T1055.002 Portable Executable Injection
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. 1
Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.
| Item | Value |
|---|---|
| ID | T1055.002 |
| Sub-techniques | T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1055.015 |
| Tactics | TA0005, TA0004 |
| Platforms | Windows |
| Permissions required | User |
| Version | 1.1 |
| Created | 14 January 2020 |
| Last Modified | 18 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0030 | Carbanak | Carbanak downloads an executable and injects it directly into a new process.2 |
| G0078 | Gorgon Group | Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process.7 |
| S0342 | GreyEnergy | GreyEnergy has a module to inject a PE binary into a remote process.4 |
| S0260 | InvisiMole | InvisiMole can inject its backdoor as a portable executable into a target process.5 |
| S0681 | Lizar | Lizar can execute PE files in the address space of the specified process.3 |
| G0106 | Rocke | Rocke‘s miner, “TermsHost.exe”, evaded defenses by injecting itself into Windows processes, including Notepad.exe.8 |
| S0330 | Zeus Panda | Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0009 | Process | OS API Execution |
References
-
Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017. ↩
-
Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. ↩
-
BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. ↩
-
Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. ↩
-
Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. ↩
-
Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. ↩
-
Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. ↩
-
Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. ↩