In this article, we will explain what the process injection technique is and how it can be detected with Sysmon.
Put simply, process injection is a technique in which one process runs code inside the address space of another process. Attackers and malware use it heavily: the injected code inherits the identity, privileges and reputation of a legitimate process, which helps it evade detection and so raises the odds that the attack succeeds.
Before explaining how to detect process injection, let's look at how it is performed.
There are many ways to inject into a process, ranging from classic DLL injection to writing position-independent shellcode straight into the target's memory. Most of the classic methods end the same way: the injecting process starts a new thread inside the target, and that is the step a monitoring tool can see.
If you want to practice after reading this article, you can use our blue team lab for free.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon records many different event types, each with its own Event ID. The one that matters here is Event ID 8, CreateRemoteThread, which Sysmon writes whenever a process creates a thread in a different process. The event records the source image, the target image and where the new thread starts executing (StartAddress, StartModule and StartFunction). Keep its scope in mind: Event ID 8 is only generated when a new thread is created in a remote process, whichever API requests it. Injection variants that hijack an existing thread or queue an APC do not create a thread and will not produce it, so pair it with Event ID 10 (ProcessAccess) for handles opened with write or create-thread rights. A default Sysmon installation logs Event ID 8; if you deploy a custom configuration, check that its CreateRemoteThread rule does not filter the event away.
Let's examine how we can detect Process Injection technique with Sysmon Events.
We can use InjectProc to simulate process injection. InjectProc is an open-source project created for exactly this purpose, and it ships with a test DLL you can inject.
You can download InjectProc's executable from here. Let's inject the test DLL into the "winrar.exe" process with the command below. WinRAR must already be running, since InjectProc opens a handle to a live target process.
InjectProc.exe dll_inj malicious.dll winrar.exe
When the DLL is injected successfully, the test DLL displays the message box shown in the image above, confirming that its code is now running inside the WinRAR process.
Now let's find the injection we just simulated in the Sysmon events. Sysmon writes to its own log channel, which you can open with the "Event Viewer" tool at the location below.
"Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"
Filtering the log for Event ID 8, the injection is caught. Look at the event's fields: SourceImage is the injector (here InjectProc.exe), TargetImage is the victim (here winrar.exe), and for classic DLL injection StartModule and StartFunction resolve to LoadLibraryA or LoadLibraryW in kernel32.dll, because the remote thread is started on LoadLibrary so that the target loads the attacker's DLL itself.
You can detect process injection in your SIEM by alerting on this event. In practice Event ID 8 also fires for legitimate software (debuggers, some security agents, parts of Windows itself), so maintain an allowlist of known source images and raise the severity when StartFunction is LoadLibrary or when the thread's start address is not backed by any loaded module.
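As an added example that is not part of the original article, InjectProc or Sysmon, here is the kind of logic such a SIEM rule or triage script would run over Sysmon Event ID 8 records. It assumes the events have been exported as XML (the Get-WinEvent command in the docstring does that on the monitored host); the sample events, their paths, PIDs and timestamps, and the allowlisted EDR agent path are all constructed for this example.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for process injection.

Added example for this article, not code from InjectProc or Sysmon. It works on
the XML form of Sysmon events, which you can export on the monitored host with:
  Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational `
      -FilterXPath "*[System[EventID=8]]" | ForEach-Object { $_.ToXml() }
The sample events at the bottom are constructed for this example (hypothetical
paths, PIDs and times) but use the field names Sysmon writes for Event ID 8.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sources that legitimately create threads in other processes (debuggers, some
# security agents). The entry below is a hypothetical EDR agent; tune to your fleet.
ALLOWED_SOURCES = {r"c:\program files\exampleedr\edr_agent.exe"}


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def classify(data):
    """Label an Event ID 8 record by where the remote thread starts executing."""
    if data.get("StartFunction", "") in ("LoadLibraryA", "LoadLibraryW"):
        # Classic DLL injection: the remote thread's entry point is LoadLibrary,
        # so the target process loads the attacker's DLL itself.
        return "dll-injection"
    if data.get("StartModule", "") in ("", "-"):
        # Entry point is not inside any loaded module: injected shellcode or a
        # manually mapped image.
        return "unbacked-thread-start"
    return "remote-thread"


def triage(xml_events):
    """Return one finding per Event ID 8 record whose source is not allowlisted."""
    findings = []
    for xml_text in xml_events:
        event_id, d = parse_event(xml_text)
        if event_id != 8:            # only CreateRemoteThread events matter here
            continue
        if d["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        findings.append({
            "time": d["UtcTime"],
            "source": PureWindowsPath(d["SourceImage"]).name,
            "source_pid": int(d["SourceProcessId"]),
            "target": PureWindowsPath(d["TargetImage"]).name,
            "target_pid": int(d["TargetProcessId"]),
            "kind": classify(d),
        })
    return findings


def _event(event_id, **fields):
    """Build one constructed event in the XML layout Sysmon writes."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
            f"</System><EventData>{data}</EventData></Event>")


# Constructed sample: the InjectProc run from the article, a benign agent, an
# unknown binary starting an unbacked thread in explorer.exe, and a non-EID-8 event.
SAMPLE_EVENTS = [
    _event(8, RuleName="-", UtcTime="2021-03-01 10:15:02.113",
           SourceProcessId=4212, SourceImage=r"C:\Users\lab\Desktop\InjectProc.exe",
           TargetProcessId=6032, TargetImage=r"C:\Program Files\WinRAR\WinRAR.exe",
           NewThreadId=6140, StartAddress="0x00007FFB2A1E1F40",
           StartModule=r"C:\Windows\System32\KERNEL32.DLL", StartFunction="LoadLibraryA"),
    _event(8, RuleName="-", UtcTime="2021-03-01 10:15:30.004",
           SourceProcessId=1380, SourceImage=r"C:\Program Files\ExampleEDR\edr_agent.exe",
           TargetProcessId=6032, TargetImage=r"C:\Program Files\WinRAR\WinRAR.exe",
           NewThreadId=6188, StartAddress="0x00007FFB2A1E1F40",
           StartModule=r"C:\Windows\System32\KERNEL32.DLL", StartFunction="LoadLibraryA"),
    _event(8, RuleName="-", UtcTime="2021-03-01 10:16:11.771",
           SourceProcessId=5520, SourceImage=r"C:\Users\lab\AppData\Local\Temp\update_helper.exe",
           TargetProcessId=3924, TargetImage=r"C:\Windows\explorer.exe",
           NewThreadId=5600, StartAddress="0x000001F4A2C10000",
           StartModule="-", StartFunction="-"),
    _event(1, UtcTime="2021-03-01 10:16:40.002", ProcessId=7004,
           Image=r"C:\Windows\System32\notepad.exe", CommandLine="notepad.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['source']} ({f['source_pid']}) -> "
              f"{f['target']} ({f['target_pid']}): {f['kind']}")
```

Running the script on the constructed sample reports the InjectProc to WinRAR event as DLL injection and the unknown Temp binary as an unbacked thread start, drops the allowlisted agent, and ignores the ProcessCreate event. The allowlist is keyed on the full lowercase source path rather than the file name so that a renamed copy of a trusted binary dropped in a user directory does not inherit the exemption.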
Cover photo: Sébastien Thibault