MITRE ATT&CK spotlight: Process injection

Introduction

It is no longer a surprise to discover that attackers have changed their attack methodologies and continue to improve the sophistication of their Tactics, Techniques and Procedures (“TTPs”) in a bid to compromise their targets. This is because organizations are continuously implementing security controls and leveraging advisories from both proprietary and community-driven bodies to improve their security posture.

One of these community-driven efforts is the MITRE ATT&CK Framework, which provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK in MITRE ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge.

In the following sections, we will take a look at process injections: what they are, how attackers leverage process injections in compromising their targets, some of the tools attackers (including ethical hackers) leverage to perform process injections and some countermeasures to detect and prevent process injections.

However, it is important to note that the techniques identified in the matrix can be carried out in various ways. As we have seen over the years, attackers are becoming more sophisticated in their approach; hence, blocking one form of a technique does not mean your environment is no longer vulnerable to that technique.

Process injection

This technique involves injecting malicious code into another running, legitimate process so that the process executes it on the attacker’s behalf, reducing suspicion and evading detection. The malicious code then runs using the host process’s memory, resources and elevated privileges. Because it executes under a valid process, it can also evade security solutions such as host-based firewalls, antivirus, EDRs and so on.
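As an added example that is not part of the original post, the following Python script applies a few common detection heuristics to constructed Sysmon Event ID 8 (CreateRemoteThread) records: a remote thread whose start address is not backed by any loaded module, a thread that begins at LoadLibrary, or a source process running from a user-writable path. The field names follow Sysmon's; the sample records, the allow-list and the heuristics themselves are assumptions for illustration.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for process-injection
indicators. Added example, not from the original post; the records below are
constructed and the heuristics are illustrative, not a complete detection."""
from dataclasses import dataclass


@dataclass
class RemoteThreadEvent:
    source_image: str     # process that created the remote thread
    target_image: str     # process the thread was created in
    start_module: str     # module backing the start address ("" if unbacked)
    start_function: str   # exported function at the start address, if any


# Constructed sample records modelled on Sysmon Event ID 8 fields.
SAMPLE_EVENTS = [
    # Benign: csrss.exe starting a console control thread is normal Windows behaviour.
    RemoteThreadEvent(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\cmd.exe",
                      r"C:\Windows\System32\KERNEL32.DLL", "CtrlRoutine"),
    # Suspicious: thread in explorer.exe whose start address has no backing module.
    RemoteThreadEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                      r"C:\Windows\explorer.exe", "", ""),
    # Suspicious: remote thread starting at LoadLibraryA, the classic DLL-injection shape.
    RemoteThreadEvent(r"C:\Users\alice\Downloads\tool.exe", r"C:\Windows\System32\notepad.exe",
                      r"C:\Windows\System32\KERNEL32.DLL", "LoadLibraryA"),
]

# OS components that legitimately create threads in other processes (assumed allow-list).
KNOWN_REMOTE_THREAD_CREATORS = {r"c:\windows\system32\csrss.exe",
                                r"c:\windows\system32\wininit.exe",
                                r"c:\windows\system32\services.exe"}


def reasons_for(ev: RemoteThreadEvent) -> list[str]:
    """Return the heuristic reasons an event looks like injection (empty if none)."""
    reasons: list[str] = []
    if ev.source_image.lower() == ev.target_image.lower():
        return reasons  # not cross-process; out of scope for this check
    if ev.source_image.lower() in KNOWN_REMOTE_THREAD_CREATORS:
        return reasons  # allow-listed OS component
    if not ev.start_module:
        reasons.append("thread start address not backed by any loaded module")
    if ev.start_function.lower() in {"loadlibrarya", "loadlibraryw"}:
        reasons.append("remote thread starts at LoadLibrary (DLL injection pattern)")
    if "\\users\\" in ev.source_image.lower():
        reasons.append("source process runs from a user-writable path")
    return reasons


def triage(events: list[RemoteThreadEvent]) -> list[tuple[str, list[str]]]:
    """Return (target_image, reasons) for every event that trips at least one heuristic."""
    return [(ev.target_image, r) for ev in events if (r := reasons_for(ev))]
```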

Nowadays, attackers and malware use various methods to perform process injection. The following describes some of these techniques.

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Mosimilolu Odusanya. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/4lLsVRbpgFI/