Detecting Process Injection
In this post I will cover MITRE ATT&CK's Process Injection technique (T1055), some ways you can detect it, and how to prove the detection is actually working.
Process Injection
I will not go into too much detail on Process Injection here. If you want a deep dive, I recommend Endgame's blog post.
I will, however, give you a brief rundown. Process Injection is when a running process is made to execute code that was not originally part of that process's own instructions. This kind of thing is common on Windows and is not always indicative of a bad actor in your system; plenty of legitimate software injects into other processes. To help us determine whether a given instance of process injection is malicious or not, we will be using Sysmon.
Sysmon
If you are not familiar with Sysmon, it is a Sysinternals tool that monitors system activity and logs it to the Windows event log. It goes beyond the standard Windows logging, and for this particular case it records the creation of a thread in another process as Sysmon Event ID 8 (CreateRemoteThread), which is the classic footprint of one process injecting into another.
You can download the latest version of Sysmon from here.
To install Sysmon, run the following from an elevated prompt (add -accepteula if you want to skip the license dialog).
Sysmon.exe -i
Sysmon Configuration
For Sysmon to be useful, you need to configure it with rulesets; without a configuration it logs very little of what we care about. I will not go into great detail here on how to write one; instead, we will stand on giants' shoulders and "borrow" their work. In this case, that giant is Olaf Hartong. Olaf has done an incredible job creating rulesets for Sysmon. You can find his work here. The rule set we are going to use is the following.
<Sysmon schemaversion="4.1">
  <EventFiltering>
    <CreateRemoteThread onmatch="include">
      <StartFunction name="technique_id=T1055,technique_name=Process Injection" condition="contains">LoadLibrary</StartFunction>
      <TargetImage name="technique_id=T1055,technique_name=Process Injection" condition="is">C:\Windows\System32\rundll32.exe</TargetImage>
      <TargetImage name="technique_id=T1055,technique_name=Process Injection" condition="is">C:\Windows\System32\svchost.exe</TargetImage>
      <TargetImage name="technique_id=T1055,technique_name=Process Injection" condition="is">C:\Windows\System32\sysmon.exe</TargetImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
Note: The above ruleset uses schema version 4.1 and the name attribute on rules, so it requires Sysmon version 8 or above.
Looking at the rule set above, we can see that each rule has a condition that must be met before an event is created. The two we see here are condition="contains" and condition="is". Sysmon combines the rules inside an include block with OR by default (an explicit RuleGroup with groupRelation="and" is needed to require every field to match), so an Event ID 8 is written when the start function of the new thread contains LoadLibrary, or when the target image is exactly one of rundll32.exe, svchost.exe, or sysmon.exe. Any CreateRemoteThread that matches none of these is dropped, which keeps the noise from legitimate injection down. The name attribute tags each rule with the ATT&CK technique, and that string shows up in the RuleName field of the resulting event, which makes it easy to search for later.
Copy the config to a file and name it sysmon_config.xml. We can now load this config into Sysmon with the following command. Running Sysmon.exe -c with no arguments afterwards prints the currently loaded configuration, which is a quick way to confirm the rules were accepted.
Sysmon.exe -c sysmon_config.xml
Testing
Now that we have Sysmon installed and the config file loaded, we can test that things are working with a tool called injectAllTheThings. Now, I admit this tool is not for beginners. You will need to install Visual Studio and build it yourself; however, it is worth it.
Once you have injectAllTheThings built, we can test our Sysmon config and confirm that Process Injection is detected. To do this, run the following (the -t 1 technique uses CreateRemoteThread with LoadLibrary as the thread start routine, so it matches both the StartFunction and the TargetImage rules).
.\injectAllTheThings_64.exe -t 1 svchost.exe .\dllmain_64.dll
If everything went well, you should see a Sysmon Event ID 8 in the Windows event log under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, with injectAllTheThings_64.exe as the SourceImage, svchost.exe as the TargetImage, and the T1055 rule name attached.
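Clicking through Event Viewer works, but it is easier to prove the detection from a script. The following is an added example, not part of the original post or of Olaf's ruleset: it pulls recent Sysmon Event ID 8 records from the operational log with Get-WinEvent, flattens the EventData fields into objects, and checks for the specific event the injectAllTheThings test should have produced (assumed: the test was run as above, targeting svchost.exe; the log name and field names are the standard Sysmon ones). Run it from an elevated prompt, since the Sysmon operational log is only readable by administrators by default.

```powershell
# Added example (not from the original post): query Sysmon Event ID 8
# (CreateRemoteThread) and confirm the injectAllTheThings test was caught.
function Get-SysmonRemoteThread {
    param(
        [int]$MaxEvents = 50,
        [string]$LogName = 'Microsoft-Windows-Sysmon/Operational'
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No Event ID 8 records in $LogName. Is Sysmon installed and the config loaded (Sysmon.exe -c)?"
        return
    }
    $events | ForEach-Object {
        # Each Sysmon event carries its fields as <Data Name="...">value</Data>
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            RuleName      = $data['RuleName']       # "technique_id=T1055,..." from the config
            SourceImage   = $data['SourceImage']    # the injector
            TargetImage   = $data['TargetImage']    # the victim process
            StartFunction = $data['StartFunction']  # e.g. LoadLibraryA / LoadLibraryW
            StartModule   = $data['StartModule']
            StartAddress  = $data['StartAddress']
        }
    }
}

$hits = Get-SysmonRemoteThread
$hits | Format-Table -AutoSize

# The test command injects into svchost.exe with LoadLibrary as the thread
# start routine, so this is the record we expect from the ruleset above.
$testHit = $hits | Where-Object {
    $_.TargetImage   -like '*\svchost.exe' -and
    $_.StartFunction -like 'LoadLibrary*'  -and
    $_.SourceImage   -like '*injectAllTheThings*'
} | Select-Object -First 1

if ($testHit) {
    Write-Host "Detection confirmed:" -ForegroundColor Green
    $testHit | Format-List
} else {
    Write-Warning "No matching Event ID 8 for the injectAllTheThings test yet. Re-run the injection and check again."
}
```

If the table shows Event ID 8 records but none from injectAllTheThings, the config is loaded and working and the problem is on the test side (a 32-bit build against a 64-bit target, or the DLL path not being found). If the table is empty altogether, check the loaded configuration with Sysmon.exe -c before suspecting the tool.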