Microsoft Windows allows processes to create threads remotely inside other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, whereas a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary:
- Allocate memory in the target program with VirtualAllocEx.
- Write the name of the DLL to inject into that memory with WriteProcessMemory.
- Create a new thread in the target, with its entry point set to LoadLibrary, using the API CreateRemoteThread.
This behavior can be detected by looking for thread creations across processes and resolving the entry point to determine the function name. If the function is LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Process Injection | Defense Evasion | Moderate |
| Bypass User Account Control | Privilege Escalation | Moderate |
Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted.
```
remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")
output remote_thread
```
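The same filter as runnable detection logic, added here as an example and not part of the original analytic. It models the input on Sysmon Event ID 8 (CreateRemoteThread) fields; the sample events, the trusted-agent path, and the handling of a `module!function` prefix on the resolved start function are assumptions.

```python
"""Flag remote thread creations whose entry point resolves to LoadLibraryA/W,
excluding an allowlist of source images expected to inject DLLs.
Records are modelled on Sysmon Event ID 8; the sample events are constructed."""
from dataclasses import dataclass

LOADLIBRARY_ENTRY_POINTS = {"LoadLibraryA", "LoadLibraryW"}

# Hypothetical allowlist of source images that legitimately inject DLLs
# (e.g. a host-based security agent). Stored lower-case because Windows
# paths are case-insensitive and tools normalise them differently.
TRUSTED_SOURCE_IMAGES = {
    r"c:\program files\trustedvendor\agent.exe",
}

@dataclass
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_function: str   # resolved from StartAddress; may be "" if unresolved
    start_module: str

def is_loadlibrary_injection(ev: RemoteThreadEvent) -> bool:
    """True when the thread starts at LoadLibraryA/W and the source process
    is not on the allowlist."""
    # Assumption: some tools render the function as "kernel32.dll!LoadLibraryW".
    func = ev.start_function.rsplit("!", 1)[-1]
    if func not in LOADLIBRARY_ENTRY_POINTS:
        return False
    return ev.source_image.lower() not in TRUSTED_SOURCE_IMAGES

def find_injections(events):
    """Return the subset of events the analytic would output."""
    return [ev for ev in events if is_loadlibrary_injection(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    RemoteThreadEvent(r"C:\Users\u\Downloads\loader.exe", r"C:\Windows\explorer.exe",
                      "kernel32.dll!LoadLibraryW", r"C:\Windows\System32\kernel32.dll"),
    RemoteThreadEvent(r"C:\Program Files\TrustedVendor\agent.exe", r"C:\Windows\explorer.exe",
                      "LoadLibraryA", r"C:\Windows\System32\kernel32.dll"),
    RemoteThreadEvent(r"C:\Windows\System32\csrss.exe", r"C:\Windows\notepad.exe",
                      "ntdll.dll!RtlUserThreadStart", r"C:\Windows\System32\ntdll.dll"),
]

if __name__ == "__main__":
    for ev in find_injections(SAMPLE_EVENTS):
        print(f"LoadLibrary remote thread: {ev.source_image} -> {ev.target_image}")
```

Only the first sample event is reported: the trusted agent is allowlisted and the csrss.exe thread does not start at LoadLibrary.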
Data Model References