Last week we released 2 TTPs that used different techniques for process injection.
Perun's Fart? Fart in Swedish means speed and has nothing to do with another meaning that might immediately come to mind for most. The Perun's Fart unhooking technique spawns a new process in a suspended state and copies clean ntdll
into the process to run without an EDR intervening. This technique is about the race condition between a newly spawned process and a security product, such as an EDR, latching its hooks to intercept API calls of the process to determine if the process is malicious or benign.
Execute the API unhooking via Perun's Fart
TTP in Operator on each host in your environment.
This TTP will launch a notepad process in a suspended state using CreateProcessA
and the dwCreationFlags
parameter set as CREATE_SUSPENDED
. The base address for ntdll.dll is obtained by inspecting the Process Environment Block (PEB)
of the suspended process. VirtualAlloc
is used to allocate memory for the clean copy of ntdll.dll
. The Export Directory
is obtained for both versions of ntdll.dll
using GetImageExportDirectory
. Syscall stubs are extracted from NT functions from the clean ntdll.dll
(suspended notepad.exe process) and are copied to the currently running process. Now that ntdll
is unhooked, the suspended notepad process is terminated, and shellcode is executed in the current process to launch calc.exe
. Microsoft Defender, or any AV/EDR, may trigger immediately once this payload touches the disk.
This technique is hard to catch but logging process creation in a suspended state may give some visibility into when this occurs. Some EDRs may actively scan processes for artifacts related to unhooking techniques or for other malicious indicators.
Thread Hijacking is another technique used in process injection. The main difference in this technique is that a suspended thread instruction pointer is updated to the location of the shellcode, which causes the thread to execute the shellcode when it is resumed.
Execute the Process injection via Thread Hijacking
TTP in Operator on each host in your environment.
This TTP will begin by starting notepad.exe
and allocating memory inside this newly created process. The TTP will then copy the shellcode into this allocated memory. Next, the TTP suspends a thread in the running process and creates a modified thread context which updates the instruction pointer address to the shellcode location. The TTP then assigns this modified context to the thread's current context. Finally, the TTP will resume the thread, resulting in the shellcode being executed.
Like all process injection techniques, identifying the difference between a legitimate and malicious process injection will depend on the injecting process, the order of these injection events, and the injected process. These three things should provide insight into the type of process injection and whether or not it was malicious. Some EDRs may actively scan processes for artifacts related to unhooking techniques or for other malicious indicators.
Check out Process injection via Thread Hijacking
.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Bart: https://twitter.com/bartimusprimed
Waseem: https://twitter.com/gerbsec