Process Injection: Malware Lurking in the Shadows of Legitimate Programs (Part 2)
In part 1 of this series, we delved into a basic understanding of what process injection is and the different mechanisms by which it can be carried out. If you missed that post, you can find it here.
So what do we do about it? How do we detect this kind of activity in an environment and, more importantly, how do we stop it?
Characterizing/detecting process injection
So you found the process...
What if a suspicious network callout isn't happening?
- API system calls such as CreateRemoteThread() (referenced in Part 1)
- Anomalous process behavior (processes like explorer.exe or svchost.exe establishing outbound network connections, or other processes using ports they wouldn't normally use)
- Lack of or unusual command-line arguments
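The three indicators above can be turned into a small detection pass over endpoint telemetry. The Python below is an added example, not code from the original post or any of the linked vendors: it runs three checks (a remote-thread check, a network-baseline check and a command-line check) over a handful of constructed Sysmon-style records (Event ID 8 CreateRemoteThread, Event ID 3 NetworkConnect, Event ID 1 ProcessCreate). The event values, the allow-list of legitimate remote-thread sources and the "expected ports" and "expected arguments" baselines are all assumptions made up for illustration; a real deployment would derive those baselines from the environment being monitored.

```python
"""Toy process-injection indicator checks over constructed Sysmon-style events.

Added example, not from the original post. Every event below and every
baseline value is constructed for illustration only.
"""
import os
from typing import Callable, Dict, Iterable, List, Optional

Event = Dict[str, object]

# Constructed events, loosely modelled on Sysmon fields (assumption: Event ID 1 =
# ProcessCreate, 3 = NetworkConnect, 8 = CreateRemoteThread).
EVENTS: List[Event] = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe"},            # no -k group at all
    {"id": 8, "source": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "target": r"C:\Windows\explorer.exe"},                     # thread from Temp into explorer
    {"id": 8, "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\svchost.exe"},             # allow-listed source
    {"id": 3, "image": r"C:\Windows\explorer.exe", "dst_port": 443},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst_port": 443},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst_port": 4444},
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe", "dst_port": 443},
]

# Constructed baselines (assumptions, not measured from any real environment).
NO_OUTBOUND = {"explorer.exe"}                      # never expected to call out
EXPECTED_PORTS = {"svchost.exe": {53, 80, 135, 443, 445}}
REQUIRED_ARG = {"svchost.exe": "-k"}                # argument a normal launch carries
REMOTE_THREAD_ALLOW = {"csrss.exe"}                 # legitimate remote-thread creators


def basename(path: str) -> str:
    """Compare on the image file name, case-insensitively, regardless of host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def check_remote_thread(ev: Event) -> Optional[str]:
    """Flag a thread created in another process unless the source is allow-listed."""
    src, dst = basename(str(ev["source"])), basename(str(ev["target"]))
    if src == dst or src in REMOTE_THREAD_ALLOW:
        return None
    return f"CreateRemoteThread from {src} into {dst}"


def check_network(ev: Event) -> Optional[str]:
    """Flag outbound traffic from a process that should not talk, or on an odd port."""
    img, port = basename(str(ev["image"])), int(str(ev["dst_port"]))
    if img in NO_OUTBOUND:
        return f"{img} initiated an outbound connection to port {port}"
    expected = EXPECTED_PORTS.get(img)
    if expected is not None and port not in expected:
        return f"{img} connected to unexpected port {port}"
    return None   # processes with no baseline are not judged here


def check_cmdline(ev: Event) -> Optional[str]:
    """Flag a process launched without the argument its normal launches carry."""
    image, cmd = str(ev["image"]), str(ev["cmdline"])
    img = basename(image)
    required = REQUIRED_ARG.get(img)
    if required is None:
        return None
    # Drop the image path itself so only the arguments are inspected.
    args = cmd[len(image):].strip() if cmd.lower().startswith(image.lower()) else cmd
    if required not in args.split():
        return f"{img} launched without expected argument {required!r} (cmdline: {cmd!r})"
    return None


CHECKS: Dict[int, Callable[[Event], Optional[str]]] = {
    1: check_cmdline, 3: check_network, 8: check_remote_thread,
}


def analyze(events: Iterable[Event]) -> List[str]:
    """Run the matching check for each event and collect the alert strings."""
    alerts: List[str] = []
    for ev in events:
        check = CHECKS.get(int(str(ev["id"])))
        if check is None:
            continue
        alert = check(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print("ALERT:", a)
```

Run as-is it raises four alerts from the constructed sample: the svchost.exe launch with no -k group, the remote thread from a Temp-directory binary into explorer.exe, explorer.exe making an outbound connection, and svchost.exe talking on port 4444. The csrss.exe remote thread, the svchost.exe connection on 443 and the browser with no baseline stay silent, which is the point of keeping the allow-list and port baselines explicit rather than alerting on every remote thread or connection.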
- Process Injection (Red Canary)
- Process Injection Detection with Sysmon (LetsDefend Blog)
- Memory Forensics for Incident Response (Video) (SANS)
- Process Injection Technique Details (MITRE)
- Case Study: Use of Process Injection by Turla Group (ESET)