kras99 - stock.adobe.com
How to prevent and mitigate process injection
Process injection is a defense evasion technique that helps attackers hide from enterprise security systems. Learn how it works and how to mitigate it.
Process injection is a technique used to inject malicious code into running processes. Because it evades detection techniques, innocent processes run the malicious injected code, unknowingly infecting the systems. A type of arbitrary code execution, process injection enables attackers to infiltrate systems, access networks and resources, and potentially elevate their privileges.
Let's take a deeper look at how process injection fits into an attack, specific process injection techniques and how to prevent attacks that use process injection.
What is process injection?
Cyber attacks can generally be divided into two parts. First, attackers breach the perimeter of an organization. This includes techniques such as phishing, password guessing and exploiting out-of-date or vulnerable software. The second phase of an attack involves moving around a target's network to escalate privileges and steal or encrypt sensitive data.
During this second phase of an attack, threat actors often face enterprise detection and response systems. They must, therefore, employ an array of techniques, such as process injection, to avoid detection.
Process injection, as mentioned, is a defense evasion technique. Attackers use it to hide the execution of malware code within the address space of a legitimate process. Because it is hidden within a legitimate program, the malicious code is difficult to detect. Process injection relies on the privileges of the legitimate process or program the malicious code is injected into. These legitimate processes or programs are often allowlisted and thus face no further scrutiny. Process injections also evade detection by any antivirus, application control, or endpoint detection and response systems running on the network because the infected processes are viewed as legitimate.
Attackers commonly target processes that are legitimately needed by Windows and run on every system, such as svchost.exe, a shared service process, or rundll32.exe, a binary used to load dynamic-link libraries (DLLs). These processes typically have a higher privilege level than a normal user on a laptop, so attackers target them to gain complete control of the device. Sophisticated attacks may inject malicious code into multiple live processes to segment modules and further obfuscate themselves.
Process injection affects every OS, including Linux, Windows and macOS. Attacks can be broken down into a number of different subtechniques. The Mitre ATT&CK framework highlights the following process injection techniques:
- DLL injection
- portable execution injection
- thread execution hijacking
- ptrace system calls
- proc memory
- extra window memory injection
- process hollowing
- process doppelgänging
- virtual dynamic shared object hijacking
- listplanting
No matter the technique, the end results are the same: The system is compromised, the attack has not been detected and the victim organization cannot isolate the affected machine to prevent attackers from gaining further access to the network.
How to prevent or mitigate process injection
The key to mitigating process injection is prevention and detection during the first phase of an attack. Once attackers are at the second attack phase -- injecting processes with malicious code -- they have already gained access to the network. To prevent attackers from successfully breaching the network, use the following defenses:
- firewalls
- access control
- antimalware software
- SIEM tools
- intrusion prevention systems
Due to the nature and variety of process injection attacks, no one-size-fits-all prevention approach exists. Mitre suggests using endpoint security products that block common process injection behavior. Privileged access management can also limit which processes can be accessed and thus injected with code.
Once process injection has occurred, detection, containment and isolation of the threat are the priority. Although process injection is designed to evade detection, it creates a trail within system logs that can be detected by managed detection and response (MDR) tools and other security systems.
Process injection is just one technique attackers use to evade detection. Correlate event activity across your SIEM, MDR, and other tools and services to detect anomalies and other evidence of intrusion.