Dynamic-link Library Injection

Information

• Name: Dynamic-link Library Injection

• ID: T1055.001

• Tactics: TA0005, TA0004

• Technique: T1055

Introduction

Dynamic-link Library (DLL) Injection (T1055.001) is a sub-technique of the MITRE ATT&CK framework categorized under Process Injection (T1055). It involves the injection of malicious DLL files into legitimate running processes to execute arbitrary code within their context. By leveraging DLL injection, attackers can evade detection, escalate privileges, and maintain persistence within compromised environments. This technique exploits the dynamic loading capability of Windows operating systems, allowing attackers to execute malicious payloads within trusted processes.

Deep Dive Into Technique

DLL injection involves inserting a malicious DLL into the address space of a legitimate process, causing the process to execute malicious code. Typically, attackers follow these steps:

1. Identify Target Process:

   • Attackers choose legitimate processes that are less likely to raise suspicion, such as explorer.exe, svchost.exe, or browser processes.

2. DLL Preparation:

   • Attackers craft or modify DLL files containing malicious payloads designed to execute specific tasks, such as keylogging, data exfiltration, or command-and-control (C2) communication.

3. Injection Techniques:

   • Classic DLL Injection: Uses Windows API functions such as OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread() to load the malicious DLL remotely into a target process.

   • SetWindowsHookEx Injection: Exploits the Windows hooking mechanism to inject DLLs into processes that receive specific Windows messages.

   • Reflective DLL Injection: Loads DLLs directly into memory without touching the disk, bypassing detection mechanisms that monitor file system activity.

   • Process Hollowing: Starts a legitimate process, suspends it, replaces its code with malicious DLL code, and then resumes execution.

4. Execution and Persistence:

   • Upon successful injection, the malicious DLL executes within the trusted process context, inheriting its privileges and avoiding suspicion.

   • Attackers may use DLL injection to maintain persistence by injecting malicious DLLs into processes that run at startup or continuously in the background.

When this Technique is Usually Used

DLL injection is commonly used across various stages of the cyber kill chain:

• Initial Access and Execution:

  • Attackers inject DLLs into legitimate processes immediately after gaining initial access to execute payloads stealthily.

• Privilege Escalation:

  • Injecting DLLs into privileged processes allows attackers to escalate privileges and execute commands with higher permissions.

• Defense Evasion:

  • Injecting malicious code into trusted processes helps evade antivirus detection, endpoint protection tools, and behavioral analysis.

• Persistence:

  • Injecting DLLs into long-running or auto-start processes ensures continued access even after system reboots or user logoffs.

• Credential Access and Data Exfiltration:

  • Malicious DLLs injected into browser processes or authentication processes can capture credentials, sensitive data, and facilitate data exfiltration.

How this Technique is Usually Detected

Detecting DLL injection typically involves monitoring process behaviors, API calls, memory activities, and DLL loads:

• Behavioral Monitoring:

  • Detect unusual process behavior, such as unexpected DLL loads, thread creations, or memory allocations.

  • Tools like Sysmon, Process Monitor, and Endpoint Detection and Response (EDR) solutions can track suspicious actions.

• API Hooking and Monitoring:

  • Monitor Windows API calls (CreateRemoteThread(), WriteProcessMemory(), SetWindowsHookEx(), LoadLibrary()) that are commonly used for DLL injection.

• Memory Scanning:

  • Regularly scan process memory for anomalies, unusual executable code, or memory regions marked as executable but not backed by known DLL files.

• DLL Load Monitoring:

  • Track events of DLL loads and identify unexpected or unsigned DLL files loaded into processes.

  • Audit and analyze DLL load events via Windows Event Logs or Sysmon Event ID 7 (Image Loaded).

• Indicators of Compromise (IoCs):

  • Suspicious DLL file paths, unusual DLL names, unsigned DLLs.

  • Unusual parent-child process relationships, such as unexpected processes spawning threads in unrelated processes.

  • Abnormal network activity originating from trusted processes.

Why it is Important to Detect This Technique

Detecting DLL injection is critical due to its significant potential impact on system security and organizational operations:

• Stealth and Evasion:

  • DLL injection allows attackers to operate covertly, bypassing traditional antivirus and endpoint protection tools, making detection and remediation challenging.

• Privilege Escalation:

  • Attackers can escalate privileges by injecting malicious DLLs into privileged processes, gaining administrative rights, and compromising critical systems.

• Persistence:

  • Malicious DLL injection facilitates long-term persistence, enabling attackers to maintain continuous access and control over compromised systems.

• Credential Theft and Data Exfiltration:

  • Injected DLLs can capture sensitive credentials, financial information, intellectual property, and other confidential data, leading to severe data breaches and financial loss.

• System Stability and Integrity:

  • Injecting malicious code into critical system processes can cause instability, crashes, or performance degradation, negatively affecting business operations and user productivity.

Early detection and prompt response to DLL injection can significantly reduce the attacker's dwell time, limit damage, and prevent further compromise of the organizational infrastructure.

Examples

Real-world examples of DLL injection attacks and tools include:

• Cobalt Strike Framework:

  • Frequently used by advanced persistent threat (APT) groups and ransomware operators.

  • Implements Reflective DLL Injection to load payloads directly into memory without touching disk.

• Dridex Banking Trojan:

  • Injects malicious DLLs into browser processes to steal online banking credentials, perform fraudulent transactions, and exfiltrate data.

• TrickBot Malware:

  • Uses DLL injection to embed malicious payloads into legitimate Windows processes, achieving persistence and data harvesting.

• APT29 (Cozy Bear):

  • Known for deploying sophisticated DLL injection techniques, including process hollowing and reflective DLL injection, to evade detection and maintain persistence.

• Meterpreter (Metasploit Framework):

  • Utilizes DLL injection capabilities, allowing attackers to execute payloads stealthily within legitimate processes.

In these scenarios, attackers utilized DLL injection to achieve stealth, evade defenses, escalate privileges, and maintain persistence, resulting in significant security breaches, financial losses, and reputational damage to targeted organizations.