<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pinvoke — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/pinvoke/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:23:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/pinvoke/feed.xml" rel="self" type="application/rss+xml"/><item><title>PowerShell P/Invoke Process Injection API Chain Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-process-injection/</link><pubDate>Wed, 03 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-process-injection/</guid><description>This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.</description><content:encoded><![CDATA[<p>This detection identifies PowerShell scripts leveraging the P/Invoke (Platform Invoke) technology to perform process injection. P/Invoke allows managed code (like PowerShell) to call unmanaged functions exported from DLLs, including critical Windows API functions. Attackers use this to inject malicious code into legitimate processes for evasion and persistence. 
The detection focuses on identifying specific API chains commonly used in process injection techniques, such as allocating memory in a target process (VirtualAlloc), writing malicious code into the allocated memory (WriteProcessMemory), and executing the injected code (CreateRemoteThread). This activity is often associated with malware deployment, privilege escalation, and defense evasion. The detection logic is designed to identify these API chains either at the compile phase using Add-Type or during the execution phase, alerting on suspicious PowerShell behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.</li>
<li>PowerShell is invoked to execute a malicious script.</li>
<li>The PowerShell script uses Add-Type and DllImport to declare external functions from Windows DLLs, including kernel32.dll and ntdll.dll.</li>
<li>The script uses functions such as OpenProcess to gain a handle to a target process.</li>
<li>VirtualAllocEx is called to allocate memory within the target process.</li>
<li>WriteProcessMemory is used to write malicious code into the allocated memory region of the target process.</li>
<li>CreateRemoteThread is called to create a new thread within the target process, pointing to the injected code.</li>
<li>The injected code executes within the context of the target process, achieving code execution and potential privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful process injection allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially gaining elevated privileges. This can lead to data theft, system compromise, or further propagation within the network. The use of PowerShell and P/Invoke makes detection more challenging, as the activity can blend in with legitimate system administration tasks. A successful attack could lead to the deployment of a VIP Keylogger or other malware, as noted in the provided references.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable PowerShell Script Block Logging (Event ID 4104) to provide the data source this detection requires.</li>
<li>Deploy the Sigma rule <code>PowerShell PInvoke Process Injection</code> to your SIEM and tune it to your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the specific API chains identified in the <code>detection</code> section of the rule.</li>
<li>Review PowerShell execution policies and restrict the execution of unsigned scripts to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>process-injection</category><category>powershell</category><category>pinvoke</category><category>defense-evasion</category></item><item><title>PowerShell P/Invoke API Chain for Process Injection</title><link>https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-injection/</guid><description>This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of PowerShell scripts utilizing Platform Invoke (P/Invoke) to perform process injection. P/Invoke allows managed code (PowerShell) to call native, unmanaged code (Windows API functions). Adversaries leverage this capability to inject malicious code into other processes, bypassing traditional defenses. This activity is identified through PowerShell script block logging (Event ID 4104). The detection strategy covers both the compile phase (detecting inline .NET class definitions with DllImport declarations) and the execution phase (detecting static method invocation patterns using ::MethodName syntax with execution context indicators). This ensures broad coverage, even when pre-compiled assemblies are loaded. The techniques detected cover a wide range of process injection methods, increasing the likelihood of detection against various attack vectors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker executes a PowerShell script containing malicious code designed for process injection.</li>
<li>The script uses <code>Add-Type -TypeDefinition</code> to define a .NET class inline, embedding C# source code that includes <code>[DllImport]</code> declarations for Windows API functions.</li>
<li>The <code>DllImport</code> attribute specifies the native DLL (e.g., kernel32.dll, ntdll.dll) and the function name to import.</li>
<li>The script declares external functions like <code>VirtualAlloc</code>, <code>WriteProcessMemory</code>, <code>CreateRemoteThread</code>, <code>NtCreateSection</code>, and <code>NtMapViewOfSection</code> using <code>extern &lt;ReturnType&gt; &lt;FunctionName&gt;</code>.</li>
<li>The script uses static method invocation (e.g., <code>[IntPtr]::Zero</code>, <code>[Marshal]::Copy</code>) to call the declared functions.</li>
<li>The script allocates memory in the target process using <code>VirtualAllocEx</code> or <code>NtAllocateVirtualMemory</code>.</li>
<li>The malicious code (shellcode or DLL) is written to the allocated memory using <code>WriteProcessMemory</code>.</li>
<li>A new thread is created in the target process to execute the injected code using <code>CreateRemoteThread</code> or <code>RtlCreateUserThread</code>. Alternatively, APC injection uses <code>QueueUserAPC</code> to queue an Asynchronous Procedure Call in the target process.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful process injection allows attackers to execute arbitrary code within the context of a legitimate process. This can lead to privilege escalation, credential theft, and persistence. Process injection can also be used to bypass security software and gain unauthorized access to sensitive data. This technique has been observed in malware campaigns associated with VIP Keylogger and similar threats, leading to data exfiltration and system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable PowerShell script block logging (Event ID 4104) to capture the necessary data for detection.</li>
<li>Deploy the provided Sigma rules to your SIEM to detect malicious PowerShell scripts using P/Invoke for process injection.</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on processes that exhibit suspicious API call patterns.</li>
<li>Review and tune the Sigma rules based on your environment to minimize false positives and ensure accurate detection.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>process-injection</category><category>powershell</category><category>pinvoke</category></item></channel></rss>