Process Injection
One-liner: A defense evasion technique where attackers inject malicious code into legitimate running processes to execute stealthily and evade security controls.
What Is It?
Process injection (MITRE ATT&CK T1055) is a method used by adversaries to execute arbitrary code within the address space of a separate, legitimate process. By injecting code into trusted processes (like explorer.exe, svchost.exe), attackers can:
- Evade detection: security tools may whitelist the target process
- Bypass application whitelisting: code runs under a trusted process name
- Gain elevated privileges: inherit the permissions of the target process
- Maintain stealth: no separate malicious process is visible in Task Manager
How It Works
Common Injection Techniques
| Technique | Description | MITRE Sub-Technique |
|---|---|---|
| DLL Injection | Load malicious DLL into target process | T1055.001 |
| PE Injection | Inject entire executable into memory | T1055.002 |
| Thread Execution Hijacking | Hijack existing thread's execution | T1055.003 |
| Process Hollowing | Replace legitimate code with malicious code | T1055.012 |
| Thread Local Storage | Abuse TLS callbacks for code execution | T1055.005 |
| NTFS Transaction Hollowing | Use transacted file operations | T1055.013 |
Classic DLL Injection Flow
1. OpenProcess(): get a handle to the target process
2. VirtualAllocEx(): allocate memory in the target process
3. WriteProcessMemory(): write the malicious DLL path/code
4. CreateRemoteThread(): execute the code in the target process
Process Hollowing Flow
1. CreateProcess(): start a legitimate process (SUSPENDED)
2. NtUnmapViewOfSection(): hollow out the process image
3. VirtualAllocEx(): allocate space for the malicious code
4. WriteProcessMemory(): write the malicious executable
5. SetThreadContext(): point the entry point at the malicious code
6. ResumeThread(): execute the malicious payload
Detection & Prevention
How to Detect
| Data Source | Detection Method |
|---|---|
| Sysmon Event ID 8 | CreateRemoteThread: a process creates a thread in another process |
| Sysmon Event ID 10 | ProcessAccess: unusual process access requesting PROCESS_VM_WRITE |
| Sysmon Event ID 1 | Process creation with suspicious parent-child relationships |
| API Monitoring | Calls to VirtualAllocEx, WriteProcessMemory, CreateRemoteThread |
| Memory Analysis | Unbacked executable memory regions (no file on disk) |
KQL Example (from THM Threat Hunting Foothold)

```
# Hunt for CreateRemoteThread events
host.name: WKSTN-* AND winlog.event_id: 8
```
Suspicious Indicators
- Non-system processes creating threads in explorer.exe or svchost.exe
- Processes with unusual memory allocations (RWX permissions)
- User-mode process injecting into SYSTEM processes
- Processes loading DLLs from unusual locations (%TEMP%, %APPDATA%)
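The detection table and the indicators above can be turned into a small hunting rule over Sysmon Event ID 8 and 10 records. The Python below is an added example, not part of the original notes: it scores constructed winlogbeat-style events using the page's own signals (user-writable source paths, the common target processes, PROCESS_VM_WRITE in GrantedAccess, and a thread start address with no backing module). The allowlist of system processes is an assumption to be tuned per environment.

```python
import re

# Subset of Sysmon fields as shipped by winlogbeat (winlog.event_data.*).
# All events below are constructed for this example, not captured from a host.
SAMPLE_EVENTS = [
    {"event_id": 8, "SourceImage": r"C:\Users\alice\Downloads\chrome.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartModule": ""},
    {"event_id": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"event_id": 10, "SourceImage": r"C:\Users\alice\AppData\Roaming\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"event_id": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

# Targets taken from the "Common Target Processes" table on this page.
HIGH_VALUE_TARGETS = {"explorer.exe", "svchost.exe", "lsass.exe", "spoolsv.exe", "wuauclt.exe"}
# %TEMP%, %APPDATA% and Downloads: user-writable locations a binary should not inject from.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads)\\", re.IGNORECASE)
# Assumed allowlist of Windows components that legitimately touch other processes.
SYSTEM_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
PROCESS_VM_WRITE = 0x0020  # access right required for WriteProcessMemory


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of suspicious indicators that apply to one Sysmon event."""
    reasons = []
    src, tgt = ev["SourceImage"], ev["TargetImage"]
    if src.lower() in SYSTEM_ALLOWLIST:
        return reasons  # known Windows component doing normal cross-process work
    if USER_WRITABLE.search(src):
        reasons.append("source binary runs from a user-writable directory")
    if ev["event_id"] == 8 and basename(tgt) in HIGH_VALUE_TARGETS:
        reasons.append(f"CreateRemoteThread into {basename(tgt)}")
        if not ev.get("StartModule"):  # empty when the start address maps to no module
            reasons.append("thread start address is not backed by a loaded module")
    if ev["event_id"] == 10:
        granted = int(ev["GrantedAccess"], 16)
        if granted & PROCESS_VM_WRITE and basename(tgt) in HIGH_VALUE_TARGETS:
            reasons.append(f"PROCESS_VM_WRITE requested on {basename(tgt)}")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event with at least one indicator."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]
```

Only the Downloads-to-explorer.exe thread and the %APPDATA% binary opening lsass.exe with write access are flagged; csrss.exe and the read-only AV scan are not.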
How to Prevent / Mitigate
- Credential Guard: protects LSASS from injection
- Antivirus (AV) with behavior monitoring
- Windows Defender Attack Surface Reduction (ASR) rules
- Code Integrity policies: block unsigned DLLs
- Network segmentation: limit lateral movement post-injection
Common Target Processes
| Process | Why Targeted |
|---|---|
| explorer.exe | Always running, user context, network access |
| svchost.exe | Multiple instances, SYSTEM privileges |
| lsass.exe | Credential access (e.g., Mimikatz) |
| spoolsv.exe | Printer service, often overlooked |
| wuauclt.exe | Windows Update, trusted by default |
Interview Angles
Common Questions
- "What is process injection and why do attackers use it?"
- "How would you detect process injection in your environment?"
- "What's the difference between process hollowing and DLL injection?"
- "Which Sysmon events help detect process injection?"
STAR Story
Situation: EDR flagged unusual activity but couldn't identify the source; the malicious behavior appeared to come from explorer.exe.
Task: Investigate the alert and determine if it was a true positive.
Action: Used Sysmon Event ID 8 (CreateRemoteThread) to identify that a downloaded chrome.exe from C:\Users\...\Downloads had injected into explorer.exe. Correlated with Event ID 11 showing the file was downloaded via browser.
Result: Confirmed process injection attack. Isolated the endpoint, extracted the malicious binary for analysis, and created detection rule for CreateRemoteThread from user-writable directories.
Best Practices
- Enable Sysmon with configuration capturing Event IDs 8 and 10
- Monitor for unusual parent-child process relationships
- Alert on CreateRemoteThread from non-system processes
- Use memory forensics for advanced injection detection
- Implement behavioral detection alongside signature-based
Common Misconceptions
- "Only malware uses these APIs": legitimate software (debuggers, AV) also uses them; context matters
- "Process injection always leaves file artifacts": many techniques are fileless (memory-only)
- "Sysmon catches all injection": some advanced techniques evade standard Sysmon configs
Related Concepts
- Defense Evasion
- MITRE ATT&CK
- Sysmon
- Living off the Land (LOLBAS)
- Persistence (Cyber Security)
- Malware Analysis
- Threat Hunting
References
- MITRE ATT&CK T1055: https://attack.mitre.org/techniques/T1055/
- Elastic Detection Rules for Process Injection
- Red Canary Threat Detection Report