Last week's final release for CISA's "2021 Top Malware Strains" advisory looked at MOUSEISLAND.
For this week's TTP Tuesday, we're releasing Windows API themed TTPs centered around process injection techniques. Though well known and signatured by most EDR products, these techniques are still commonly used to load malicious code into another process. We're demonstrating two process injection methods to help you test whether this activity can be observed, detected, or mitigated by the security controls in your environment.
Execute the Process injection via CreateRemoteThread TTP in Operator on each host in your environment.

This TTP launches a notepad process and then injects shellcode into it. When the shellcode executes, it launches a new calc.exe process and crashes notepad. The TTP requests a handle to the target process via OpenProcess, allocates a buffer inside the target's address space using VirtualAllocEx, writes the shellcode into that buffer using WriteProcessMemory, and finally executes the injected shellcode by calling CreateRemoteThread with the buffer's address as the thread start routine.
Cross-process memory writes are legitimate in some Windows software (debuggers, accessibility and input tools, some security products), so process injection cannot simply be blocked outright. At a minimum, make sure your environment logs cross-process handle and thread activity (for example, Sysmon's ProcessAccess and CreateRemoteThread events) and alerts on suspicious targets such as lsass.exe. Ideally, use Windows Defender or an EDR to detect and block suspicious process injection events.
User-mode asynchronous procedure calls (UserAPC) are another technique malware uses to inject into a process. Instead of creating a remote thread, the injector queues a user-mode APC containing the shellcode address onto a handle to an existing thread in the target; the APC runs in that thread's context the next time the thread enters an alertable state. Because no new thread is created, telemetry keyed on remote thread creation does not fire. While developing this TTP, Windows Defender did not detect this as malicious.
Execute the Process injection via UserAPC Queuing TTP in Operator on each host in your environment.

This TTP is similar to the Process injection via CreateRemoteThread TTP. It launches a notepad process and then calls OpenThread to grab a handle to one of its threads. The thread is put into a suspended state via SuspendThread. Next, the TTP allocates memory in the process via VirtualAllocEx and writes shellcode into it via WriteProcessMemory. The TTP then queues an asynchronous procedure call by passing the shellcode address and the thread handle to QueueUserAPC. Finally, ResumeThread is called; the APC, and with it calc.exe, runs the next time that thread enters an alertable wait, so execution can be delayed, or never happen at all if the chosen thread never waits alertably.
Though each of these API calls has legitimate uses, this specific sequence (a cross-process handle with write rights, a remote allocation and write, then a remote thread or a queued APC) is a strong indicator of injection. Using an EDR product to alert on or deny this behavior provides additional protection.
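Both the lsass.exe logging advice above and the API-sequence hunting idea can be put into practice with Sysmon, which records the OpenProcess step as a ProcessAccess event (ID 10, with the requested rights in `GrantedAccess`) and the CreateRemoteThread step as event ID 8. The QueueUserAPC path never creates a thread, so it leaves no event 8; its only Sysmon footprint is the event 10 handle with VM_OPERATION|VM_WRITE rights, which is why that check is the one that covers both TTPs. The script below is an added example written for this page, not Prelude's code. By default it runs offline against four constructed events (not real telemetry) shaped like the XML that `Get-WinEvent` returns; with `-Live` it reads the real channel, which assumes Sysmon is installed with a configuration that logs IDs 8 and 10 and that the shell is elevated. The function and parameter names are this example's own.

```powershell
param([switch]$Live, [int]$Hours = 1, [string[]]$SensitiveTargets = @('lsass.exe'))

# Constructed sample events (not real telemetry): the two TTPs as seen from powershell.exe,
# a benign query-only handle from svchost, and a credential-dump style read of lsass.
$sample = @(
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID><TimeCreated SystemTime="2022-09-20T14:01:02Z"/></System><EventData><Data Name="SourceImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data><Data Name="GrantedAccess">0x43A</Data></EventData></Event>',
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>8</EventID><TimeCreated SystemTime="2022-09-20T14:01:03Z"/></System><EventData><Data Name="SourceImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data><Data Name="StartAddress">0x000001F4C0A20000</Data><Data Name="StartModule"></Data><Data Name="StartFunction"></Data></EventData></Event>',
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID><TimeCreated SystemTime="2022-09-20T14:01:04Z"/></System><EventData><Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data><Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data><Data Name="GrantedAccess">0x1000</Data></EventData></Event>',
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID><TimeCreated SystemTime="2022-09-20T14:02:00Z"/></System><EventData><Data Name="SourceImage">C:\Users\Public\tool.exe</Data><Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data><Data Name="GrantedAccess">0x1010</Data></EventData></Event>'
)

function Get-InjectionFindings {
    param([string[]]$EventXml, [string[]]$Sensitive)
    $writeRights = 0x0008 -bor 0x0020      # PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    foreach ($raw in $EventXml) {
        $x = [xml]$raw
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        $id  = [int]$x.Event.System.EventID
        $src = Split-Path -Leaf $d.SourceImage
        $dst = Split-Path -Leaf $d.TargetImage
        $reason = $null
        if ($id -eq 8) {
            # Event 8 only exists for the CreateRemoteThread path. An empty StartModule means the
            # thread starts in memory backed by no image, i.e. an injected buffer; a resolved
            # LoadLibrary* start is the DLL-injection variant of the same technique.
            if (-not $d.StartModule) { $reason = "remote thread starting in unbacked memory at $($d.StartAddress)" }
            elseif ($d.StartFunction -like 'LoadLibrary*') { $reason = "remote thread starting at $($d.StartModule)!$($d.StartFunction)" }
            else { $reason = "remote thread starting at $($d.StartModule)!$($d.StartFunction)" }
        }
        elseif ($id -eq 10) {
            $granted = [int]$d.GrantedAccess     # PowerShell parses the '0x...' string as hex
            if ($Sensitive -contains $dst) {
                $reason = "handle to $dst with GrantedAccess $($d.GrantedAccess)"
            }
            elseif ((($granted -band $writeRights) -eq $writeRights) -and ($src -ne $dst)) {
                # The OpenProcess step shared by both TTPs; the only Sysmon record of the APC path.
                $reason = "VM_OPERATION|VM_WRITE handle to $dst (GrantedAccess $($d.GrantedAccess))"
            }
        }
        if ($reason) {
            [pscustomobject]@{
                Time = $x.Event.System.TimeCreated.SystemTime; EventId = $id
                Source = $src; Target = $dst; Reason = $reason
            }
        }
    }
}

$xml = if ($Live) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 8, 10
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction Stop |
        ForEach-Object { $_.ToXml() }
} else { $sample }

Get-InjectionFindings -EventXml $xml -Sensitive $SensitiveTargets | Format-Table -AutoSize
```

Against the constructed input the script flags three of the four events and ignores the svchost handle, whose 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) carries no write rights. In a live environment tune the `GrantedAccess` rule against your own baseline first: legitimate tools do open handles with write rights, so the value of the rule comes from pairing it with the source image and with a following event 8, not from the mask alone.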
Check out the Process injection via UserAPC Queuing TTP.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Bart: https://twitter.com/bartimusprimed
Waseem: https://twitter.com/gerbsec