Process Injection Explained: Techniques, Detection, Defense

Process Injection is a technique where an attacker forces malicious code to execute inside the memory space of another running process.
Instead of running malware as a separate process (which is easier to detect), the attacker hides inside a legitimate process such as explorer.exe, svchost.exe, or a browser. This technique is heavily documented in MITRE ATT&CK under Defense Evasion and Privilege Escalation tactics.


Why Attackers Use Process Injection

  • Evade antivirus / EDR detection
  • Bypass application whitelisting
  • Inherit trusted process privileges
  • Maintain stealthy persistence
  • Hide network traffic inside trusted apps

High-Level Process Injection Flow

General Steps:

  1. Identify a target process
  2. Obtain a handle with sufficient permissions
  3. Allocate memory in the target process
  4. Write malicious payload into memory
  5. Execute payload via thread manipulation or hijacking

Core Process Injection Techniques (Detailed)


1. DLL Injection

The most common and best-known technique.

How it works:

  • Attacker injects a malicious DLL into a running process
  • Forces the target process to load it, typically via the Windows LoadLibrary API

Variants:

  • Remote DLL injection
  • Reflective DLL injection (fileless)

Common APIs:

  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread

Detection challenges:

  • DLL loads look legitimate
  • DLL may never touch disk (reflective)

2. PE Injection (Portable Executable Injection)

How it works:

  • Injects a full executable image directly into memory
  • Manually maps headers and sections

Key Characteristics:

  • No LoadLibrary call
  • Manual relocation & import resolution
  • Often called Manual Mapping

Used by:

  • Advanced malware
  • Red team tools (e.g., Cobalt Strike loaders)

3. Shellcode Injection

How it works:

  • Small position-independent machine code is injected
  • Executes directly from memory

Execution methods:

  • CreateRemoteThread
  • APC injection
  • Thread hijacking

Highly stealthy but unstable if poorly written.


4. Process Hollowing (RunPE)

How it works:

  1. Start a legitimate process in suspended mode
  2. Unmap its original code
  3. Replace it with malicious code
  4. Resume execution

Looks like:

  • svchost.exe running but executing malware

Common targets:

  • notepad.exe
  • explorer.exe
  • svchost.exe

5. Thread Hijacking

How it works:

  • Suspend an existing thread
  • Change instruction pointer (EIP/RIP)
  • Resume execution at malicious code

Benefits:

  • No new thread creation
  • Less suspicious

6. APC Injection (Asynchronous Procedure Call)

How it works:

  • Queue malicious code to execute when a thread enters alertable state

APIs:

  • QueueUserAPC
  • NtQueueApcThread

Very stealthy, especially in system processes.


7. AtomBombing

Advanced and fileless technique.

How it works:

  • Uses Windows Atom Tables to store payload
  • Forces another process to retrieve and execute it

Advantages:

  • No direct memory writing
  • Bypasses many EDR hooks

8. Process Doppelgänging / Herpaderping

How it works:

  • Abuses Windows Transactional NTFS
  • Executes malware from deleted or rolled-back files

Outcome:

  • Disk image looks clean
  • Memory is malicious

Indicators of Compromise (IOCs)

Host-Based IOCs

  • Suspicious parent-child relationships (e.g., Word → svchost.exe)
  • Legitimate process executing abnormal code paths
  • RWX memory pages in user processes
  • Unexpected thread creation
  • DLLs loaded from temp or user directories
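As an added illustration that is not part of the original article, the following Python triages a constructed batch of Sysmon-style events against the host-based indicators above and the general injection steps (a handle with write and thread rights, then a remote thread). The Sysmon event IDs (1 ProcessCreate, 7 ImageLoad, 8 CreateRemoteThread, 10 ProcessAccess) and the PROCESS_* access-right values are the documented ones; the sample events, rule names and directory lists are constructed for the example.

```python
import ntpath

# Documented Win32 process access rights; together they allow the classic
# allocate -> write -> create-thread sequence in another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "notepad.exe"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\")   # lower-case path fragments

def base(path):
    """Lower-case file name of a Windows path (ntpath parses backslashes on any host)."""
    return ntpath.basename(path).lower()

def check_event(ev):
    """Return the name of the matching heuristic, or None if the event looks benign."""
    eid = ev["id"]   # Sysmon IDs: 1 ProcessCreate, 7 ImageLoad, 8 CreateRemoteThread, 10 ProcessAccess
    if eid == 1 and base(ev["parent"]) in OFFICE_APPS and base(ev["image"]) in SYSTEM_BINARIES:
        return "suspicious_parent_child"            # e.g. Word -> svchost.exe
    if eid == 10 and (ev["granted"] & INJECT_RIGHTS) == INJECT_RIGHTS \
            and base(ev["source"]) != base(ev["target"]):
        return "handle_with_injection_rights"       # step 2: handle with write + thread rights
    if eid == 8 and base(ev["source"]) != base(ev["target"]):
        return "remote_thread_creation"             # step 5: thread started in another process
    if eid == 7 and any(d in ev["loaded"].lower() for d in USER_WRITABLE):
        return "dll_from_user_directory"            # DLL loaded from temp/user directories
    return None

def triage(events):
    """(event id, rule) for every event that trips a heuristic, in input order."""
    return [(ev["id"], rule) for ev in events if (rule := check_event(ev))]

SAMPLE_EVENTS = [   # constructed Sysmon-style records, not real telemetry
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 10, "source": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Windows\explorer.exe", "granted": 0x1FFFFF},   # PROCESS_ALL_ACCESS
    {"id": 10, "source": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Windows\explorer.exe", "granted": 0x1000},     # QUERY_LIMITED_INFORMATION only
    {"id": 8, "source": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"id": 7, "image": r"C:\Windows\explorer.exe", "loaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe", "loaded": r"C:\Windows\System32\shell32.dll"},
]

if __name__ == "__main__":
    for eid, rule in triage(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

The Task Manager handle and the shell32.dll load are left unflagged on purpose: the rules key on the combination of rights, cross-process action and load location, not on ProcessAccess or ImageLoad events as such.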

Memory IOCs

  • Unbacked memory regions
  • Executable memory not linked to files
  • Mismatched PE headers
  • Hollowed process sections
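Added example, not from the original article: a heuristic pass over a constructed list of memory regions that flags the memory indicators listed above (RWX private pages, executable memory with no backing image, a PE header outside an image mapping, and an image whose header no longer matches the file on disk, as after hollowing or image replacement). The PAGE_* and MEM_* values are the documented Win32 MEMORY_BASIC_INFORMATION constants; the Region record and the sample regions are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Documented Win32 constants from MEMORY_BASIC_INFORMATION (Protect / Type fields).
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

@dataclass
class Region:                          # constructed record shape, not a Windows API type
    base: int
    size: int
    protect: int
    mem_type: int
    mapped_file: Optional[str]         # None when the region is not file-backed
    head: bytes                        # first bytes of the region in memory
    disk_head: Optional[bytes] = None  # first bytes of mapped_file on disk, if known

def region_findings(r):
    """Names of the memory IOCs a single region exhibits (empty list = nothing odd)."""
    exec_page = (r.protect & 0xFF) in EXECUTABLE_PROTECTIONS   # mask off PAGE_GUARD / PAGE_NOCACHE
    out = []
    if (r.protect & 0xFF) == PAGE_EXECUTE_READWRITE and r.mem_type == MEM_PRIVATE:
        out.append("rwx_private")              # RWX pages in a user process
    if exec_page and r.mem_type != MEM_IMAGE:
        out.append("unbacked_executable")      # executable memory not linked to an image file
    if r.head.startswith(b"MZ") and r.mem_type != MEM_IMAGE:
        out.append("pe_header_outside_image")  # manually mapped / reflective PE
    if r.mem_type == MEM_IMAGE and r.disk_head is not None \
            and r.head[:len(r.disk_head)] != r.disk_head:
        out.append("image_disk_mismatch")      # hollowed or replaced image section
    return out

def scan(regions):
    """Map region base address -> findings, for flagged regions only."""
    return {r.base: f for r in regions if (f := region_findings(r))}

SAMPLE_REGIONS = [   # constructed, not from a real process dump
    Region(0x7FF600000000, 0x1000, 0x02, MEM_IMAGE, r"C:\Windows\notepad.exe", b"MZ\x90\x00", b"MZ\x90\x00"),
    Region(0x7FF600001000, 0x3000, 0x20, MEM_IMAGE, r"C:\Windows\notepad.exe", b"\x48\x89\x5c", b"\x48\x89\x5c"),
    Region(0x1F000000, 0x10000, 0x40, MEM_PRIVATE, None, b"\xfc\x48\x83\xe4"),
    Region(0x20000000, 0x40000, 0x20, MEM_PRIVATE, None, b"MZ\x90\x00"),
    Region(0x7FF700000000, 0x1000, 0x02, MEM_IMAGE, r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00", b"MZ\x00\x00"),
]

if __name__ == "__main__":
    for addr, findings in scan(SAMPLE_REGIONS).items():
        print(hex(addr), ", ".join(findings))
```

Legitimate JIT engines also produce private executable memory, so in practice the "unbacked_executable" finding is a triage lead to combine with the process identity and the host-based indicators, not a verdict on its own.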

Network IOCs

  • Trusted processes making outbound C2 traffic
  • Encrypted traffic from unexpected binaries
  • DNS anomalies

Incident Response (IR) for Process Injection


1. Identification

  • EDR alerts (memory injection, suspicious API use)
  • Behavioral anomalies
  • Unusual child processes

2. Containment

  • Isolate affected endpoint
  • Kill injected process (if safe)
  • Block associated network traffic
  • Disable compromised credentials

3. Eradication

  • Memory dump analysis
  • Remove persistence mechanisms
  • Patch exploited vulnerabilities
  • Remove malicious DLLs or loaders

4. Recovery

  • Restore clean system state
  • Reset credentials
  • Re-enable services
  • Monitor for reinfection

5. Lessons Learned

  • Improve EDR detection rules
  • Enable memory protection (AMSI, ASR rules)
  • Harden endpoint privilege policies
  • Train users on phishing vectors

Defensive Controls Against Process Injection

  • EDR with behavior-based detection
  • Disable unneeded Office macros
  • Enable Attack Surface Reduction (ASR) rules
  • Enforce least privilege
  • Monitor API abuse patterns
  • Enable Credential Guard / Exploit Guard

Summary

Area          Key Points
Purpose       Stealthy execution & evasion
Techniques    DLL, Shellcode, Hollowing, APC, AtomBombing
Detection     Memory analysis, behavior anomalies
IR Focus      Containment, memory forensics
Defense       EDR, ASR, least privilege