Process Injection
Sub-techniques (12)
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
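Because the injected code runs inside a legitimate host, the most reliable signal is the cross-process boundary itself rather than the host's image name. The block below is an added example, not part of the ATT&CK page or any tool it cites: it scores simplified Sysmon-style Event ID 8 (CreateRemoteThread) records for the patterns that recur in the procedure examples on this page (a remote thread whose start address no loaded module owns, a LoadLibrary entry point, a commonly abused host such as explorer.exe or svchost.exe, a source running from a user-writable path). The key=value record layout, the sample events, the allowlist of benign sources and the weights are all constructed assumptions for illustration; real Sysmon XML carries the same field names but must be parsed from XML.

```python
"""Score Sysmon-style Event ID 8 (CreateRemoteThread) records for likely process injection."""
import re
from dataclasses import dataclass

# Hosts that the procedure examples on this page show being injected into.
COMMON_TARGETS = {"explorer.exe", "svchost.exe", "rundll32.exe", "notepad.exe",
                  "regasm.exe", "wuauclt.exe", "vbc.exe", "iexplore.exe"}

# Sources that create remote threads as part of normal Windows operation.
# Assumption: a starting allowlist to be tuned per environment, not a vendor list.
BENIGN_SOURCES = {"csrss.exe", "werfault.exe", "msmpeng.exe"}

# Directories an unprivileged user can write to (assumed typical staging locations).
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads)|programdata|temp|windows\\temp)\\", re.I)

# Simplified key=value record format assumed for this example (values may be quoted).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class RemoteThread:
    source_image: str
    target_image: str
    start_module: str    # module backing the thread start address; "-" if none
    start_function: str
    start_address: str

    @property
    def source_name(self) -> str:
        return self.source_image.rsplit("\\", 1)[-1].lower()

    @property
    def target_name(self) -> str:
        return self.target_image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str):
    """Parse one record; return None for anything that is not Event ID 8."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("EventID") != "8":
        return None
    return RemoteThread(fields.get("SourceImage", ""), fields.get("TargetImage", ""),
                        fields.get("StartModule", "-"), fields.get("StartFunction", "-"),
                        fields.get("StartAddress", ""))


def score_event(ev: RemoteThread):
    """Return (score, reasons). Weights are assumptions chosen for illustration."""
    if ev.source_name in BENIGN_SOURCES or ev.source_image == ev.target_image:
        return 0, []
    score, reasons = 0, []
    if ev.start_module in ("", "-"):
        # Thread entry in memory no module owns: the hallmark of injected shellcode.
        score += 50
        reasons.append("start address not backed by a loaded module")
    elif ev.start_module.lower().endswith("kernel32.dll") and \
            ev.start_function.lower().startswith("loadlibrary"):
        # Classic DLL injection: a remote thread whose entry point is LoadLibrary*.
        score += 40
        reasons.append("thread entry is LoadLibrary (DLL injection pattern)")
    if ev.target_name in COMMON_TARGETS:
        score += 20
        reasons.append(f"target {ev.target_name} is a commonly abused host")
    if USER_WRITABLE.search(ev.source_image):
        score += 30
        reasons.append("source runs from a user-writable path")
    return score, reasons


def detect(lines, threshold=50):
    """Return [(source_name, target_name, score, reasons)] at or above threshold, highest first."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append((ev.source_name, ev.target_name, score, reasons))
    return sorted(findings, key=lambda f: f[2], reverse=True)


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    r'EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage="C:\Program Files\Vendor\app.exe" '
    r'StartModule=C:\Windows\System32\ntdll.dll StartFunction=EtwpNotificationThread StartAddress=0x7FFA1000',
    r'EventID=8 SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe TargetImage=C:\Windows\explorer.exe '
    r'StartModule=- StartFunction=- StartAddress=0x1A2B0000',
    r'EventID=8 SourceImage="C:\Program Files\Vendor\agent.exe" TargetImage=C:\Windows\System32\svchost.exe '
    r'StartModule=C:\Windows\System32\kernel32.dll StartFunction=LoadLibraryA StartAddress=0x7FFA2000',
    r'EventID=8 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\notepad.exe '
    r'StartModule=C:\Windows\System32\ntdll.dll StartFunction=RtlUserThreadStart StartAddress=0x7FFA3000',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for src, dst, score, reasons in detect(SAMPLE_EVENTS):
        print(f"{score:3d} {src} -> {dst}: {'; '.join(reasons)}")
```

On the constructed sample the Temp-resident binary creating an unbacked thread in explorer.exe scores 100 and the LoadLibraryA thread into svchost.exe scores 60, while the csrss.exe source is allowlisted and the svchost.exe to notepad.exe thread with a module-backed entry stays below the threshold. The unbacked start address carries the most weight because `RtlCreateUserThread`/`CreateRemoteThread` against memory no module owns has very few benign explanations; injection techniques that never create a remote thread (APC queuing, thread hijacking, hollowing a suspended process) produce no Event ID 8 at all and need Event ID 10 (ProcessAccess) or memory-scan telemetry instead.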
Procedure Examples

Name | Description |
---|---|
Agent Tesla | Agent Tesla can inject into known, vulnerable binaries on targeted hosts.(Citation: SentinelLabs Agent Tesla Aug 2020) |
Lizar | Lizar can migrate the loader into another process.(Citation: BiZone Lizar May 2021) |
SLOTHFULMEDIA | SLOTHFULMEDIA can inject into running processes on a compromised host.(Citation: CISA MAR SLOTHFULMEDIA October 2020) |
IronNetInjector | IronNetInjector can use IronPython scripts to load a .NET injector that injects a payload into its own or a remote process.(Citation: Unit 42 IronNetInjector February 2021) |
DUSTTRAP | DUSTTRAP compromises the `.text` section of a legitimate system DLL in `%windir%` to hold the contents of retrieved plug-ins.(Citation: Google Cloud APT41 2024) |
BADHATCH | BADHATCH can inject itself into an existing explorer.exe process by using `RtlCreateUserThread`.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) |
HyperBro | HyperBro can run shellcode it injects into a newly created process.(Citation: Unit42 Emissary Panda May 2019) |
Sliver | Sliver can inject code into local and remote processes.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2) |
Bazar | Bazar can inject code through calling |
Silence | Silence has injected a DLL library containing a Trojan into the fwmain32.exe process.(Citation: Group IB Silence Sept 2018) |
TSCookie | TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes.(Citation: JPCert BlackTech Malware September 2019) |
REvil | REvil can inject itself into running processes on a compromised host.(Citation: McAfee REvil October 2019) |
Donut | Donut includes a subproject |
BBK | BBK has the ability to inject shellcode into svchost.exe.(Citation: Trend Micro Tick November 2019) |
Cutting Edge | During Cutting Edge, threat actors used malicious SparkGateway plugins to inject shared objects into web process memory on compromised Ivanti Secure Connect VPNs to enable deployment of backdoors.(Citation: Mandiant Cutting Edge Part 3 February 2024) |
GuLoader | GuLoader has the ability to inject shellcode into a donor process that is started in a suspended state. GuLoader has previously used RegAsm as a donor process.(Citation: Medium Eli Salem GuLoader April 2021) |
Honeybee | Honeybee uses a batch file to load a DLL into the svchost.exe process.(Citation: McAfee Honeybee) |
APT32 | APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe.(Citation: Cybereason Cobalt Kitty 2017) |
Wizard Spider | Wizard Spider has used process injection to execute payloads to escalate privileges.(Citation: Mandiant FIN12 Oct 2021) |
ANDROMEDA | ANDROMEDA can inject into the `wuauclt.exe` process to perform C2 actions.(Citation: Mandiant Suspected Turla Campaign February 2023) |
COATHANGER | COATHANGER includes a binary labeled `authd` that can inject a library into a running process and then hook an existing function within that process with a new function from that library.(Citation: NCSC-NL COATHANGER Feb 2024) |
AuditCred | AuditCred can inject code from files into other running processes.(Citation: TrendMicro Lazarus Nov 2018) |
gh0st RAT | gh0st RAT can inject malicious code into a process created by the "Command_Create&Inject" function.(Citation: Gh0stRAT ATT March 2019) |
NETWIRE | NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe.(Citation: Red Canary NETWIRE January 2020) |
Backdoor.Oldrea | Backdoor.Oldrea injects itself into explorer.exe.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021) |
Remcos | Remcos has a command to hide itself through injecting |