Breaking down process injection (T1055)

What is process injection?

Cyberattacks, from a broad perspective, can be classified into two phases. The first phase involves breaking into the network perimeter while the second phase involves moving around the target network. During the second phase, the attacker prefers to stay under the radar and employs various techniques to achieve the same.

One defense evasion technique (ID: TA0005) of the MITRE ATT&CK framework that attackers use is process injection (ID: T1055). It entails running a custom code within the address space of another process. Since the execution is hidden behind a legitimate process, process injection can go undetected.

Understanding process injection

Process injection involves inputting malicious code to a web application with which the user interacts. The injected code runs in the target process and manipulates its behavior. It can give access to sensitive data or exploit the system's resources.

Let's look more in depth at the process injection technique with the help of a use case to better understand how it works.

Consider an adversary who's trying to extract login credentials and perform unauthorized transactions on a banking application. They can employ process injection for their task.

Breaking down the steps involved in process injection:

• Target selection: The attacker looks out for a target process and selects one based on its privileges.
• Reconnaissance: The target system is researched upon and potential vulnerabilities are identified.
• Allocating memory: The attacker allocates memory within the target process to hold the malicious code.
• Code injection: Threat actors come up with malicious code to inject into the target process. This injection can be done using various techniques.
• Execution: Following successful injection, the code performs actions like privilege escalation, data theft, command execution, etc.
• Evasion: The injected code uses different evasion tactics to circumvent security systems.

Process injection techniques

Process injection can be performed by employing many sub tactics like dynamic link library (DLL) injection, process hallowing, portable executable injection, extra window memory injection, etc. Among all, DLL injection is the most popular technique used by threat actors.

DLL injection is a technique where a specific type of file, a DLL, is introduced into a target software process. A process is simply a running instance of a software program. By injecting a DLL into a process, the injector can access the process's memory and use its resources. This is because DLLs are files that hold code that can be used by several programs at once.

While DLL injection can be used for normal operations, like making one program work smoothly with another, it can also be exploited for malicious purposes. Various methods can be employed to perform DLL injection, including techniques known as:

• Load library: This is a method to load and execute code from a DLL.
• Create remote thread: This is a window API that enables the injection of code into another process and runs it as a part of the same.
• SetWindowsHookEx: This is a function that is exploited to inject code into another process through installation of hook procedures.

Detecting and mitigating process injection

DLL injection attacks are quite stealthy and can therefore be challenging to detect. Nevertheless, having a good understanding of the attack mechanism can help us think of ways to discern it.

The following are some ways to spot DLL injection attacks:

• Identify unusual or unauthorized DLL loading and injection attempts by watching the relevant API calls. Function calls connected to DLL injection and loading can be tracked by using API hooking strategies.
• Build a database of hashes or signatures for known harmful DLLs and scan processes, memory, and loaded DLLs for matches against these signatures using antivirus or anti-malware tools.
• To spot suspicious activity, keep an eye on processes and the interactions among them. Identify processes that are acting strangely, injecting code into other processes, or loading DLLs from unusual locations.
• Look for any signs of DLL injection attacks in system logs. Watch out for anomalies, warnings, or unexpected DLL loading events that can point to an ongoing attack.

In order to mitigate DLL injection attacks, we can implement runtime defenses that can instantly identify and stop DLL injection threats and use endpoint security solutions that detect behavioral patterns. Setting up stringent input validation and sanitization controls to stop applications from processing untrusted data can help us stay safe. We can also take system hardening measures and restrict file permissions. However, no single measure can ensure complete defense against the attack. It is recommended to follow a tiered approach combining multiple security controls and user awareness.