T1055.001: Dynamic-link Library Injection
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx
and WriteProcessMemory
, then invoked with CreateRemoteThread
(which calls the LoadLibrary
API responsible for loading the DLL).
Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary
).
Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint
before starting a new thread in the target process. This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_cred_access: PT-CR-768: Intercept_Creds_from_MSTSC: Unloading of credentials used in mstsc.exe during an RDP connection is detected
mitre_attck_cred_access: PT-CR-770: Lsass_DLL_Injection: A library was injected into the Local Security Authority Subsystem Service (LSASS) process. After a user logs in, the system creates various credentials and stores them in the LSASS process memory.
vulnerabilities: PT-CR-2314: CVE_2024_21378_Outlook_RCE: Exploitation of vulnerability CVE-2024-21378 in Outlook. The vulnerability allows code execution using Outlook forms.
vulnerabilities: PT-CR-682: CVE_2022_26503_Subrule_1: An unsigned library was loaded into the Veeam.EndPoint.Manager process
vulnerabilities: PT-CR-683: CVE_2022_26503_Subrule_2: Process Veeam.EndPoint.Service started another process
hacking_tools: PT-CR-760: SharpRDPThief_Usage: Use of SharpRDPThief to save RDP session credentials is detected
hacking_tools: PT-CR-762: Subrule_MSTSC_SharpRDPThief_Usage: Injection of the Easyhook.dll and Easyload.dll libraries into the mstsc.exe process is detected
hacking_tools: PT-CR-763: Subrule_Thread_SharpRDPThief_Usage: Connection of the Easyhook.dll library to a malicious process and creation of threads in mstsc.exe by the process is detected
hacking_tools: PT-CR-1726: Havoc_Powerpick: A suspicious process infiltrated process werfault.exe, which may indicate the use of the Havoc software that allows to covertly execute PowerShell commands
hacking_tools: PT-CR-754: Cobalt_Strike_Service_Move: Use of BOF (ServiceMove) for Cobalt Strike is detected
mitre_attck_defense_evasion: PT-CR-454: Dnscmd_AWL_Bypass: An attempt to bypass application-start restrictions by using the built-in Microsoft Windows utility dnscmd.exe (a command-line interface for managing DNS servers)
mitre_attck_privilege_escalation: PT-CR-460: DLL_Hijacking: An attempt to elevate account privileges by loading a malicious library is detected
Detection
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.
This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process. |
---|
ID | DS0009 | Data source and component | Process: Process Metadata | Description | Monitor for process memory inconsistencies compared to DLL files on disk by checking memory ranges against a known copy of the legitimate module. |
---|
ID | DS0009 | Data source and component | Process: Process Access | Description | Monitor for process being viewed that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. |
---|
ID | DS0009 | Data source and component | Process: Process Modification | Description | Monitor for changes made to processes that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic. Analytic 1 - DLL Injection with Mavinject
|
---|
ID | DS0011 | Data source and component | Module: Module Load | Description | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and module loads to help reduce the number of events that are produced. |
---|
Mitigation
ID | M1040 | Name | Behavior Prevention on Endpoint | Description | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
---|