ID | E1055 |
Objective(s) | Defense Evasion, Privilege Escalation |
Related ATT&CK Techniques | Process Injection (T1055, T1631) |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
Malware may execute code in the address space of a separate process.
See ATT&CK: Process Injection (T1055, T1631). Notes on ATT&CK's sub-techniques in the context of [1] are as follows:
ID | ATT&CK Sub-Technique | Notes |
---|---|---|
E1055.001 | Dynamic-link Library Injection | Malware writes the path of its malicious dynamic-link library (DLL) into the virtual address space of the target process (typically with VirtualAllocEx and WriteProcessMemory) and then creates a remote thread in that process using CreateRemoteThread (or NtCreateThreadEx, RtlCreateUserThread) whose start address is LoadLibrary and whose argument is the written path, so that the target process loads the DLL itself. This is one of the most common process injection methods. Called Classic DLL Injection via CreateRemoteThread and LoadLibrary in [1]. |
E1055.002 | Portable Executable Injection | Malware copies its malicious code (a complete PE image or shellcode) into an existing process and causes it to execute, for example by calling CreateRemoteThread with the address of the injected code as the thread start address (instead of the address of LoadLibrary). Because the image is copied rather than loaded, it lands at a different base address than it was built for, so the injector must fix up (relocate) its absolute addresses. Called Portable Executable Injection in [1]. |
E1055.003 | Thread Execution Hijacking | Malware targets an existing thread of a process, avoiding noisy process or thread creation operations: it suspends the thread, writes its code into the process, redirects the thread's instruction pointer to that code with SetThreadContext, and resumes the thread. Called Thread Execution Hijacking in [1]. |
E1055.004 | Asynchronous Procedure Call | Malware may leverage Asynchronous Procedure Calls (APC) to force another thread to execute its code by queuing it to the APC queue of the target thread (using QueueUserAPC / NtQueueApcThread); a user-mode APC only runs when the target thread enters an alertable state. AtomBombing [3] is a variant that stages the payload in the global atom table and uses APCs to execute it. Called APC Injection and AtomBombing in [1]. |
E1055.011 | Extra Window Memory Injection | Malware may inject into the extra window memory of Explorer's tray window (Shell_TrayWnd): it writes a pointer to its code into the window's extra bytes with SetWindowLong/SetWindowLongPtr and triggers execution by sending the window a message (e.g., SendNotifyMessage). Called Extra Window Memory Injection in [1]. |
E1055.012 | Process Hollowing | Instead of injecting code into a running program, malware creates a legitimate process in a suspended state, unmaps (hollows out) its legitimate image from memory, overwrites it with a malicious executable, and resumes the process. Called Process Hollowing in [1]. |
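The two thread-creating sub-techniques above (E1055.001 and E1055.002) leave a distinctive trace in endpoint telemetry: a handle to the target opened with write and create-thread rights, followed by a remote thread whose start address is either LoadLibrary* or memory that belongs to no loaded module. The following is an added example, not code from this page or from [1]: it triages constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess). The field names follow the Sysmon schema; the image paths, addresses, access masks and the dropper name are made up for illustration.

```python
# Added example (not from the MBC page or [1]): classify constructed Sysmon-style
# records for the cross-process thread creation described in E1055.001/.002.
# Assumption: field names mimic Sysmon Event 8 / Event 10; all paths and values
# in SAMPLE_EVENTS are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Process access rights an injector needs (winnt.h constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# VirtualAllocEx + WriteProcessMemory + CreateRemoteThread need all three.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class Finding:
    technique: str  # MBC identifier from the table above
    source: str
    target: str
    reason: str


def classify_event8(ev: Dict[str, object]) -> Optional[Finding]:
    """Event 8: a thread created in another process.

    E1055.001 shows the new thread starting at LoadLibrary* (the written DLL
    path is its argument); E1055.002 shows a start address that could not be
    attributed to any loaded module, i.e. code that was copied in.
    """
    if ev.get("EventID") != 8:
        return None
    src, dst = str(ev["SourceImage"]), str(ev["TargetImage"])
    func = str(ev.get("StartFunction") or "")
    module = str(ev.get("StartModule") or "")
    if func in LOADLIBRARY_EXPORTS:
        return Finding("E1055.001", src, dst, f"remote thread starts at {func}")
    if module in ("", "-"):
        return Finding("E1055.002", src, dst,
                       f"remote thread start {ev['StartAddress']} is not backed by a module")
    return None  # thread starts at a non-loader export of a known module


def classify_event10(ev: Dict[str, object]) -> Optional[Finding]:
    """Event 10: a handle opened to another process. Flag the write + create-thread
    combination an injector needs before any Event 8 appears."""
    if ev.get("EventID") != 10:
        return None
    src, dst = str(ev["SourceImage"]), str(ev["TargetImage"])
    if src.lower() == dst.lower():
        return None  # a process opening itself is not cross-process injection
    mask = int(str(ev["GrantedAccess"]), 16)  # Sysmon logs the mask as "0x1FFFFF"
    if mask & INJECT_MASK == INJECT_MASK:
        return Finding("E1055", src, dst, f"handle granted 0x{mask:X} (VM write + create thread)")
    return None


def triage(events: List[Dict[str, object]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        f = classify_event8(ev) or classify_event10(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: a dropper opens explorer.exe, injects a DLL via
# LoadLibraryA, then injects raw code into svchost.exe; the last two records
# are benign (limited-rights handle, module-backed thread start).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 10, "SourceImage": r"C:\Users\Public\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FFB1C2C7D50",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\dropper.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "StartAddress": "0x000002A4C1F00000",
     "StartModule": "", "StartFunction": ""},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FFB1D3A0B40",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.source} -> {f.target}: {f.reason}")
```

Two caveats for anyone adapting this. Reflective loaders (see the Netwalker entry below) fall into the E1055.002 branch, since the loaded module is never registered with the loader and the thread starts in unbacked memory. Thread execution hijacking (E1055.003) and APC injection (E1055.004) create no new thread at all, so they never produce an Event 8; for those, the handle rights in Event 10 (suspend/resume and thread-context rights) and memory scanning are the available signals.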
Methods not captured by ATT&CK Process Injection sub-techniques are listed below. Note that IAT hooking and inline hooking (aka userland rootkits) are defined as methods under the Hijack Execution Flow behavior.
Name | ID | Description |
---|---|---|
Hook Injection via SetWindowsHooksEx | E1055.m01 | Malware can leverage hooking functionality to have its malicious DLL loaded when an event is triggered in a specific thread; this is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain. [1]
Injection and Persistence via Registry Modification | E1055.m02 | Malware may insert the location of its malicious library under a registry key (e.g., AppInit_DLLs, AppCertDlls, Image File Execution Options (IFEO)) to have another process load its library. [1]
Injection via Windows Fibers | E1055.m05 | Malware executes shellcode via Windows fibers: it converts the current thread to a fiber (ConvertThreadToFiber), creates a fiber whose start routine is the shellcode (CreateFiber), and switches to it (SwitchToFiber). [5]
Injection using Shims | E1055.m03 | Malware may use shims to target an executable. Shims are a Microsoft-provided backward-compatibility mechanism for hooking APIs in specific executables, which lets developers apply program fixes without rewriting code; a malicious shim database uses the same mechanism to load malware code or redirect execution. [1]
Patch Process Command Line | E1055.m04 | Malware patches the PEB of a process (the CommandLine field of its RTL_USER_PROCESS_PARAMETERS), typically a child process created in a suspended state, so that tooling which reads the command line at process creation sees spoofed arguments.
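The registry locations named under E1055.m02 can be checked offline from a `reg export` dump. As a second added example (again not code from this page or from [1]), the following parses such a dump and reports the entries that cause another process to load a library or run a substitute binary. The dump is constructed: the DLL paths, the value name under AppCertDlls and the sethc.exe entry are made up for illustration; the key paths are the documented AppInit_DLLs, AppCertDlls and Image File Execution Options locations.

```python
# Added example (not from the MBC page or [1]): triage a constructed `reg export`
# dump for the E1055.m02 registry locations. SAMPLE_EXPORT and every path in it
# are made up; only the key paths are the documented Windows locations.
import re
from typing import Dict, List, Tuple

# Documented locations, compared case-insensitively as the registry does.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows".lower()
APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls".lower()
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\").lower()

Finding = Tuple[str, str, str, str]  # (MBC id, location, payload, note)


def decode_value(raw: str) -> object:
    """Decode the REG_SZ and REG_DWORD forms used in .reg files; other types
    (hex(2):..., hex(7):...) are returned as their raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] headers and "name"=value lines. Continuation lines of
    multi-line hex values are skipped; key paths and value names are lower-cased."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if m and current is not None:
            name = (m.group(1) or "@").lower()
            keys[current][name] = decode_value(m.group(2))
    return keys


def find_injection_entries(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    findings: List[Finding] = []
    win = keys.get(APPINIT_KEY, {})
    dlls = win.get("appinit_dlls", "")
    if isinstance(dlls, str) and dlls.strip():
        # AppInit_DLLs is only honoured when LoadAppInit_DLLs == 1 (and never
        # when Secure Boot is on), so report that state alongside the path.
        enabled = win.get("loadappinit_dlls") == 1
        findings.append(("E1055.m02", "AppInit_DLLs", dlls,
                         "LoadAppInit_DLLs=1" if enabled else "LoadAppInit_DLLs not set"))
    for name, val in keys.get(APPCERT_KEY, {}).items():
        if isinstance(val, str):  # every string value here is a DLL loaded into new processes
            findings.append(("E1055.m02", "AppCertDlls", val, f"value {name}"))
    for key, values in keys.items():
        if key.startswith(IFEO_PREFIX) and "debugger" in values:
            exe = key[len(IFEO_PREFIX):].split("\\")[0]
            findings.append(("E1055.m02", "IFEO Debugger", str(values["debugger"]), f"for {exe}"))
    return findings


# Constructed dump in `reg export` format (made-up paths).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\Public\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"x"="C:\\ProgramData\\cert.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
"""

if __name__ == "__main__":
    for mbc_id, where, payload, note in find_injection_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{mbc_id} {where:14} {payload} ({note})")
```

The parser is deliberately limited to the REG_SZ and REG_DWORD forms these three locations use; a dump taken from a live system will also contain multi-line `hex(...)` values, which are left as raw text rather than decoded.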
Name | Date | Method | Description |
---|---|---|---|
TrickBot | 2016 | -- | Trojan spyware program that has mainly been used for targeting banking sites. [11] |
Poison-Ivy | 2005 | -- | After the Poison-Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [2] |
WebCobra | 2018 | -- | Injects minor code into a running process. [12] |
CryptoWall | 2014 | -- | The malware injects code into a new svchost process. [6]
Hupigon | 2013 | E1055, E1055.012 | Please see the Hupigon malware page for details. [7] |
BlackEnergy | 2007 | E1055.m03 | Bypasses UAC using a Shim Database that instructs SndVol.exe to execute cmd.exe instead, allowing for elevated execution. [8]
Stuxnet | 2010 | E1055.001, E1055.m05 | Please see the Stuxnet malware page for details. [9] |
Netwalker | 2020 | E1055.001 | Netwalker uses reflective DLL loading to inject from memory [10] |
UP007 Malware Family | 2016 | -- | The malware loads multiple DLLs into memory [4] |
DNSChanger | 2011 | -- | Attach user process memory (This capa rule had 1 match) [13] |
Redhip | 2011 | E1055.003 | Inject thread (This capa rule had 1 match) [13] |
[1] Ashkan Hosseini, Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques, July 2017. https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
[2] https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy
[3] https://github.com/LordNoteworthy/al-khaser
[4] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[5] https://www.ired.team/offensive-security/code-injection-process-injection/executing-shellcode-with-createfiber
[6] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
[7] https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
[8] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[9] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[10] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
[11] https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html
[12] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[13] capa v4.0, analyzed at MITRE on 10/12/2022
[14] https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
[15] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf