Threat Feed
high advisory

PowerShell P/Invoke API Chain for Process Injection

This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.

This brief focuses on the detection of PowerShell scripts utilizing Platform Invoke (P/Invoke) to perform process injection. P/Invoke allows managed code (PowerShell) to call native, unmanaged code (Windows API functions). Adversaries leverage this capability to inject malicious code into other processes, bypassing traditional defenses. This activity is identified through PowerShell script block logging (Event ID 4104). The detection strategy covers both the compile phase (detecting inline .NET class definitions with DllImport declarations) and the execution phase (detecting static method invocation patterns using ::MethodName syntax with execution context indicators). This ensures broad coverage, even when pre-compiled assemblies are loaded. The techniques detected cover a wide range of process injection methods, increasing the likelihood of detection against various attack vectors.

Attack Chain

  1. The attacker executes a PowerShell script containing malicious code designed for process injection.
  2. The script uses Add-Type -TypeDefinition to define a .NET class inline, embedding C# source code that includes [DllImport] declarations for Windows API functions.
  3. The DllImport attribute specifies the native DLL (e.g., kernel32.dll, ntdll.dll) and the function name to import.
  4. The script declares external functions like VirtualAlloc, WriteProcessMemory, CreateRemoteThread, NtCreateSection, and NtMapViewOfSection using extern <ReturnType> <FunctionName>.
  5. The script calls the declared functions through PowerShell's static member syntax ([Type]::Member), alongside helpers such as [IntPtr]::Zero and [Marshal]::Copy.
  6. The script allocates memory in the target process using VirtualAllocEx or NtAllocateVirtualMemory.
  7. The malicious code (shellcode or DLL) is written to the allocated memory using WriteProcessMemory.
  8. A new thread is created in the target process to execute the injected code using CreateRemoteThread or RtlCreateUserThread. Alternatively, APC injection uses QueueUserAPC to queue an Asynchronous Procedure Call in the target process.

Impact

Successful process injection allows attackers to execute arbitrary code within the context of a legitimate process. This can lead to privilege escalation, credential theft, and persistence. Process injection can also be used to bypass security software and gain unauthorized access to sensitive data. This technique has been observed in malware campaigns associated with VIP Keylogger and similar threats, leading to data exfiltration and system compromise.

Recommendation

  • Enable PowerShell script block logging (Event ID 4104) to capture the necessary data for detection.
  • Deploy the provided Sigma rules to your SIEM to detect malicious PowerShell scripts using P/Invoke for process injection.
  • Investigate any alerts generated by the Sigma rules, focusing on processes that exhibit suspicious API call patterns.
  • Review and tune the Sigma rules based on your environment to minimize false positives and ensure accurate detection.

Detection coverage (3 rules)

PowerShell Add-Type DllImport Definition

medium

Detects PowerShell scripts that use Add-Type to define .NET classes with DllImport attributes, indicating potential P/Invoke usage for process injection.

Rule type: sigma | Tactics: defense_evasion, privilege_escalation | Techniques: T1059.001, T1547.001 | Log sources: process_creation, windows

PowerShell PInvoke API Call Sequence

high

Detects PowerShell scripts that invoke a sequence of API calls commonly used for process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.

Rule type: sigma | Tactics: defense_evasion, privilege_escalation | Techniques: T1059.001, T1547.001 | Log sources: process_creation, windows

PowerShell Static Method Invocation with IntPtr Zero

medium

Detects PowerShell scripts utilizing static method invocation patterns with IntPtr::Zero, often associated with P/Invoke and process injection techniques.

Rule type: sigma | Tactics: defense_evasion, privilege_escalation | Techniques: T1059.001 | Log sources: process_creation, windows
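To show how the compile-phase and execution-phase indicators from the three rule descriptions translate into matching logic, here is an added Python example (written for this brief, not the platform's Sigma rules) that scores the ScriptBlockText of a 4104 event against the three rules. Both script blocks are constructed samples, and the grouping of the brief's API names into allocate/write/execute phases is an assumption.

```python
import re

# Constructed 4104 ScriptBlockText modeled on the Add-Type/DllImport chain in the brief (not a real sample)
SUSPICIOUS_BLOCK = r'''
$src = @"
using System; using System.Runtime.InteropServices;
public class W32 {
  [DllImport("kernel32.dll")] public static extern IntPtr VirtualAllocEx(IntPtr h, IntPtr a, uint n, uint t, uint p);
  [DllImport("kernel32.dll")] public static extern bool WriteProcessMemory(IntPtr h, IntPtr a, byte[] b, uint n, IntPtr w);
  [DllImport("kernel32.dll")] public static extern IntPtr CreateRemoteThread(IntPtr h, IntPtr a, uint s, IntPtr f, IntPtr p, uint c, IntPtr t);
}
"@
Add-Type -TypeDefinition $src
$mem = [W32]::VirtualAllocEx($h, [IntPtr]::Zero, $buf.Length, $flags, $prot)
[W32]::WriteProcessMemory($h, $mem, $buf, $buf.Length, [IntPtr]::Zero)
[W32]::CreateRemoteThread($h, [IntPtr]::Zero, 0, $mem, [IntPtr]::Zero, 0, [IntPtr]::Zero)
'''
BENIGN_BLOCK = r'''
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show("Backup finished", "Status")
'''

# Static-member invocations of the form [Type]::Member(...)
STATIC_CALL = re.compile(r"\[(?P<type>[\w.]+)\]::(?P<member>\w+)\s*\(")
# [IntPtr]::Zero passed as an argument to some static invocation (execution-context indicator)
INTPTR_ZERO_ARG = re.compile(r"::\w+\([^)]*\[IntPtr\]::Zero")
# Injection APIs named in the brief, grouped by the phase of the chain they serve (assumed grouping)
PHASES = {
    "allocate": {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory",
                 "NtCreateSection", "NtMapViewOfSection"},
    "write": {"WriteProcessMemory"},
    "execute": {"CreateRemoteThread", "RtlCreateUserThread", "QueueUserAPC"},
}

def analyze(script_text):
    """Return [(rule name, severity)] for one script block, mirroring the three rules above."""
    findings = []
    # Compile phase: inline type definition carrying DllImport declarations
    if re.search(r"Add-Type\s+-TypeDefinition", script_text, re.I) and "[DllImport(" in script_text:
        findings.append(("PowerShell Add-Type DllImport Definition", "medium"))
    # Execution phase: static invocations that cover two or more phases of the injection chain
    members = {m.group("member") for m in STATIC_CALL.finditer(script_text)}
    hit_phases = [p for p, apis in PHASES.items() if members & apis]
    if len(hit_phases) >= 2:
        findings.append(("PowerShell PInvoke API Call Sequence", "high"))
    # Execution context indicator: [IntPtr]::Zero handed to a static call
    if INTPTR_ZERO_ARG.search(script_text):
        findings.append(("PowerShell Static Method Invocation with IntPtr Zero", "medium"))
    return findings
```

The benign block trips none of the three checks because its only static call (MessageBox::Show) touches no injection phase and takes no IntPtr argument, which is the kind of tuning point the recommendations above refer to.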

Detection queries are kept inside the platform.