Last week's final release for CISA's "2021 Top Malware Strains" advisory looked at MOUSEISLAND.
For this week's TTP Tuesday, we're releasing Windows ABI themed TTPs. These TTPs are centered around process injection techniques. Though well known and signatured by most EDR products, these techniques are still commonly used to load malicious code into another process. We're demonstrating two process injection methods to help you test whether this activity can be observed, detected, or mitigated by the security controls in your environment.
Process injection via CreateRemoteThread TTP in Operator on each host in your environment.
This TTP will launch a notepad process and then inject shellcode into it. When the shellcode is executed, it will launch a new calc.exe process and crash notepad. This TTP will request a handle to the target process via OpenProcess, allocate a buffer within that target process's memory space using VirtualAllocEx, write the shellcode into the target process using WriteProcessMemory, and finally execute the injected shellcode via CreateRemoteThread.
Process injection can often be normal behavior of Windows applications, but it may be abused with malicious intent. At a minimum, it is essential to ensure your environment logs suspicious process injection events, such as into lsass.exe. Ideally, use Windows Defender or an EDR to detect and block suspicious process injection events.
User-mode asynchronous procedure calls (UserAPC) are another technique malware uses when attempting to inject into a process. The difference with this technique is that instead of creating a remote thread, we queue a user-mode procedure call that contains the shellcode address and a handle to a selected thread. While developing this TTP, Windows Defender did not detect this as malicious.
Process injection via UserAPC Queuing TTP in Operator on each host in your environment.
This TTP is similar to the Process injection via CreateRemoteThread TTP. The TTP will launch a notepad process and then run OpenThread to grab a handle to the thread. The thread will be put in a suspended state via SuspendThread. Next, the TTP will allocate memory in the process via VirtualAllocEx, and write shellcode to the process memory via WriteProcessMemory. The TTP then queues an asynchronous procedure call by passing the location of the shellcode and the thread's handle. Finally, ResumeThread is called, which should start calc.exe when the APC is executed.
Though these ABI calls may be used for non-malicious purposes, looking for this specific order of ABI calls against another process can help identify malicious behavior. Using an EDR product to alert on or block this behavior can also provide additional protection.
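As an added illustration of the ordering idea above (example code, not Prelude's or the TTPs' own), here is a small Python matcher that checks both call sequences from this post against constructed API-call telemetry. It assumes the APC chain's queuing call is QueueUserAPC, which the post names only as a technique.

```python
# Added detection example (not Prelude's code): flag the ordered Windows API
# call chains the two TTPs above perform against another process, over
# constructed telemetry lines of the form "<source pid> <api> <target pid>".
from collections import defaultdict

# Call chains described in the post. The APC chain's queuing call is assumed
# to be QueueUserAPC (the post names the technique, not the API).
CHAINS = {
    "CreateRemoteThread injection": ["OpenProcess", "VirtualAllocEx",
                                     "WriteProcessMemory", "CreateRemoteThread"],
    "UserAPC queuing injection": ["OpenThread", "SuspendThread", "VirtualAllocEx",
                                  "WriteProcessMemory", "QueueUserAPC", "ResumeThread"],
}

def find_injection_chains(telemetry):
    """Return [(source_pid, target_pid, chain_name)] for every cross-process
    call stream that contains a full chain in order (ordered-subsequence match)."""
    streams = defaultdict(list)  # (source pid, target pid) -> api names in order
    for line in telemetry.strip().splitlines():
        src, api, dst = line.split()
        if src != dst:  # a process acting on its own memory is routine
            streams[(int(src), int(dst))].append(api)
    hits = []
    for (src, dst), apis in streams.items():
        for name, chain in CHAINS.items():
            pos = 0
            for api in apis:
                if api == chain[pos]:
                    pos += 1
                    if pos == len(chain):
                        hits.append((src, dst, name))
                        break
    return hits

# Constructed sample: 4120 injects into 5588 (notepad) via a remote thread and
# queues an APC into 6001; 7000 only allocates in its own address space.
SAMPLE = """
4120 OpenProcess 5588
4120 VirtualAllocEx 5588
7000 VirtualAllocEx 7000
4120 WriteProcessMemory 5588
4120 CreateRemoteThread 5588
4120 OpenThread 6001
4120 SuspendThread 6001
4120 VirtualAllocEx 6001
4120 WriteProcessMemory 6001
4120 QueueUserAPC 6001
4120 ResumeThread 6001
"""
```

Interleaved unrelated calls between chain steps still match, since the check is an ordered subsequence rather than an exact run; a process touching only its own memory never produces a hit.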
Check out Process injection via UserAPC Queuing
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg