Why do adversaries use Process Injection?

Note: Process Injection comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques.

Process Injection is a versatile technique that adversaries leverage to perform a wide range of malicious activity. It's so versatile that ATT&CK includes 14 sub-techniques of Process Injection. Adversaries perform process injection because it allows them to execute malicious activity by proxy through processes that either have information of value (e.g., lsass.exe) or that blend in with benign operating system activity. In addition to being stealthy, code can inherit the privilege level of the process it's injected into and gain access to parts of the operating system that shouldn't be otherwise available.

For example, you may be able to build a high-fidelity detection analytic that triggers any time PowerShell makes an external network connection.

Another added benefit of process injection is that it allows payloads to be launched within the memory space of a running process without needing to drop any malicious code to disk.
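The analytic described above, PowerShell making an external network connection, can be expressed as a small rule over endpoint telemetry. The following is an added example, not code from the report or from any detection product: it runs over constructed events shaped loosely like Sysmon Event ID 3 (network connection) records, treats RFC 1918, loopback, link-local and multicast ranges as internal (an organisation would substitute its own address plan), and flags only connections that a PowerShell host process initiated toward an address outside those ranges. The field names, the sample addresses (documentation ranges standing in for Internet hosts) and the list of PowerShell image names are assumptions made for the example.

```python
import ipaddress
import ntpath

# Networks treated as internal for this rule (assumed; replace with your own
# address plan). A destination outside all of them counts as external.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
        "127.0.0.0/8", "::1/128",                          # loopback
        "169.254.0.0/16", "fe80::/10",                     # link-local
        "224.0.0.0/4", "ff00::/8",                         # multicast
        "fc00::/7",                                        # IPv6 unique local
    )
]

# Image names counted as PowerShell hosts for this rule (assumed list).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_external(ip_text: str) -> bool:
    """True when the destination lies outside every internal network.

    An unparseable address is treated as external so the event surfaces for
    review instead of being dropped silently by the rule.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    # Membership across address families returns False, so mixing v4/v6 is safe.
    return not any(ip in net for net in INTERNAL_NETWORKS)


def is_powershell(image_path: str) -> bool:
    """Match on the executable name only, regardless of install directory or case."""
    return ntpath.basename(image_path).lower() in POWERSHELL_IMAGES


def detect_powershell_external_connections(events):
    """Return the events where a PowerShell host initiated a connection to an external address.

    Inbound connections (Initiated == False) are ignored: the analytic is about
    PowerShell reaching out, not about something connecting to a listener.
    """
    return [
        e for e in events
        if e.get("Initiated", True)
        and is_powershell(e.get("Image", ""))
        and is_external(e.get("DestinationIp", ""))
    ]


# Constructed sample events, loosely shaped like Sysmon Event ID 3 fields.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
# standing in for arbitrary Internet hosts.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445, "Initiated": True},      # internal file share
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.25", "DestinationPort": 443, "Initiated": True},  # external: alert
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": True},  # not PowerShell
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 8080, "Initiated": True},   # external: alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 5985, "Initiated": True},    # loopback
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443, "Initiated": False}, # inbound, ignored
]


if __name__ == "__main__":
    for hit in detect_powershell_external_connections(SAMPLE_EVENTS):
        print(f"ALERT {ntpath.basename(hit['Image'])} -> "
              f"{hit['DestinationIp']}:{hit['DestinationPort']}")
```

Against the constructed events the rule raises two alerts (the powershell.exe and pwsh.exe connections to documentation-range addresses) and stays quiet on the internal, loopback, non-PowerShell and inbound records. In practice the fidelity of this analytic depends on tuning the internal network list and suppressing known management traffic (for instance update or remoting endpoints) that legitimately involves PowerShell.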