Description
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017)
Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017)
Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.
Platforms
Mitigations (1)
Behavior Prevention on EndpointM1040
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
Threat Groups (10)
| ID | Group | Context |
|---|---|---|
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used Metasploit to perform reflective DLL injection in order to escalate privileges.(Citation: ESET... |
| G1026 | Malteiro | [Malteiro](https://attack.mitre.org/groups/G1026) has injected [Mispadu](https://attack.mitre.org/software/S1122)’s DLL into a process.(Citation: SCIL... |
| G0135 | BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has dropped legitimate software onto a compromised host and used it to execute malicious DL... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell tha... |
| G0024 | Putter Panda | An executable dropped onto victims by [Putter Panda](https://attack.mitre.org/groups/G0024) aims to inject the specified DLL into a process that would... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has the ability to load DLLs via reflective injection by allocating memory using `VirtualAllocEx()`, ... |
| G0032 | Lazarus Group | A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample performs reflective DLL injection.(Citation: McAfee Lazarus Resurfaces Feb 201... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has injected a DLL backdoor into dllhost.exe and svchost.exe.(Citation: TrendMicro Tropic Troo... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has been seen injecting a DLL into winword.exe.(Citation: IBM TA505 April 2020) |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has injected malicious DLLs into memory with read, write, and execute permissions.(Citation: DH... |
Associated Software (56)
| ID | Name | Type | Context |
|---|---|---|---|
| S1027 | Heyoka Backdoor | Malware | [Heyoka Backdoor](https://attack.mitre.org/software/S1027) can inject a DLL into rundll32.exe for execution.(Citation: SentinelOne Aoqin Dragon June 2... |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has injected its DLL component into `EhStorAurhn.exe`.(Citation: Malwarebytes Saint Bot April 202... |
| S0082 | Emissary | Malware | [Emissary](https://attack.mitre.org/software/S0082) injects its DLL file into a newly spawned Internet Explorer process.(Citation: Lotus Blossom Dec 2... |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) can perform DLL injection.(Citation: Kaspersky ProjectSauron Technical Analysis) |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) can use a .NET-based DLL named `RunPe6` for process injection.(Citation: Secureworks DarkTorti... |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) injects its DLL component into svchost.exe.(Citation: F-Secure BlackEnergy 2014) |
| S0613 | PS1 | Malware | [PS1](https://attack.mitre.org/software/S0613) can inject its payload DLL Into memory.(Citation: BlackBerry CostaRicto November 2020) |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can perform process injection by using a reflective DLL.(Citation: Github Koadic) |
| S0055 | RARSTONE | Malware | After decrypting itself in memory, [RARSTONE](https://attack.mitre.org/software/S0055) downloads a DLL file from its C2 server and loads it in the mem... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) has the ability to load DLLs via reflective injection.(Citation: Talos Cobalt Strike Septembe... |
| S0461 | SDBbot | Malware | [SDBbot](https://attack.mitre.org/software/S0461) has the ability to inject a downloaded DLL into a newly created rundll32.exe process.(Citation: Proo... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).(Citation: Medi... |
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) has injected its orchestrator DLL into explorer.exe. [ComRAT](https://attack.mitre.org/software/S012... |
| S0273 | Socksbot | Malware | [Socksbot](https://attack.mitre.org/software/S0273) creates a suspended svchost process and injects its DLL into it.(Citation: TrendMicro Patchwork De... |
| S1039 | Bumblebee | Malware | The [Bumblebee](https://attack.mitre.org/software/S1039) loader can support the `Dij` command which gives it the ability to inject DLLs into the memor... |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process throu... |
| S1044 | FunnyDream | Malware | The [FunnyDream](https://attack.mitre.org/software/S1044) FilepakMonitor component can inject into the Bka.exe process using the `VirtualAllocEx`, `Wr... |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has injected the malware DLL into a target process.(Citation: McAfee Maze March 2020)(Citation: Sophos... |
| S0167 | Matryoshka | Malware | [Matryoshka](https://attack.mitre.org/software/S0167) uses reflective DLL injection to inject the malicious library and execute the RAT.(Citation: Cop... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can migrate into another process using reflective DLL injection.(Citation: GitHub Pupy) |
Related CWE Weaknesses
References
- Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022.
- Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.
- Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
- Red Teaming Experiments. (n.d.). Module Stomping for Shellcode Injection. Retrieved July 14, 2022.
Frequently Asked Questions
What is T1055.001 (Dynamic-link Library Injection)?
T1055.001 is a MITRE ATT&CK technique named 'Dynamic-link Library Injection'. It belongs to the Stealth, Privilege Escalation tactic(s). Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary co...
How can T1055.001 be detected?
Detection of T1055.001 (Dynamic-link Library Injection) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1055.001?
There are 1 documented mitigations for T1055.001. Key mitigations include: Behavior Prevention on Endpoint.
Which threat groups use T1055.001?
Known threat groups using T1055.001 include: Turla, Malteiro, BackdoorDiplomacy, Leviathan, Putter Panda, Kimsuky, Lazarus Group, Tropic Trooper.