Hunting for Process Injection and Proactive API Monitoring

Zer0rigin
5 min read, Feb 11, 2024

T1055.001 — Process Injection: Dynamic-link Library Injection

A common technique used by attackers is injecting malicious code into running processes. Process injection is listed as T1055 in the MITRE ATT&CK framework. The sub-technique emulated and detected below is T1055.001.

Task 1. Practice detecting process injection using Memhunter, minjector & Process Hacker 2

Here is a quick overview of Memhunter, the main toolset used for Task 1:

  • It is a standalone binary that is deployed as a Windows service.
  • It uses a set of memory inspection heuristics and ETW (Event Tracing for Windows) data collection to find footprints left by common injection techniques.
  • Forensic information about its findings is reported to the console or to the event log for forwarding.

For further information and reference check out Memhunter at the GitHub repository below.

https://github.com/marcosd4h/memhunter

This task has two parts. The first is DLL injection into Notepad. The second is detecting that injection.

Starting off, Process Hacker 2 and Notepad are run to determine the PID of Notepad. As a side note, Process Hacker 2 is not strictly required to obtain the PID; Task Manager could also be used to find Notepad’s PID.

Notepad PID 2808.

As seen above, the PID is 2808. This PID is the target for injecting a DLL into Notepad. Running cmd.exe as administrator and changing directories to the Memhunter tool folder, the following command is run to attempt the injection:

minjector.exe -m 1 -s c:\Users\Administrator\Desktop\Tools\memhunter\msimplepayload.dll -t 2808

Injection input and output showing the injection attempt was successful.
Here is the help option run to show the different options for minjector.exe: Injection Modes, Available Options, and a Usage Example. The -h option is always worth running when learning a new tool, and is useful for reference in general.

Further confirmation of the successful DLL injection comes from checking the Modules tab of Notepad in Process Hacker 2. Therefore one way of detecting process injection is simply to use Process Hacker to review a process’s modules and spot any abnormal module that should not be loaded.

An alternative to manual inspection is Memhunter. Below are screenshots of the tool and its options, followed by Memhunter being run and its results. The results show the detection of the suspicious module (msimplepayload.dll) in Notepad, demonstrating the successful emulation and detection of the process injection attack.

Memhunter -h showing the options and usage examples for better understanding of the tool.

Memhunter.exe -r input to scan for suspicious processes.
Output from Memhunter.exe -r showing the successful detection of the injected DLL (msimplepayload.dll).
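The Modules-tab review above can be automated. The following PowerShell function is an added example written for this post; it is not part of Memhunter or Process Hacker. It lists the DLLs loaded in a process and returns those whose path lies outside the Windows and Program Files trees (an assumed set of trusted roots), with their Authenticode status as a triage hint.

```powershell
# Added example, not from the post and not part of Memhunter or Process Hacker:
# automate the Modules-tab check from Task 1. Returns the loaded modules whose
# path is outside the trusted roots, with their signature status for triage.
# Run from a 64-bit, elevated PowerShell so other users' 64-bit processes can be read.
function Get-UntrustedModule {
    param([Parameter(Mandatory)] [int] $ProcessId)

    # Assumption: these roots hold the legitimately loaded DLLs on this host.
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') + '\' }

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    foreach ($module in $proc.Modules) {
        $path = $module.FileName
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
                break
            }
        }
        if ($trusted) { continue }

        # Catalog-signed Windows files can report NotSigned here, so the status
        # is a hint for the analyst rather than a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'Unknown' }
        [pscustomobject]@{
            ProcessName     = $proc.ProcessName
            ProcessId       = $proc.Id
            Module          = $module.ModuleName
            Path            = $path
            SignatureStatus = $status
        }
    }
}

# Task 1 check: PID 2808 is the Notepad PID from the post. msimplepayload.dll,
# loaded from a Desktop\Tools folder, is the module this should surface.
Get-UntrustedModule -ProcessId 2808 | Format-Table -AutoSize
```

Like the Modules tab itself, this only sees DLLs registered with the Windows loader, so the reflectively loaded DLL used in Task 2 would not appear here; that case needs memory heuristics (Memhunter) or API monitoring (Task 2).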

Task 2. Practice detecting process injection through proactive API monitoring

ARGHHHHH, matey!

According to the Captain GitHub: “Captain is an endpoint monitoring tool that aims at spotting malicious events through API hooking, improving the process of threat hunting analysis. When a new process is created, Captain will inject a dll into it hooking some Windows API functions.”

Detection capabilities

Captain is capable of detecting:

  • Code injection
  • Memory dump
  • Fileless malware
  • Macro execution
  • wmic and mshta malware
  • etc

For further information and reference check out Captain at the GitHub repository below.

https://github.com/y3n11/Captain

Begin by launching PowerShell and then running the command powershell -ep bypass so there are no issues when attempting the following activities. This starts a new PowerShell session whose execution policy is set to Bypass, which allows scripts to run; the relaxed policy applies only to that process, not to the machine. As a result the scripts are not blocked and no warnings or prompts appear.

PowerShell -ep bypass, which allows the scripts to run without being blocked or producing warnings.

Change directories to the folder holding the toolset that will be used (Captain) and run the script Monitor.ps1. The script now monitors for newly spawned processes via WMI (Windows Management Instrumentation).

Monitor.ps1 script, which monitors newly spawned processes via WMI.

Here comes the fun part! In the command prompt, under the Memhunter directory, minjector.exe is again used for injection. Just as in Task 1, Process Hacker 2 is used to grab Notepad’s PID (2652). Then the following command is run:

minjector.exe -m 5 -s c:\Users\Administrator\Desktop\Tools\Memhunter\reflective_dll.x64.dll -t 2652

The results shown below indicate the attack was successful and was detected by the Monitor.ps1 script.

Command input and output showing successful injection.

Lastly, navigate to the reporting directory at C:\ProgramData\Captain\Reporting, which holds the events recorded by the Monitor.ps1 script. Searching for the word “Create” shows the process creation inside Notepad caused by the reflective DLL injection.

Had the Monitor.ps1 script been used in Task 1, searching the reporting document for the function CreateRemoteThread would have helped find the msimplepayload.dll injection. As shown below, the MITRE ATT&CK framework lists that function as one of the API calls to look for as an indication of DLL process injection, which further illustrates how useful the MITRE ATT&CK framework is as a reference when threat hunting.
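The process-creation monitoring that Monitor.ps1 performs via WMI can be reproduced in a few lines. The script below is an added example written for this post, not Captain’s Monitor.ps1: it subscribes to WMI process-start events, logs each new process with its parent, and marks children of ordinary user applications such as Notepad, which rarely spawn processes on their own. The log path, watch list and subscription name are assumptions.

```powershell
# Added example, not from the post and not Captain's Monitor.ps1: subscribe to
# WMI process-start events and append one line per new process to a log,
# marking children of watched parents. Run elevated; Win32_ProcessStartTrace
# requires it. Assumptions: log path, watch list and the ProcWatch identifier.
$settings = @{
    LogPath        = Join-Path $env:TEMP 'procwatch.log'
    # Ordinary user apps that rarely spawn children; a child of one is worth a
    # look (an injected Notepad launching something is the Task 2 scenario).
    WatchedParents = @('notepad.exe', 'winword.exe', 'excel.exe')
}

Register-CimIndicationEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
    -SourceIdentifier 'ProcWatch' -MessageData $settings -Action {
    $cfg = $Event.MessageData
    $e   = $Event.SourceEventArgs.NewEvent
    # Resolve the parent's name while it is (most likely) still running.
    $parent = Get-Process -Id $e.ParentProcessID -ErrorAction SilentlyContinue
    $parentName = if ($parent) { "$($parent.ProcessName).exe" } else { 'unknown' }
    $flag = if ($cfg.WatchedParents -contains $parentName) { 'ALERT' } else { 'info' }
    $fields = @(
        (Get-Date), $flag, $e.ProcessID, $e.ProcessName, $e.ParentProcessID, $parentName
    )
    $line = '{0:o} {1} pid={2} name={3} ppid={4} parent={5}' -f $fields
    Add-Content -Path $cfg.LogPath -Value $line
}

# Later: review the log for flagged entries, then tear the subscription down.
# Get-Content (Join-Path $env:TEMP 'procwatch.log') | Select-String 'ALERT'
# Unregister-Event -SourceIdentifier 'ProcWatch'
```

This only records process creation; the API-level visibility of CreateRemoteThread and similar calls that Captain provides comes from its in-process hooks, which this subscription does not replace.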

MITRE is a great reference for what to look for and where.



Written by Zer0rigin

SOC Incident Response Analyst. Adamant about privacy and security. Fascinated by technology ever since a Super Nintendo controller graced my hand.
