

Note: Process Injection comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques.

Why do adversaries use Process Injection?

Process Injection is a versatile technique that adversaries leverage to perform a wide range of malicious activity. It's so versatile that ATT&CK includes 12 sub-techniques of Process Injection. Adversaries perform process injection because it allows them to execute malicious activity by proxy through processes that either have information of value (e.g., lsass.exe) or that blend in with benign operating system activity. In addition to being stealthy, injected code inherits the privilege level of the process it is injected into and can gain access to parts of the operating system that shouldn't otherwise be available. Another benefit of process injection is that it allows payloads to be launched within the memory space of a running process without needing to drop any malicious code to disk.

That blending in with benign activity also undermines detection logic built around the original process. For example, you may be able to build a high-fidelity detection analytic that triggers any time PowerShell makes an external network connection. However, to avoid this method of detection, an adversary might inject code from their PowerShell process into a browser process. In doing so, they've taken a potentially suspicious behavior (PowerShell making an external network connection) and replaced it with a seemingly normal behavior (a browser making an external network connection). What was detectable based on process lineage and network connections before process injection now relies on a mix of command-line parameters and binary metadata, to name a couple of telemetry sources.

How do adversaries use Process Injection?

With 12 sub-techniques, there's no shortage of ways that an adversary can perform Process Injection. However, most of the injection behaviors we detect can be classified into just two categories:
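Returning to the PowerShell-into-browser example above, the following added example (not code from the report or from Red Canary) shows the telemetry shift concretely. It runs two toy analytics over constructed process events: one keyed on process identity plus network connection, and one keyed on PowerShell command-line parameters and binary metadata (the signer field). The event schema, the signer values, and the choice of PowerShell switches treated as suspicious are all assumptions made for the illustration; the switches themselves (-NoProfile, -WindowStyle Hidden, -EncodedCommand and their abbreviations) are real PowerShell options.

```python
"""Added example: how process injection shifts the telemetry a detection needs.

Constructed telemetry, not data from the report. Each record is a flattened
process event with one network flag; the field names are assumptions.
"""

# Constructed sample events: PowerShell makes the outbound connection itself.
EVENTS_BEFORE_INJECTION = [
    {"pid": 100, "image": "explorer.exe", "parent": None,
     "cmdline": "explorer.exe", "signer": "Microsoft Windows",
     "external_conn": False},
    {"pid": 200, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "signer": "Microsoft Windows", "external_conn": True},
]

# Constructed sample events: the same PowerShell has injected into a browser,
# so the browser, not PowerShell, now owns the outbound connection.
EVENTS_AFTER_INJECTION = [
    {"pid": 100, "image": "explorer.exe", "parent": None,
     "cmdline": "explorer.exe", "signer": "Microsoft Windows",
     "external_conn": False},
    {"pid": 200, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "signer": "Microsoft Windows", "external_conn": False},
    {"pid": 300, "image": "chrome.exe", "parent": "explorer.exe",
     "cmdline": "chrome.exe", "signer": "Google LLC",
     "external_conn": True},
]


def is_powershell(event):
    """Identify PowerShell by image name *and* binary metadata (signer),
    rather than by filename alone. The signer value is an assumed field."""
    return (event["image"].lower() == "powershell.exe"
            and event["signer"] == "Microsoft Windows")


def rule_powershell_external_conn(event):
    """Lineage/network analytic: PowerShell itself reaching out externally."""
    return is_powershell(event) and event["external_conn"]


def suspicious_arg_families(cmdline):
    """Return which PowerShell argument families appear on the command line.
    These switches are real PowerShell options; treating the combination as
    suspicious is this example's assumption, not a claim from the report."""
    toks = cmdline.lower().split()
    found = set()
    for i, tok in enumerate(toks):
        if tok in ("-enc", "-encodedcommand", "-ec"):
            found.add("encoded")
        elif tok in ("-nop", "-noprofile"):
            found.add("noprofile")
        elif (tok in ("-w", "-windowstyle") and i + 1 < len(toks)
              and toks[i + 1] == "hidden"):
            found.add("hidden")
    return found


def rule_powershell_cmdline(event, threshold=2):
    """Command-line analytic: PowerShell launched with two or more of the
    argument families above, regardless of which process makes the connection."""
    return (is_powershell(event)
            and len(suspicious_arg_families(event["cmdline"])) >= threshold)


RULES = {
    "powershell_external_conn": rule_powershell_external_conn,
    "powershell_cmdline": rule_powershell_cmdline,
}


def evaluate(events):
    """Run every rule over the events; return {rule_name: [pids that fired]}."""
    return {name: [ev["pid"] for ev in events if rule(ev)]
            for name, rule in RULES.items()}


if __name__ == "__main__":
    for label, events in (("before injection", EVENTS_BEFORE_INJECTION),
                          ("after injection", EVENTS_AFTER_INJECTION)):
        print(label, evaluate(events))
```

Before injection both analytics fire on the PowerShell process; after injection the network-based analytic is silent because the connection now belongs to the browser, while the command-line analytic still fires because the PowerShell process had to be launched with the same arguments regardless of where its payload ended up running.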
