T1055.001: Dynamic-link Library Injection

Data from MITRE ATT&CK®:

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017)

Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017)

Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping)

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Process Access (Process)

Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)

Process Modification (Process)

Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)

Module Load (Module)

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

OS API Execution (Process)

Operating system function/method calls executed by a process

Process Metadata (Process)

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique

windows

Process Injection via mavinject.exe

windows

HackTool - Potential CobaltStrike Process Injection

windows create remote thread

Mavinject Inject DLL Into Running Process

windows process creation

Renamed ZOHO Dctask64 Execution

windows process creation

Potential DLL Injection Or Execution Using Tracker.exe

windows process creation

ZOHO Dctask64 Process Injection

windows process creation

Renamed Mavinject.EXE Execution

windows process creation