From Process Injection to Function Hijacking

Process injection is a widespread defense evasion technique often used in malware development, and consist into writing (injecting) code within the address space of a remote process.

With the advent of AI/ML models in the detection engineering field, a lot of commonly used TTPs are now “easier” to detect, even automatically. In this context, the workflow presented may be ultimately converted into a behaviour, which could be detected by a model.

The main question we would like to answer is whether we really need to fall into this behavioural pattern, or there is another way. In the following sections, we’ll discuss one of the (potentially) many techniques that fall outside this behavioural pattern, and we’ll also discuss what it is, how to implement it, and what are the main advantages and drawbacks of this process injection technique.

This post was created with our nice and easy submission form. Create your post!

What do you think?

Posted by SH

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Active Directory Domain Privilege Escalation (CVE-2022–2692)

Exploiting a Use-After-Free for code execution in every version