Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Process Injection:  Внедрение в пустой процесс

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017) This is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.

ID: T1055.012
Относится к технике:  T1055
Тактика(-и): Defense Evasion, Privilege Escalation
Платформы: Windows
Требуемые разрешения: User
Источники данных: Process: OS API Execution, Process: Process Access, Process: Process Creation, Process: Process Modification
Версия: 1.3
Дата создания: 14 Jan 2020
Последнее изменение: 12 Sep 2024

Примеры процедур

Название Описание
Gorgon Group

Gorgon Group malware can use process hollowing to inject one of its trojans into another process.(Citation: Unit 42 Gorgon Group Aug 2018)

IcedID

IcedID can inject a Cobalt Strike beacon into cmd.exe via process hallowing.(Citation: DFIR_Quantum_Ransomware)

Threat Group-3390

A Threat Group-3390 tool can spawn `svchost.exe` and inject the payload into that process.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)

RCSession

RCSession can launch itself from a hollowed svchost.exe process.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)

Denis

Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.(Citation: Cybereason Cobalt Kitty 2017)

Woody RAT

Woody RAT can create a suspended notepad process and write shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`.(Citation: MalwareBytes WoodyRAT Aug 2022)

Azorult

Azorult can decrypt the payload into memory, create a new suspended process of itself, then inject a decrypted payload to the new process and resume new process execution.(Citation: Unit42 Azorult Nov 2018)

Patchwork

A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.(Citation: Cymmetria Patchwork)

QakBot

QakBot can use process hollowing to execute its main payload.(Citation: ATT QakBot April 2021)

Cobalt Strike

Cobalt Strike can use process hollowing for execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)

Lokibot

Lokibot has used process hollowing to inject itself into legitimate Windows process.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021)

Snip3

Snip3 can use RunPE to execute malicious payloads within a hollowed Windows process.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)

Bandook

Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.(Citation: Lookout Dark Caracal Jan 2018)(Citation: EFF Manul Aug 2016)(Citation: CheckPoint Bandook Nov 2020)

Cobalt Strike

Cobalt Strike can use process hollowing for execution.(Citation: Cobalt Strike TTPs Dec 2017)

Raspberry Robin

Raspberry Robin will execute a legitimate process, then suspend it to inject code for a Tor client into the process, followed by resumption of the process to enable Tor client execution.(Citation: TrendMicro RaspberryRobin 2022)

Smoke Loader

Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Microsoft Dofoil 2018)

Astaroth

Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020)

Dtrack

Dtrack has used process hollowing shellcode to target a predefined list of processes from %SYSTEM32%.(Citation: Securelist Dtrack)

TA2541

TA2541 has used process hollowing to execute CyberGate malware.(Citation: Cisco Operation Layover September 2021)

WhisperGate

WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`.(Citation: Cisco Ukraine Wipers January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)

BADNEWS

BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)

Clambling

Clambling can execute binaries through process hollowing.(Citation: Trend Micro DRBControl February 2020)

Gootloader

Gootloader can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)