Endpoint detection and response (EDR) systems are highly effective at detecting process injection attempts that go through the usual Windows application programming interfaces (APIs). However, the Israel-based security firm Security Joes has developed a new method called Mockingjay that performs process injection without relying on the APIs EDRs monitor. The approach leverages dynamic link libraries (DLLs) that ship with a section whose default permissions are read, write, and execute (RWX) and uses that section to place code in the address space of a running process.
The purpose of this research was to find alternative methods for executing code within the memory space of Windows processes. Security Joes aimed to discover a technique that would reduce the likelihood of detection by endpoint security mechanisms and require fewer steps to execute. Their unique approach involves leveraging a vulnerable DLL and copying code to the appropriate section, allowing for code injection without memory allocation, permission setting, or starting a thread in the targeted process.
Process injection is a technique commonly used by attackers to manipulate the memory of a process and hide malicious code. Attackers use methods like self-injection, DLL injection, and PE injection to evade detection on compromised systems. Each of these injection techniques requires specific Windows APIs, and those calls form patterns that defenders and security software can detect. EDR systems are typically tuned to monitor these APIs and can identify malicious activity associated with their use.
To develop Mockingjay, Security Joes systematically searched for DLLs within the Windows OS that contained a default RWX section. They developed a tool that walked the entire Windows file system and identified DLLs that could serve as potential vehicles for code injection without triggering an EDR alert. Through this exploration, they found a DLL (msys-2.0.dll) shipped with Visual Studio 2022 Community that has 16 KB of RWX space which could be used for injecting and executing their own code.
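A defender can run the same kind of survey to inventory which DLLs on a host carry a default RWX section. The script below is an added example, not Security Joes' tool: it parses only the PE section table (the IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE characteristics) and never loads or executes the files; the function names and the constructed minimal PE used for offline testing are assumptions of this example.

```python
import struct
from pathlib import Path

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

def parse_sections(data: bytes):
    """Return [(name, virtual_size, characteristics)] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    first = coff + 20 + opt_size                               # section headers follow it
    out = []
    for i in range(num_sections):
        hdr = data[first + 40 * i:first + 40 * (i + 1)]        # IMAGE_SECTION_HEADER is 40 bytes
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, chars = struct.unpack_from("<I", hdr, 8)[0], struct.unpack_from("<I", hdr, 36)[0]
        out.append((name, vsize, chars))
    return out

def rwx_sections(data: bytes):
    """Sections the loader maps RWX by default, i.e. an injection host needing no VirtualProtect."""
    return [(n, s) for n, s, c in parse_sections(data) if c & RWX == RWX]

def scan_tree(root: str, suffixes=(".dll",)):
    """Walk a directory tree; report {path: [(section, virtual_size)]} for files with RWX sections."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                found = rwx_sections(path.read_bytes())
            except (ValueError, struct.error, OSError):
                continue                                       # not a PE, truncated, or unreadable
            if found:
                hits[str(path)] = found
    return hits

def build_test_pe(sections):
    """Constructed minimal (non-loadable) PE carrying only the given section headers, for testing."""
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2022)
    body = b"PE\0\0" + coff + b"".join(
        struct.pack("<8sIIIIIIHHI", n, s, 0, 0, 0, 0, 0, 0, 0, c) for n, s, c in sections)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + body   # e_lfanew at 0x3C points to "PE"
```

A hit only means the loader will map that section RWX; whether any running process has actually loaded the module still has to be checked from the live process module list.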
Security Joes tested two methods for code execution using the vulnerable DLL. The first method involved directly loading the DLL into the memory space of a custom application they developed called nightmare.exe. This allowed them to inject and execute their own shellcode into the application’s memory space without relying on Windows APIs. The shellcode also removed all EDR hooks without triggering any alerts. By eliminating the dependency on Windows APIs, this technique reduces the likelihood of detection and enhances its effectiveness.
The second method involved process injection in a remote process. Security Joes identified binaries that used msys-2.0.dll for their operations, many of which were associated with GNU utilities and other applications that require POSIX emulation. For the proof-of-concept, they chose the ssh.exe process in Visual Studio 2022 Community as the target for injecting their code. In this injection method, there is no need to create a thread within the target process explicitly, as the process automatically executes the injected code.
Security Joes emphasizes that the DLL they used is just one of potentially many that could be abused for code injection. To address this threat, endpoint security tools need to go beyond monitoring specific APIs and DLLs. Behavioral analysis and machine learning techniques should be employed to identify process injection.
In conclusion, Security Joes has developed a novel method for process injection called Mockingjay, which leverages DLLs with default RWX permissions. This method reduces the likelihood of detection by endpoint security mechanisms and requires fewer steps to execute. It is crucial for security tools to adapt and use advanced techniques to identify process injection beyond monitoring specific APIs and DLLs.