Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Process Injection:  Внедрение DLL-библиотек

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

ID: T1055.001
Относится к технике:  T1055
Тактика(-и): Defense Evasion, Privilege Escalation
Платформы: Windows
Требуемые разрешения: User
Источники данных: Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Версия: 1.3
Дата создания: 14 Jan 2020
Последнее изменение: 11 Aug 2023

Примеры процедур

Название Описание
Heyoka Backdoor

Heyoka Backdoor can inject a DLL into rundll32.exe for execution.(Citation: SentinelOne Aoqin Dragon June 2022)

Saint Bot

Saint Bot has injected its DLL component into `EhStorAurhn.exe`.(Citation: Malwarebytes Saint Bot April 2021)

Emissary

Emissary injects its DLL file into a newly spawned Internet Explorer process.(Citation: Lotus Blossom Dec 2015)

Remsec

Remsec can perform DLL injection.(Citation: Kaspersky ProjectSauron Technical Analysis)

DarkTortilla

DarkTortilla can use a .NET-based DLL named `RunPe6` for process injection.(Citation: Secureworks DarkTortilla Aug 2022)

BlackEnergy

BlackEnergy injects its DLL component into svchost.exe.(Citation: F-Secure BlackEnergy 2014)

Turla

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.(Citation: ESET Turla Mosquito May 2018)(Citation: Github Rapid7 Meterpreter Elevate)

PS1

PS1 can inject its payload DLL Into memory.(Citation: BlackBerry CostaRicto November 2020)

Koadic

Koadic can perform process injection by using a reflective DLL.(Citation: Github Koadic)

RARSTONE

After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system.(Citation: Camba RARSTONE)

Cobalt Strike

Cobalt Strike has the ability to load DLLs via reflective injection.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

SDBbot

SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.(Citation: Proofpoint TA505 October 2019)

Metamorfo

Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).(Citation: Medium Metamorfo Apr 2020)

ComRAT

ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

Socksbot

Socksbot creates a suspended svchost process and injects its DLL into it.(Citation: TrendMicro Patchwork Dec 2017)

Bumblebee

The Bumblebee loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

Lizar

Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.(Citation: BiZone Lizar May 2021)

Malteiro

Malteiro has injected Mispadu’s DLL into a process.(Citation: SCILabs Malteiro 2021)

FunnyDream

The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the `VirtualAllocEx`, `WriteProcessMemory` and `CreateRemoteThread` APIs to load the DLL component.(Citation: Bitdefender FunnyDream Campaign November 2020)

Maze

Maze has injected the malware DLL into a target process.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)

Matryoshka

Matryoshka uses reflective DLL injection to inject the malicious library and