🛠️ Process injection

This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the category name. Wanna help? Please reach out to me: @_nwodtuhs

Theory

Instead of simply executing the shellcode, it has become common to find tricks to hide its active load. The classic schema looks like this:

// encrypt the shellcode 
 encrypt(ciphered, SHELLCODE, SHELLCODE_LENGTH, KEY);
// decrypt + handoff 
 decrypt(deciphered, ciphered, SHELLCODE_LENGTH, KEY); 
 handoff(deciphered, SHELLCODE_LENGTH);

After the malicious code is injected into a legitimate process, attackers also can access legitimate processes' resources such as process memory, system/network resources, and elevated privileges
picussecurity.com

Practice

Process injection exists in many forms, often based on legitimate services.

The techniques mainly used are :

Resources

all these methods and many others are also described in Ired's article : https://www.ired.team/offensive-security/code-injection-process-injection

https://www.cyberbit.com/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

🛠️ Process injection

Theory

Practice

Resources

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

🛠️ Process injection ​

Theory ​

Practice ​

Resources ​

🛠️ Process injection

Theory

Practice

Resources