Threat Feed
high advisory

Potential Process Injection via PowerShell

This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.

This detection focuses on PowerShell scripts that combine specific Win32 API calls commonly used for process injection and in-memory payload execution. Attackers favour PowerShell because it is present on every Windows host and can reach Win32 APIs directly (for example through Add-Type P/Invoke definitions or .NET reflection), which lets them inject code into other processes and bypass controls that only inspect files on disk.

The rule targets API combinations drawn from five groups: memory allocation (VirtualAlloc, VirtualAllocEx), memory protection (VirtualProtect), process access (OpenProcess), dynamic library loading (LdrLoadDll, LoadLibrary), and thread manipulation (CreateRemoteThread, NtCreateThreadEx). Any one of these APIs can appear in a legitimate script; it is the combination within a single script that the rule treats as suspicious. Script activity originating from Microsoft Defender Advanced Threat Protection directories is excluded to reduce false positives. The same API combinations are commonly seen in post-exploitation frameworks such as Empire, whose in-memory injection modules are built on them.

Attack Chain

  1. An attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.
  2. The attacker uses PowerShell to execute a malicious script.
  3. The PowerShell script calls OpenProcess to obtain a handle to the target process with the access rights injection requires.
  4. The script calls VirtualAllocEx to allocate a region of memory inside the target process.
  5. WriteProcessMemory copies the malicious code into the allocated region, and VirtualProtect (or the protection flags passed at allocation) makes it executable.
  6. The script calls CreateRemoteThread or NtCreateThreadEx to start a thread in the target process whose start address points at the injected code.
  7. The injected code runs inside the target process, inheriting its identity, token, and reputation with security tooling.
  8. The attacker achieves their objective, such as credential dumping or establishing persistence.

Impact

Successful process injection allows attackers to execute arbitrary code within the context of another, usually legitimate, process. From there they can steal credentials, escalate privileges, exfiltrate data, or deploy ransomware, while security tooling attributes the activity to the host process. No victim count is associated with this advisory, but because PowerShell is present on every Windows host the technique is broadly applicable. Successful attacks can compromise sensitive data, disrupt business operations, and damage an organization's reputation.

Recommendation

  • Enable PowerShell Script Block Logging so that Event ID 4104 (Microsoft-Windows-PowerShell/Operational) is recorded; this detection depends on those events. Setup instructions: https://ela.st/powershell-logging-setup.
  • Deploy the provided Sigma rules to your SIEM to detect suspicious PowerShell scripts indicative of process injection. Tune the rules based on your environment’s baseline activity.
  • Investigate any alerts generated by these rules, focusing on the reconstructed script content, target process, and execution context. Refer to the investigation guide section for triage steps.
  • Implement application control policies to restrict the execution of unauthorized PowerShell scripts.
  • Monitor PowerShell execution for suspicious API calls related to process injection, as described in the rule’s query.

Detection coverage (2 rules)

Detect PowerShell Process Injection API Combinations

high

Detects PowerShell scripts that combine Win32 APIs indicative of process injection techniques.

Format: Sigma. Tactics: defense_evasion, execution. Techniques: T1059.001. Sources: process_creation, windows.

Detect PowerShell Process Injection via Script Block Text

high

Detects PowerShell scripts using Script Block Text containing specific Win32 API combinations related to process injection.

Format: Sigma. Tactics: defense_evasion, execution. Techniques: T1059.001. Sources: powershell_script, windows.

Detection queries are kept inside the platform.