a DLL or an EXE) into the memory space of another process. This technique is more complicated than DLL Injection, as it requires the attacker to manually map the PE file into the target process’s memory.
Process Hollowing, also known as RunPE, is a more advanced technique. It involves creating a new process in a suspended state, hollowing out the memory of that process, and then running the malicious code in that hollowed-out space. This technique can be harder to detect, as the malicious code runs within what seems to be a legitimate process.
Hook Injection is another method that leverages Windows hook procedures, which allow the interception of certain types of events, such as mouse clicks or keystrokes. In this technique, the attacker installs a hook procedure to intercept events and injects the malicious code into that hook procedure.
AppInit_DLLs is a registry value that specifies DLLs to be loaded into each process that calls the User32.dll library. Attackers can exploit this feature by adding the pathname of a malicious DLL to this registry value, causing the DLL to be loaded into every process that uses User32.dll. This technique is particularly powerful because User32.dll is used by many applications, potentially allowing the attacker to inject their code into numerous processes.
The Attacker’s Perspective
From an attacker’s perspective, Process Injection offers several key advantages. One of the primary advantages is that it allows them to misuse standard Windows processes, making it challenging for defenders to identify the attack. Some of the commonly exploited processes include “explorer.exe”, “svchost.exe”, “regsvr32.exe”, “dllhost.exe”, “services.exe”, “cvtres.exe”, “msbuild.exe”, “# The text has been cut off. Let’s search for common Windows processes exploited in process injection attacks to complete the section. Search (“commonly exploited Windows processes in process injection attacks”) powershell.exe”, and “cmd.exe”. These processes are generally trusted by security solutions and are ubiquitous in a Windows environment, which makes them misuse all the more dangerous.
Another advantage is that Process Injection can be used to gain persistence on a system. By injecting malicious code into a process that is automatically started when the system boots, an attacker can ensure their code is run each time the system starts. This can make removal of the injected code more difficult and allow the attacker to maintain access to the system over a prolonged period.
Defense Against Process Injection Attacks
Defending against Process Injection attacks can be challenging due to the technique’s stealthy nature and the legitimate uses of many of the system features it exploits. However, there are several strategies that organizations can employ to help protect against these attacks.
One of the most effective defenses against process injection attacks is proper patch management. Many process injection techniques rely on exploiting vulnerabilities in software that have been patched by the software vendor. Therefore, regularly updating and patching software can significantly reduce the attack surface for process injection attacks. For example, the most commonly exploited vulnerabilities in 2020 and 2021 were in everyday IT tools that had available patches1.
Least Privilege Principle
Adopting the principle of least privilege can also help to reduce the potential damage of a process injection attack. This principle involves limiting the permissions of each user and process on a system to the minimum they require to perform their function. By doing so, even if an attacker is able to inject code into a process, they may be limited in what they can do if the process has limited privileges.
Anomaly detection can also be a useful tool in identifying process injection attacks. This involves monitoring system behavior and flagging any activity that deviates significantly from the norm. For example, if a normally low-resource process suddenly starts using a large amount of system resources, this could be an indication of a process injection attack.
Endpoint Security Solutions
Endpoint security solutions that incorporate behavior-based detection capabilities can be effective at detecting and mitigating process injection attacks. These solutions monitor system behavior and use machine learning algorithms to identify anomalous activity that could indicate a process injection attack.
Regular auditing of system logs can help identify signs of process injection attacks. This could include looking for unusual process activity, such as processes launching other processes or unexpected network connections being established.
Process Injection is a powerful technique used by attackers to evade detection and gain persistence on a system. By understanding the methods used in these attacks and implementing robust defensive measures, organizations can significantly reduce their risk of falling victim to this type of attack.
However, it’s crucial to keep in mind that attackers are always evolving their techniques and looking for new vulnerabilities to exploit. Therefore, maintaining a strong security posture requires continuous monitoring, regular patching, and staying up-to-date with the latest threat intelligence1.