Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
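On a Windows endpoint the cross-process activity described above is visible in Sysmon's CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10) records. The PowerShell below is an added example, not part of the ATT&CK description or the mappings page: it runs two simple detection checks over constructed sample records (images, PIDs and access masks are made up for illustration) and flags remote threads from untrusted sources, remote threads whose start address is not backed by a known module, and process handles opened with the write-plus-create-thread rights that injection needs. The allowlist of legitimate remote-thread creators is an assumption to be tuned per environment.

```powershell
# Access rights from the Windows SDK; together these are what a classic WriteProcessMemory +
# CreateRemoteThread injection must hold on the target process handle.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_WRITE      = 0x0020
$InjectionMask = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE

# Windows components that legitimately create threads in other processes (assumed allowlist; tune per host)
$TrustedThreadCreators = @(
    'C:\Windows\System32\csrss.exe'
    'C:\Windows\System32\wininit.exe'
    'C:\Windows\System32\services.exe'
)

# Constructed records in the shape of Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess).
$Events = @(
    [pscustomobject]@{ EventId = 8;  SourceImage = 'C:\Users\alice\Downloads\update.exe';   TargetImage = 'C:\Windows\explorer.exe';         StartModule = '';                               StartFunction = '';                   GrantedAccess = $null }
    [pscustomobject]@{ EventId = 8;  SourceImage = 'C:\Windows\System32\csrss.exe';         TargetImage = 'C:\Windows\System32\notepad.exe'; StartModule = 'C:\Windows\System32\ntdll.dll';  StartFunction = 'RtlUserThreadStart'; GrantedAccess = $null }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Users\alice\Downloads\update.exe';   TargetImage = 'C:\Windows\System32\lsass.exe';   StartModule = $null;                            StartFunction = $null;                GrantedAccess = 0x1F0FFF }
    [pscustomobject]@{ EventId = 10; SourceImage = 'C:\Program Files\EDR\sensor.exe';       TargetImage = 'C:\Windows\System32\lsass.exe';   StartModule = $null;                            StartFunction = $null;                GrantedAccess = 0x1010 }
)

function Test-InjectionIndicator {
    # Returns a short reason string when the record looks like process injection, otherwise $null.
    param([Parameter(Mandatory)][pscustomobject]$Event)

    switch ($Event.EventId) {
        8 {
            # A process creating a thread in itself is normal; so are a few OS components.
            if ($Event.SourceImage -eq $Event.TargetImage)            { return $null }
            if ($TrustedThreadCreators -contains $Event.SourceImage)  { return $null }
            # A remote thread whose start address is not backed by any module is the shellcode pattern;
            # a module-backed one from an untrusted image still merits review (e.g. LoadLibrary-style DLL injection).
            if ([string]::IsNullOrEmpty($Event.StartModule)) {
                return 'remote thread with unbacked start address'
            }
            return ('remote thread from untrusted source starting in {0}!{1}' -f $Event.StartModule, $Event.StartFunction)
        }
        10 {
            # Only flag handles that carry every right an injector needs; read-only access (e.g. 0x1010) is left alone.
            if (($Event.GrantedAccess -band $InjectionMask) -eq $InjectionMask) {
                return ('process handle with write+create-thread rights (0x{0:X})' -f $Event.GrantedAccess)
            }
            return $null
        }
    }
    return $null
}

# Report the records that trip a check; on a real host replace $Events with Get-WinEvent output
# from the Microsoft-Windows-Sysmon/Operational log.
$Events | ForEach-Object {
    $reason = Test-InjectionIndicator -Event $_
    if ($reason) { '{0} -> {1}: {2}' -f $_.SourceImage, $_.TargetImage, $reason }
}
```

With the constructed input, the first and third records are reported and the csrss.exe thread and the read-only (0x1010) handle are not. The ProcessAccess check deliberately tests for the full combination of rights rather than any single bit, because many legitimate tools open processes with PROCESS_VM_READ and PROCESS_QUERY_INFORMATION only.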
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
intel-vt | Intel Virtualization Technology | Win 11, VBS, Memory Integrity | T1055 | Process Injection |
intel-pt | Intel Processor Trace | CrowdStrike HEED | T1055 | Process Injection |
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1055 | Process Injection |

Comments on intel-vt (Win 11, VBS, Memory Integrity)

Memory integrity is a virtualization-based security (VBS) feature that protects and hardens Windows by running kernel-mode code integrity checks inside the isolated virtual environment that VBS provides (VBS itself relies on Intel VT-x). Memory integrity also restricts kernel memory allocations that could be used to compromise the system, and it is sometimes referred to as hypervisor-protected code integrity (HVCI). VBS provides an isolated environment that acts as a root of trust for the OS and its core components; it is enabled by Intel VT-x, VT-x2 with Extended Page Tables, an IOMMU (Intel VT-d) and Secure Boot (Intel Boot Guard).

Memory integrity protects against behaviors that involve exploitation of kernel components, including tampering with core drivers in memory, changing security configurations, and running untrusted code (as determined by its signature).

"HVCI protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers. Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate."

"Hypervisor-protected code integrity introduces a new rule that no kernel memory pages are both writeable and executable, which eliminates an entire category of attacks that dynamically generate code. Additionally, HVCI comes enabled with a code integrity security policy that blocks drivers known to be used in kernel tampering, including Mimikatz, the old vulnerable VBox driver, and the Capcom driver commonly used in rootkits. Ultimately, HVCI provides optimal protection for the kernel against tampering and escalation of privilege attacks. ... With HVCI enabled, attempts to modify the process structures will fail, preventing the protected process flag from being removed, which prevents process memory inspection or module injection into LSA."

Comments on intel-pt (CrowdStrike HEED)

CrowdStrike Falcon Hardware Enhanced Exploit Detection (HEED) is an advanced security feature that integrates Intel Processor Trace (Intel PT) technology to provide enhanced visibility into sophisticated attack techniques, including real-time detection of process injection exploits. These attacks often involve adversaries injecting malicious code into legitimate processes to evade detection, escalate privileges, or manipulate system behavior without triggering traditional security defenses.

Intel PT offers deep insight into program execution at the hardware level, capturing telemetry such as control flow, memory access, and instruction execution in real time. This telemetry helps security teams detect abnormal behaviors, such as unauthorized code injections, suspicious execution paths, and attempts to manipulate legitimate processes. By monitoring these low-level activities, HEED makes it easier to identify exploitation attempts that use process injection techniques to compromise systems or deploy malware.

By combining Intel PT's granular telemetry with advanced detection algorithms, HEED provides a defense against evasive process injection attacks that may bypass conventional security measures. This approach enables organizations to identify and mitigate these exploits quickly, strengthening the protection of critical systems and reducing the risk of compromise from targeted cyber threats.

Comments on intel-tdt (CrowdStrike AMS)

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of process injection attacks. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain while minimizing system performance impact.

Process injection is a technique where attackers insert malicious code into the address space of a legitimate process in order to evade detection, gain unauthorized access, or execute arbitrary code under the guise of a trusted process. This method is often used by malware to bypass security measures, maintain persistence, and carry out actions without triggering suspicion. Common techniques include DLL injection, code cave injection, and thread injection, among others.

Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow. This telemetry allows security teams to detect abnormal behaviors, such as the unauthorized injection of code into legitimate processes, suspicious memory access patterns, or unexpected changes in control flow that could indicate an ongoing process injection attack.
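The intel-vt mapping above only applies if VBS and memory integrity (HVCI) are actually running on the host, which is worth verifying rather than assuming from the Windows edition. The PowerShell below is an added example, not code from the mappings page, Intel or Microsoft: it reads the Win32_DeviceGuard WMI class and the memory-integrity policy key and returns a small status object. The class, namespace, registry path and value meanings are the documented ones; the function name is our own, and the hardware-property decoding is limited to the values we are sure of.

```powershell
function Get-MemoryIntegrityState {
    # Win32_DeviceGuard reports what VBS is configured to do and what it is really running.
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
    if (-not $dg) { throw 'Win32_DeviceGuard not available; this host does not expose VBS status.' }

    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'NotEnabled' }
        1 { 'EnabledNotRunning' }
        2 { 'Running' }
        default { 'Unknown' }
    }

    # The switch that the Windows Security "Memory integrity" toggle writes (Enabled = 1). A missing key means off.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $policy  = Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue
    $hvciConfigured = ($null -ne $policy) -and ($policy.Enabled -eq 1)

    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # AvailableSecurityProperties / RequiredSecurityProperties use the same codes; the first three are
    # 1 = hypervisor (VT-x) support, 2 = Secure Boot, 3 = DMA protection (VT-d). Others are reported raw.
    $hwNames = @{ 1 = 'Hypervisor'; 2 = 'SecureBoot'; 3 = 'DmaProtection' }
    $available = @($dg.AvailableSecurityProperties | ForEach-Object { if ($hwNames.ContainsKey([int]$_)) { $hwNames[[int]$_] } else { "Code$_" } })

    [pscustomobject]@{
        VbsStatus              = $vbsStatus
        HvciConfiguredByPolicy = $hvciConfigured
        HvciRunning            = $hvciRunning
        # Configured but not running usually means an incompatible driver or missing hardware prerequisite.
        HvciBlocked            = ([bool]($dg.SecurityServicesConfigured -contains 2)) -and (-not $hvciRunning)
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        AvailableHardware      = $available
    }
}

Get-MemoryIntegrityState | Format-List
```

Run it in an elevated session; HvciRunning is the field that matters for this mapping, and HvciBlocked set to $true is the case to chase, since it means the policy is on but the hypervisor could not enforce it on this machine.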
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1055.011 | Extra Window Memory Injection | 2 |
T1055.003 | Thread Execution Hijacking | 2 |
T1055.002 | Portable Executable Injection | 2 |
T1055.012 | Process Hollowing | 1 |
T1055.001 | Dynamic-link Library Injection | 2 |