Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> (which calls the <code>LoadLibrary</code> API responsible for loading the DLL). (Citation: Endgame Process Injection July 2017)
Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of <code>LoadLibrary</code>).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July 2017)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-6 | Least Privilege | Protects | T1055.001 | Dynamic-link Library Injection |
SC-18 | Mobile Code | Protects | T1055.001 | Dynamic-link Library Injection |
SC-7 | Boundary Protection | Protects | T1055.001 | Dynamic-link Library Injection |
SI-2 | Flaw Remediation | Protects | T1055.001 | Dynamic-link Library Injection |
SI-3 | Malicious Code Protection | Protects | T1055.001 | Dynamic-link Library Injection |
SI-4 | System Monitoring | Protects | T1055.001 | Dynamic-link Library Injection |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1055.001 | Dynamic-link Library Injection |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1055.001 | Dynamic-link Library Injection |