Process Injection: Process Hollowing
Other sub-techniques of Process Injection (12)
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
Process hollowing is commonly performed by creating a process in a suspended state, then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the process's primary thread. At this point the process can be unmapped using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)
This is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges, since the injected process was spawned from (and thus inherits the security context of) the injecting process. However, execution via process hollowing may also evade detection by security products, since the execution is masked under a legitimate process.
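The API sequence described above is also the pattern a defender can correlate on: a process created with the suspend flag, then written to, given a new thread context, and resumed by the same parent. The following is an added example, not part of this ATT&CK page, that runs a small stateful rule over a constructed API-call trace. The trace format, its field names and the PIDs are assumptions made for the example; the CREATE_SUSPENDED value 0x4 is the documented Win32 creation flag. Suspended creation alone is not flagged, because debuggers, installers and job-object setups do that legitimately; the rule requires the write, context change and resume against the same target.

```python
import re
from collections import OrderedDict

# Documented Win32 CreateProcess creation flag (dwCreationFlags).
CREATE_SUSPENDED = 0x00000004

# Constructed sample trace for this example (not real sensor output).
# Assumed format: <seq> <source_pid> <api> target=<pid> [flags=0x...]
SAMPLE_TRACE = """\
1 4100 CreateProcessW target=5200 flags=0x00000004
2 4100 NtUnmapViewOfSection target=5200
3 4100 VirtualAllocEx target=5200
4 4100 WriteProcessMemory target=5200
5 4100 SetThreadContext target=5200
6 4100 ResumeThread target=5200
7 6000 CreateProcessW target=6100 flags=0x00000000
8 6000 WriteProcessMemory target=6100
9 7000 CreateProcessW target=7100 flags=0x00000004
10 7000 ResumeThread target=7100
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<src>\d+)\s+(?P<api>\w+)\s+target=(?P<target>\d+)"
    r"(?:\s+flags=(?P<flags>0x[0-9a-fA-F]+))?\s*$"
)

# Map each API (Win32 and the Nt/Zw/Wow64 variants named on the page) to a
# stage of the hollowing sequence.
API_STAGE = {
    "CreateProcessA": "create", "CreateProcessW": "create",
    "NtUnmapViewOfSection": "unmap", "ZwUnmapViewOfSection": "unmap",
    "VirtualAllocEx": "alloc", "NtAllocateVirtualMemory": "alloc",
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "SetThreadContext": "set_context", "Wow64SetThreadContext": "set_context",
    "NtSetContextThread": "set_context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}


def parse_trace(trace):
    """Parse the constructed trace format into event dicts, in sequence order."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        events.append({
            "seq": int(m.group("seq")),
            "src": int(m.group("src")),
            "api": m.group("api"),
            "target": int(m.group("target")),
            "flags": int(m.group("flags"), 16) if m.group("flags") else 0,
        })
    return sorted(events, key=lambda e: e["seq"])


def detect_hollowing(trace):
    """Return one finding per target PID that matches the hollowing sequence."""
    per_target = OrderedDict()
    for ev in parse_trace(trace):
        stage = API_STAGE.get(ev["api"])
        if stage is None:
            continue
        t = per_target.setdefault(
            ev["target"], {"source": ev["src"], "stages": [], "suspended": False}
        )
        if stage == "create":
            t["suspended"] = bool(ev["flags"] & CREATE_SUSPENDED)
            t["stages"].append("create_suspended" if t["suspended"] else "create")
        else:
            t["stages"].append(stage)

    findings = []
    for pid, t in per_target.items():
        stages = t["stages"]
        if not t["suspended"] or not {"write", "set_context", "resume"} <= set(stages):
            continue
        # The resume must come after the write and the context change; otherwise
        # the order does not describe replacing the image before execution.
        resume_at = len(stages) - 1 - stages[::-1].index("resume")
        if resume_at < stages.index("write") or resume_at < stages.index("set_context"):
            continue
        findings.append({
            "target_pid": pid,
            "source_pid": t["source"],
            "stages": stages,
            # An explicit unmap of the original image raises confidence; some
            # loaders skip it and simply overwrite the mapped sections.
            "confidence": "high" if "unmap" in stages else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"pid {f['target_pid']} hollowed by pid {f['source_pid']} "
              f"({f['confidence']}): {' -> '.join(f['stages'])}")
```

In the sample trace only PID 5200 is reported: PID 6100 was written to but never created suspended or re-contexted, and PID 7100 was created suspended and resumed without any write, which is what a debugger or job-object assignment looks like. On a real sensor the same rule would key on the target's process handle rather than a PID and should be checked against an allow-list of debuggers and installers before alerting.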
Procedure Examples

| Name | Description |
|---|---|
| Gorgon Group | Gorgon Group malware can use process hollowing to inject one of its trojans into another process.(Citation: Unit 42 Gorgon Group Aug 2018) |
| IcedID | IcedID can inject a Cobalt Strike beacon into cmd.exe via process hollowing.(Citation: DFIR_Quantum_Ransomware) |
| Threat Group-3390 | A Threat Group-3390 tool can spawn `svchost.exe` and inject the payload into that process.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018) |
| RCSession | RCSession can launch itself from a hollowed svchost.exe process.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020) |
| Denis | Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.(Citation: Cybereason Cobalt Kitty 2017) |
| Woody RAT | Woody RAT can create a suspended notepad process and write shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`.(Citation: MalwareBytes WoodyRAT Aug 2022) |
| Azorult | Azorult can decrypt the payload into memory, create a new suspended process of itself, inject the decrypted payload into the new process, and then resume the new process.(Citation: Unit42 Azorult Nov 2018) |
| Patchwork | A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.(Citation: Cymmetria Patchwork) |
| QakBot | QakBot can use process hollowing to execute its main payload.(Citation: ATT QakBot April 2021) |
| Cobalt Strike | Cobalt Strike can use process hollowing for execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020) |
| Lokibot | Lokibot has used process hollowing to inject itself into a legitimate Windows process.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021) |
| Snip3 | Snip3 can use RunPE to execute malicious payloads within a hollowed Windows process.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021) |
| Bandook | Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.(Citation: Lookout Dark Caracal Jan 2018)(Citation: EFF Manul Aug 2016)(Citation: CheckPoint Bandook Nov 2020) |
| Cobalt Strike | Cobalt Strike can use process hollowing for execution.(Citation: Cobalt Strike TTPs Dec 2017) |
| Raspberry Robin | Raspberry Robin will execute a legitimate process, then suspend it to inject code for a Tor client into the process, followed by resumption of the process to enable Tor client execution.(Citation: TrendMicro RaspberryRobin 2022) |
| Smoke Loader | Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Microsoft Dofoil 2018) |
| Astaroth | Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020) |
| Dtrack | Dtrack has used process hollowing shellcode to target a predefined list of processes from |
| TA2541 | TA2541 has used process hollowing to execute CyberGate malware.(Citation: Cisco Operation Layover September 2021) |
| WhisperGate | WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`.(Citation: Cisco Ukraine Wipers January 2022)(Citation: RecordedFuture WhisperGate Jan 2022) |
| BADNEWS | BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017) |
| Clambling | Clambling can execute binaries through process hollowing.(Citation: Trend Micro DRBControl February 2020) |
| Gootloader | Gootloader can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021) |