Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Асинхронный вызов процедур
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Асинхронный вызов процедур
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Process Injection:  Асинхронный вызов процедур

ID Название
.001 Внедрение DLL-библиотек
.002 Внедрение PE-образа
.003 Перехват выполнения потока
.004 Асинхронный вызов процедур
.005 Локальная память потока
.008 Системные вызовы ptrace
.009 Внедрение через файловую систему /proc
.011 Внедрение в дополнительную память окна (EWM)
.012 Внедрение в пустой процесс
.013 Process Doppelgänging
.014 Перехват виртуального динамического общего объекта (VDSO)
.015 Внедрение списков

Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.

ID: T1055.004
Относится к технике:  T1055
Тактика(-и): Defense Evasion, Privilege Escalation
Платформы: Windows
Источники данных: Process: OS API Execution, Process: Process Access, Process: Process Modification
Версия: 1.1
Дата создания: 14 Jan 2020
Последнее изменение: 18 Oct 2021

Примеры процедур
Название Описание
TURNEDUP

TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection."(Citation: CyberBit Early Bird Apr 2018)
Pillowmint

Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe.(Citation: Trustwave Pillowmint June 2020)
InvisiMole

InvisiMole can inject its code into a trusted process via the APC queue.(Citation: ESET InvisiMole June 2020)
Bumblebee

Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2.(Citation: Proofpoint Bumblebee April 2022)
Saint Bot

Saint Bot has written its payload into a newly-created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`.(Citation: Malwarebytes Saint Bot April 2021)
Carberp

Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.(Citation: Prevx Carberp March 2011)
IcedID

IcedID has used ZwQueueApcThread to inject itself into remote processes.(Citation: IBM IcedID November 2017)
FIN8

FIN8 has injected malicious code into a new svchost.exe process.(Citation: Bitdefender FIN8 July 2021)
Attor

Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API.(Citation: ESET Attor Oct 2019)

Контрмеры
Контрмера Описание
Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Обнаружение

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017) Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

Ссылки

  1. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
  2. Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017.
  3. Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE INJECTION FOR WINDOWS. Retrieved December 8, 2017.
  4. Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018.
  5. Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December 8, 2017.
  6. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  7. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  8. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  9. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  10. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  11. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  12. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  13. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
Навигация

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.