Process injection via CreateRemoteThread

This TTP will launch a notepad process and then inject shellcode into it. When the shellcode is executed, it will launch a new calc.exe process and crash notepad.
This week, we are releasing 2 TTPs:
  • Process injection via CreateRemoteThread
  • Process injection via UserAPC Queue

Last week's final release for CISA's "2021 Top Malware Strains" advisory looked at MOUSEISLAND.

Process injection via CreateRemoteThread

For this week's TTP Tuesday, we're releasing Windows ABI themed TTPs. These TTPs are centered around process injection techniques. Though well-known and signatured in most EDR, these techniques are still commonly used to load malicious code into another process. We're demonstrating two process injection methods to help you test whether this activity can be observed, detected, or mitigated by security controls in your environment.

Testing

Execute the Process injection via CreateRemoteThread TTP in Operator on each host in your environment.

This TTP will launch a notepad process and then inject shellcode into it. When the shellcode is executed, it will launch a new calc.exe process and crash notepad. This TTP will request a handle to the target process via OpenProcess, allocate a buffer within that target process memory space usingVirtualAllocEx, write the shellcode into the target process using WriteProcessMemory, and finally, execute the injected shellcode via CreateRemoteThread.

Remediation

Process injection can often be normal behavior of Windows applications, but it may be abused with malicious intent. At a minimum, it is essential to ensure your environment logs suspicious process injection events, such as into lsass.exe. Ideally, use Windows Defender or an EDR to detect and block suspicious process injection events.

Process injection via UserAPC Queuing

User-mode asynchronous procedure calls (UserAPC) is another technique malware uses when attempting to inject into a process. The difference with this technique is that instead of creating a remote thread, we queue a user-mode procedure call that contains the shellcode address and a handle to a selected thread. While developing this TTP, Window's Defender did not detect this as malicious.

Testing

Execute the Process injection via UserAPC Queuing TTP in Operator on each host in your environment.

This TTP is similar to the Process injection via CreateRemoteThread TTP. The TTP will launch a notepad process and then run OpenThread to grab a handle to the thread. The thread will be put in a suspended state via SuspendThread. Next, the TTP will allocate memory in the process via VirtualAllocEx, and write shellcode to the process memory via WriteProcessMemory. The TTP then queues an asynchronous procedure call by passing the location of the shellcode and the thread's handle via QueueUserAPC. Finally, ResumeThread is called, which should start calc.exe when the APC is executed.

Remediation

Though these ABI calls may be used for non-malicious purposes, looking for this specific order of ABI calls can help identify malicious behavior. Using an EDR product to notify or deny this behavior can also provide additional protection.

Check out Process injection via UserAPC Queuing

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Octavia: https://twitter.com/VVX7

Bart: https://twitter.com/bartimusprimed

Waseem: https://twitter.com/gerbsec

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Process injection via CreateRemoteThread