Last week we released 2 TTPs that used different techniques for process injection.
Perun's Fart? Fart in Swedish means speed and has nothing to do with another meaning that might immediately come to mind for most. The Perun's Fart unhooking technique spawns a new process in a suspended state and copies clean
ntdll into the process to run without an EDR intervening. This technique is about the race condition between a newly spawned process and a security product, such as an EDR, latching its hooks to intercept API calls of the process to determine if the process is malicious or benign.
API unhooking via Perun's Fart TTP in Operator on each host in your environment.
This TTP will launch a notepad process in a suspended state using
CreateProcessA and the
dwCreationFlags parameter set as
CREATE_SUSPENDED. The base address for ntdll.dll is obtained by inspecting the
Process Environment Block (PEB) of the suspended process.
VirtualAlloc is used to allocate memory for the clean copy of
Export Directory is obtained for both versions of
GetImageExportDirectory. Syscall stubs are extracted from NT functions from the clean
ntdll.dll (suspended notepad.exe process) and are copied to the currently running process. Now that
ntdll is unhooked, the suspended notepad process is terminated, and shellcode is executed in the current process to launch
calc.exe. Microsoft Defender, or any AV/EDR, may trigger immediately once this payload touches the disk.
This technique is hard to catch but logging process creation in a suspended state may give some visibility into when this occurs. Some EDRs may actively scan processes for artifacts related to unhooking techniques or for other malicious indicators.
Thread Hijacking is another technique used in process injection. The main difference in this technique is that a suspended thread instruction pointer is updated to the location of the shellcode, which causes the thread to execute the shellcode when it is resumed.
Process injection via Thread Hijacking TTP in Operator on each host in your environment.
This TTP will begin by starting
notepad.exe and allocating memory inside this newly created process. The TTP will then copy the shellcode into this allocated memory. Next, the TTP suspends a thread in the running process and creates a modified thread context which updates the instruction pointer address to the shellcode location. The TTP then assigns this modified context to the thread's current context. Finally, the TTP will resume the thread, resulting in the shellcode being executed.
Like all process injection techniques, identifying the difference between a legitimate and malicious process injection will depend on the injecting process, the order of these injection events, and the injected process. These three things should provide insight into the type of process injection and whether or not it was malicious. Some EDRs may actively scan processes for artifacts related to unhooking techniques or for other malicious indicators.
Process injection via Thread Hijacking.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg