Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12
TECHNIQUES
PRE-ATT&CK
Priority Definition Planning
Priority Definition Direction
Target Selection
Technical Information Gathering
People Information Gathering
Organizational Information Gathering
Technical Weakness Identification
People Weakness Identification
Organizational Weakness Identification
Adversary OPSEC
Establish & Maintain Infrastructure
Persona Development
Build Capabilities
Test Capabilities
Stage Capabilities
Enterprise
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Credential Access
Brute Force
Credentials from Password Stores
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. Process Injection
  5. Dynamic-link Library Injection

Process Injection: Dynamic-link Library Injection

ID Name
T1055.001 Dynamic-link Library Injection
T1055.002 Portable Executable Injection
T1055.003 Thread Execution Hijacking
T1055.004 Asynchronous Procedure Call
T1055.005 Thread Local Storage
T1055.008 Ptrace System Calls
T1055.009 Proc Memory
T1055.011 Extra Window Memory Injection
T1055.012 Process Hollowing
T1055.013 Process Doppelgänging
T1055.014 VDSO Hijacking

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). [1]

Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).[2][1]

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

ID: T1055.001
Sub-technique of:  T1055
Tactics: Defense Evasion, Privilege Escalation
Platforms: Windows
Permissions Required: User
Data Sources: API monitoring, DLL monitoring, File monitoring, Process monitoring
Defense Bypassed: Anti-virus, Application control
Version: 1.0
Created: 14 January 2020
Last Modified: 20 June 2020

Procedure Examples

Name Description
Aria-body

Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.[34]
BlackEnergy

BlackEnergy injects its DLL component into svchost.exe.[7]
Carbon

Carbon has a command to inject code into a process.[26]
ComRAT

ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.[39]
Derusbi

Derusbi injects itself into the secure shell (SSH) process.[14]
Duqu

Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).[25]
Dyre

Dyre injects into other processes to load modules.[10]
Elise

Elise injects DLL files into iexplore.exe.[17][18]
Emissary

Emissary injects its DLL file into a newly spawned Internet Explorer process.[24]
Emotet

Emotet has been observed injecting in to Explorer.exe and other processes. [28][29][30]
FinFisher

FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.[15][16]
Get2

Get2 has the ability to inject DLLs into processes.[36]
HIDEDRV

HIDEDRV injects a DLL for Downdelph into the explorer.exe process.[23]
Kazuar

If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.[13]
Koadic

Koadic can perform process injection by using a reflective DLL.[3]
Lazarus Group

A Lazarus Group malware sample performs reflective DLL injection.[40]
Matroyshka

Matroyshka uses reflective DLL injection to inject the malicious library and execute the RAT.[27]
MAZE

MAZE has injected the malware DLL into a target process.[32]

Metamorfo

Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[33]
Netwalker

The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.[35]

PoisonIvy

PoisonIvy can inject a malicious DLL into a process.[8][9]
PowerSploit

PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.[5][6]
Pupy

Pupy can migrate into another process using reflective DLL injection.[4]
Putter Panda

An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).[43]
Ramsay

Ramsay can use ImprovedReflectiveDLLInjection to deploy components.[38]

RARSTONE

After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.[11]
RATANKBA

RATANKBA performs a reflective DLL injection using a given pid.[19][20]
Remsec

Remsec can perform DLL injection.[21]
SDBot

SDBot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[36]
Socksbot

Socksbot creates a suspended svchost process and injects its DLL into it.[22]
Sykipot

Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.[12]
TA505

TA505 has been seen injecting a DLL into winword.exe.[46]
TajMahal

TajMahal has the ability to inject DLLs for malicious plugins into running processes.[37]
Tropic Trooper

Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.[41][42]
Turla

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.[44][45]
ZxShell

ZxShell is injected into a shared SVCHOST process.[31]

Mitigations

Mitigation Description
Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Detection

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[1]

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

References

  1. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
  2. Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.
  3. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  4. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  5. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  6. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  7. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  8. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  9. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  10. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  11. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  12. Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
  13. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  14. Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.
  15. FinFisher. (n.d.). Retrieved December 20, 2017.
  16. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  17. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  18. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  19. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  20. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  21. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  22. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  23. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  1. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  2. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  3. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  4. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  5. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  6. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  7. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  8. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  9. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  10. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  11. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  12. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  13. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  14. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  15. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  16. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  17. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  18. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  19. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  20. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  21. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  22. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  23. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.