{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pinvoke/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the P/Invoke (Platform Invoke) technology to perform process injection. P/Invoke allows managed code (like PowerShell) to call unmanaged functions exported from DLLs, including critical Windows API functions. Attackers use this to inject malicious code into legitimate processes for evasion and persistence. The detection focuses on identifying specific API chains commonly used in process injection techniques, such as allocating memory in a target process (VirtualAlloc), writing malicious code into the allocated memory (WriteProcessMemory), and executing the injected code (CreateRemoteThread). This activity is often associated with malware deployment, privilege escalation, and defense evasion. The detection logic is designed to identify these API chains either at the compile phase using Add-Type or during the execution phase, alerting on suspicious PowerShell behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses Add-Type and DllImport to declare external functions from Windows DLLs, including kernel32.dll and ntdll.dll.\u003c/li\u003e\n\u003cli\u003eThe script uses functions such as OpenProcess to gain a handle to a target process.\u003c/li\u003e\n\u003cli\u003eVirtualAllocEx is called to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003eWriteProcessMemory is used to write malicious code into the allocated memory region of the target process.\u003c/li\u003e\n\u003cli\u003eCreateRemoteThread is called to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, achieving code execution and potential privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially gaining elevated privileges. This can lead to data theft, system compromise, or further propagation within the network. The use of PowerShell and P/Invoke makes detection more challenging, as the activity can blend in with legitimate system administration tasks. A successful attack could lead to the deployment of a VIP Keylogger or other malware, as noted in the provided references.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to provide the necessary data for detection (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell PInvoke Process Injection\u003c/code\u003e to your SIEM and tune the rule to your environment (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific API chains identified in the \u003ccode\u003edetection\u003c/code\u003e section of the rule.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies and restrict the execution of unsigned scripts to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-powershell-pinvoke-process-injection/","summary":"This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.","title":"PowerShell P/Invoke Process Injection API Chain Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on the detection of PowerShell scripts utilizing Platform Invoke (P/Invoke) to perform process injection. P/Invoke allows managed code (PowerShell) to call native, unmanaged code (Windows API functions). Adversaries leverage this capability to inject malicious code into other processes, bypassing traditional defenses. This activity is identified through PowerShell script block logging (Event ID 4104). The detection strategy covers both the compile phase (detecting inline .NET class definitions with DllImport declarations) and the execution phase (detecting static method invocation patterns using ::MethodName syntax with execution context indicators). This ensures broad coverage, even when pre-compiled assemblies are loaded. The techniques detected cover a wide range of process injection methods, increasing the likelihood of detection against various attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker executes a PowerShell script containing malicious code designed for process injection.\u003c/li\u003e\n\u003cli\u003eThe script uses \u003ccode\u003eAdd-Type -TypeDefinition\u003c/code\u003e to define a .NET class inline, embedding C# source code that includes \u003ccode\u003e[DllImport]\u003c/code\u003e declarations for Windows API functions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDllImport\u003c/code\u003e attribute specifies the native DLL (e.g., kernel32.dll, ntdll.dll) and the function name to import.\u003c/li\u003e\n\u003cli\u003eThe script declares external functions like \u003ccode\u003eVirtualAlloc\u003c/code\u003e, \u003ccode\u003eWriteProcessMemory\u003c/code\u003e, \u003ccode\u003eCreateRemoteThread\u003c/code\u003e, \u003ccode\u003eNtCreateSection\u003c/code\u003e, and \u003ccode\u003eNtMapViewOfSection\u003c/code\u003e using \u003ccode\u003eextern \u0026lt;ReturnType\u0026gt; \u0026lt;FunctionName\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script uses static method invocation (e.g., \u003ccode\u003e[IntPtr]::Zero\u003c/code\u003e, \u003ccode\u003e[Marshal]::Copy\u003c/code\u003e) to call the declared functions.\u003c/li\u003e\n\u003cli\u003eThe script allocates memory in the target process using \u003ccode\u003eVirtualAllocEx\u003c/code\u003e or \u003ccode\u003eNtAllocateVirtualMemory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code (shellcode or DLL) is written to the allocated memory using \u003ccode\u003eWriteProcessMemory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA new thread is created in the target process to execute the injected code using \u003ccode\u003eCreateRemoteThread\u003c/code\u003e or \u003ccode\u003eRtlCreateUserThread\u003c/code\u003e. Alternatively, APC injection uses \u003ccode\u003eQueueUserAPC\u003c/code\u003e to queue an Asynchronous Procedure Call in the target process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a legitimate process. This can lead to privilege escalation, credential theft, and persistence. Process injection can also be used to bypass security software and gain unauthorized access to sensitive data. This technique has been observed in malware campaigns associated with VIP Keylogger and similar threats, leading to data exfiltration and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging (Event ID 4104) to capture the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect malicious PowerShell scripts using P/Invoke for process injection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on processes that exhibit suspicious API call patterns.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rules based on your environment to minimize false positives and ensure accurate detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-pinvoke-injection/","summary":"This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.","title":"PowerShell P/Invoke API Chain for Process Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Pinvoke","version":"https://jsonfeed.org/version/1.1"}