Windows Defender Advanced Threat Protection (Windows Defender ATP) is a post-breach solution that alerts security operations (SecOps) personnel about hostile activity. As the nature of attacks evolves, Windows Defender ATP must advance so that it continues to help SecOps personnel uncover and address those attacks.
With increasing security investments from Microsoft (read how Windows 10 continues to raise the bar against a spectrum of attacks) and other vendors, the cost and complexity of delivering a successful exploit have risen. For example, the trend towards sandboxing and virtualization-based security forces attacks to chain at least two exploits: one to compromise the sandboxed application and another to break out of the sandbox. We are now seeing exploit developers charge hundreds of thousands of dollars for remote code execution and kernel exploits, pricing some attackers out of the market.
Unfortunately, advanced and apex attackers (see Figure 1) can still afford to develop or purchase zero-day exploits. To protect that investment, these attackers put more emphasis on evading detection. They rely heavily on in-memory attacks and kernel privilege escalation so that they never have to write a payload to disk, which keeps them extremely stealthy.
Figure 1. Attacker proficiency and associated techniques
This blog post kicks off a three-part series showcasing the investments made by Microsoft to enhance instrumentation and detection of in-memory techniques. The series covers detection improvements for cross-process code injection, kernel escalation and tampering, and in-memory exploitation. In this first post, we focus on cross-process injection and illustrate how enhancements that will be available in the Creators Update for Windows Defender ATP detect a broad set of attack activity: from commodity malware that attempts to hide in plain sight to sophisticated activity groups that engage in targeted attacks.
Cross-process injection for stealth and persistence
Cross-process injection gives an attacker more visibility into normal processes. For example, code injected into a process can record the keystrokes that process receives. At the same time, the technique hides malicious code and enables process migration, which an attacker can use to persist inside an enterprise.
Cross-process injection is inherently stealthy because it conceals malicious code inside benign processes. Even after a process has been injected with malicious code, its loaded images (the executable and library files associated with the process) continue to point to legitimate files on disk, as shown in Figure 2; the injected code lives in memory that no file backs. This is a clear advantage over running malicious code in its own process, which requires the code to exist on disk as an image file that antimalware can inspect and that is easily recovered as forensic evidence.
Figure 2. Loaded images of rundll32.exe appear normal even when injected with malware code
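The observation above (legitimate loaded images, malicious code in memory that no image backs) is exactly what a memory-map triage looks for: executable regions that are private or come from an unnamed section rather than from a file on disk, and image pages that have been made writable. The following is an added example, not code from the original post or from Windows Defender ATP. The `Region` records are a constructed stand-in for what `VirtualQueryEx` returns for a process; the protection and type constants are the real `winnt.h` values, and the addresses and paths are made up to resemble the rundll32.exe case in Figure 2.

```python
"""Triage a process memory map for executable regions that no loaded image backs.

Added example (not from the original post). Regions are constructed input that
mirrors VirtualQueryEx output; constants are the real winnt.h values.
"""
from dataclasses import dataclass

# Page protection flags (winnt.h)
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_READWRITE = 0x04
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_EXECUTABLE = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Region types (winnt.h)
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: int
    type: int
    mapped_path: str = ""  # file backing the region; empty for private/unnamed memory


def classify(region):
    """Return a reason the region deserves analyst attention, or None if it looks routine."""
    if not region.protect & EXECUTABLE:
        return None  # heaps, stacks, data: not where injected code runs
    if region.type == MEM_IMAGE:
        # Image code is normally PAGE_EXECUTE_READ. Writable+executable image pages
        # suggest VirtualProtectEx was used to overwrite code in place.
        if region.protect & WRITABLE_EXECUTABLE:
            return f"writable executable page inside image {region.mapped_path}"
        return None
    if region.type == MEM_MAPPED and region.mapped_path:
        return None  # executable view of a named file: file-backed, low priority
    # Executable memory with no file behind it: VirtualAllocEx or an unnamed section.
    # This is where CreateRemoteThread/APC/SetThreadContext injection lands.
    return "executable memory not backed by any file on disk"


def triage(regions):
    """List (base address, reason) for every suspicious region in the map."""
    return [(hex(r.base), reason) for r in regions if (reason := classify(r)) is not None]


# Constructed memory map loosely modeled on an injected rundll32.exe (not a real capture).
SAMPLE_MAP = [
    Region(0x7FF6A0B00000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\Windows\System32\rundll32.exe"),
    Region(0x7FFC11E00000, 0x1F000, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\Windows\System32\ntdll.dll"),
    Region(0x000001D2A4C0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE),            # heap
    Region(0x000001D2A8E0000, 0x4000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),     # injected payload
    Region(0x000001D2AA00000, 0x2000, PAGE_EXECUTE_READ, MEM_MAPPED),           # unnamed section view
]

if __name__ == "__main__":
    for base, reason in triage(SAMPLE_MAP):
        print(base, reason)
```

On a live system the same logic runs over `VirtualQueryEx` results (or a memory dump); expect legitimate hits from JIT runtimes such as the .NET CLR and browser JavaScript engines, which allocate private executable memory by design, so treat the output as a triage list to be filtered by process identity rather than as an alert on its own.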
By enabling process migration, cross-process injection allows attacks to stay active. In a drive-by download attack, for instance, an attacker can gain control of the browser process and escape its sandbox. To keep malicious code running beyond the lifetime of the browser, which may be closed at any time, the attacker migrates the code into a long-lived process such as winlogon.exe using cross-process injection. The risk remains that a user powers down the machine and erases the in-memory malware, but an apex attacker overcomes this by staying active on multiple devices in the enterprise network. If one device is restarted and the malicious code erased, the attacker can simply move laterally back to that device.
Digging deeper into cross-process injection
Cross-process injection is a two-stage process.
First, malicious code is placed into a new or existing executable page in a remote process. Attackers typically open a handle to the target and use the Win32 APIs VirtualAllocEx or CreateFileMapping/MapViewOfSection to allocate new executable pages, then copy the code in with WriteProcessMemory. Alternatively, they use VirtualProtectEx to make existing pages both writable and executable before overwriting them.
Second, the injected code is executed by taking control of a thread and its execution context. In many notable cases attackers call CreateRemoteThread to start a new thread in the remote process at the injected address. Alternatively, they hijack an existing thread: SetThreadContext rewrites the instruction pointer of a (suspended) thread, and QueueUserAPC queues an asynchronous procedure call that runs the injected code the next time the target thread enters an alertable wait.
While there are legitimate uses for these APIs (debugging, diagnostics, management, and security tools all rely on them), particular combinations of process names and execution behaviors often indicate malicious activity. For the technically inclined, process hollowing (described by Tan Chew Keong in his paper "Dynamic Forking of Win32 EXE") and AtomBombing are good examples of such malicious combinations.
Instrumentation and detection in Windows Defender ATP
In Creators Update for Windows Defender ATP, we have instrumented the related function calls and built statistical models to detect a broad range of malicious injection techniques used in the wild. To determine how effectively these enhancements uncover hostile activity that leverages cross-process injection, we tested them against three real-world cases: a targeted attack, a remote access tool (RAT), and cryptocurrency mining malware.
Targeted attack by GOLD
GOLD is an activity group that primarily seeks out intellectual property and other valuable digital assets. This activity group has an interesting way of obtaining a foothold in enterprise networks. Instead of actively pursuing targets through spear-phishing, GOLD uses established distribution sites for license-key generators (keygens) to infect a wide array of victims—all users who download and execute keygens from the distribution sites. The group then assesses each of the victims and aggressively pursues those in certain industries.
When a user launches a keygen package downloaded from a website operated by GOLD, the package drops two executables: the actual keygen and the Gatak malware implant. Gatak then injects itself into one of many legitimate system processes using the CreateRemoteThread API. The sample we tested launches rundll32.exe, allocates memory in that process, writes malicious code to the allocation, and executes it with CreateRemoteThread. Once the injection succeeds, Gatak deletes itself from disk, going fileless. Meanwhile, the code injected into rundll32.exe communicates with command-and-control (C&C) servers, giving GOLD attackers control over the infected device.
With Creators Update, Windows Defender ATP will uncover breaches involving Gatak by detecting its cross-process injection technique, among other detection mechanisms it can use. Figure 3 shows the alert on the Windows Defender ATP Creators Update portal.
Figure 3. Detection of Gatak malware implant injecting into rundll32.exe
Fynloski remote access tool
The second piece of malicious activity we used to test our new cross-process injection detections is a variant of the Fynloski remote access tool (RAT). This RAT was freely available until 2012 and is still used in multiple attack campaigns today. It provides a broad set of functionality, including capturing screenshots, exfiltrating files, and recording keystrokes. It is distributed through several vectors, including spear-phishing, downloaders, and exploit kits.
Instead of the more common CreateRemoteThread technique described above, Fynloski uses the QueueUserAPC API to hide its presence. QueueUserAPC queues a user-mode asynchronous procedure call to a specific thread; the routine runs the next time that thread enters an alertable wait state. Attackers inject code cross-process by placing it in the target process and then queuing an APC whose routine address points at that code.
With Creators Update, Windows Defender ATP will detect these API calls and display an alert with a timeline that outlines this behavior, as shown in Figure 4.
Figure 4. Fynloski RAT injecting into notepad.exe
Commodity malware for cryptocurrency mining
Commodity malware uses cross-process injection for the same reason targeted attackers do: it needs to remain hidden long enough to accomplish its objectives.
For this test we examined CoinMiner, which steals computing resources to mine cryptocurrencies such as Monero. It uses the SetThreadContext API for cross-process injection, copying its code into executable memory it allocates in the target much like the CreateRemoteThread technique. To run that code it first enumerates the target's existing threads with the CreateToolhelp32Snapshot API, then suspends one of them and uses SetThreadContext to rewrite the thread's saved register state so that the instruction pointer points at the injected code; resuming the thread executes the payload.
Our sample of CoinMiner launches notepad.exe and injects its mining code into that process. The affected notepad.exe process then connects to a Monero mining pool (xmr[.]crypto-pool[.]fr) to submit mining work. Windows Defender ATP, as shown in Figure 5, will detect the injection technique and provide important context, such as the connection to the mining pool, to help SecOps personnel understand and address the infection.
Figure 5. Event timeline view of CoinMiner infection
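The three cases above are instances of the two-stage pattern described in "Digging deeper into cross-process injection": a placement call (allocate, map, re-protect, or write) into another process, followed by an execution-control call (CreateRemoteThread, QueueUserAPC, or SetThreadContext) into that same process. The following is an added example of correlating per-process API telemetry into alerts on that pattern; it is not code from the original post or from Windows Defender ATP, and it does not reproduce the statistical models the post refers to. The `ApiEvent` records, process names such as `keygen.exe` and `coinminer.exe`, and PIDs are all constructed to resemble the three cases rather than taken from real captures.

```python
"""Correlate Win32 API telemetry into cross-process injection alerts.

Added example (not from the original post or from Windows Defender ATP).
ApiEvent records are a constructed stand-in for endpoint sensor telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass

# Stage 1: calls that place code in a remote process (allocate, map, re-protect, write).
PLACEMENT_APIS = {"VirtualAllocEx", "MapViewOfSection", "VirtualProtectEx", "WriteProcessMemory"}
# Stage 2: calls that hand control to the injected code.
EXECUTION_APIS = {"CreateRemoteThread", "QueueUserAPC", "SetThreadContext"}


@dataclass(frozen=True)
class ApiEvent:
    ts: float          # seconds since boot
    pid: int           # calling process
    image: str         # calling process image name
    api: str
    target_pid: int    # process the handle passed to the API refers to
    target_image: str


def detect_injections(events, window=60.0):
    """Return one alert per (caller, target) pair in which one or more stage-1 calls
    are followed by a stage-2 call into a *different* process within `window` seconds."""
    pending = defaultdict(list)  # (pid, target_pid) -> stage-1 events not yet consumed
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.target_pid == ev.pid:
            continue  # self-directed calls (JITs, loaders, exception handling) are routine
        key = (ev.pid, ev.target_pid)
        if ev.api in PLACEMENT_APIS:
            pending[key].append(ev)
        elif ev.api in EXECUTION_APIS:
            prior = [p for p in pending.pop(key, []) if ev.ts - p.ts <= window]
            if prior:  # execution control with no prior placement is not injection by itself
                alerts.append({
                    "ts": ev.ts,
                    "source": f"{ev.image}({ev.pid})",
                    "target": f"{ev.target_image}({ev.target_pid})",
                    "technique": ev.api,
                    "placement": sorted({p.api for p in prior}),
                })
    return alerts


# Constructed telemetry modeled on the three cases in the post (not real captures).
SAMPLE_EVENTS = [
    # Gatak-style: dropper -> rundll32.exe via CreateRemoteThread
    ApiEvent(10.0, 4120, "keygen.exe", "VirtualAllocEx", 4188, "rundll32.exe"),
    ApiEvent(10.1, 4120, "keygen.exe", "WriteProcessMemory", 4188, "rundll32.exe"),
    ApiEvent(10.2, 4120, "keygen.exe", "CreateRemoteThread", 4188, "rundll32.exe"),
    # Fynloski-style: QueueUserAPC into notepad.exe
    ApiEvent(20.0, 5004, "fynloski.exe", "VirtualAllocEx", 5020, "notepad.exe"),
    ApiEvent(20.1, 5004, "fynloski.exe", "WriteProcessMemory", 5020, "notepad.exe"),
    ApiEvent(20.3, 5004, "fynloski.exe", "QueueUserAPC", 5020, "notepad.exe"),
    # CoinMiner-style: SetThreadContext on an existing notepad.exe thread
    ApiEvent(30.0, 6100, "coinminer.exe", "VirtualAllocEx", 6116, "notepad.exe"),
    ApiEvent(30.1, 6100, "coinminer.exe", "WriteProcessMemory", 6116, "notepad.exe"),
    ApiEvent(30.4, 6100, "coinminer.exe", "SetThreadContext", 6116, "notepad.exe"),
    # Benign noise: a process re-protecting its own pages, and a remote thread
    # created with no code placed first -> neither should alert
    ApiEvent(40.0, 7000, "browser.exe", "VirtualProtectEx", 7000, "browser.exe"),
    ApiEvent(41.0, 7200, "mgmtagent.exe", "CreateRemoteThread", 7400, "svchost.exe"),
]

if __name__ == "__main__":
    for alert in detect_injections(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores same-process calls and execution-control calls with no preceding placement, which removes most benign noise, but a debugger attached to another process (WriteProcessMemory followed by SetThreadContext) will still match. That is the "legitimate uses" caveat from the post: in production the caller and target image names in each alert are what you would feed into an allowlist or a scoring model, rather than alerting on the raw API sequence alone.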
Conclusion: Creators Update is ready for a mix of cross-process injection methods
Like other in-memory techniques, cross-process injection can evade antimalware and other security solutions that focus on inspecting files on disk. With Creators Update, Windows Defender ATP will give SecOps personnel additional capabilities to uncover malicious activity that leverages cross-process injection. By applying statistical models to large data sets in the cloud, these enhancements cover code injection techniques used in a variety of attacks, from commodity malware infections to sophisticated breaches.
Windows Defender ATP also provides detailed event timelines as well as other contextual information that SecOps personnel can use to quickly understand the nature of attacks and take response actions.
For more information about Windows Defender ATP, check out its features and capabilities and read about why a post-breach detection approach is a key component of any enterprise security stack. Several features planned for release with Creators Update are currently available to all users as part of the public preview.
Windows Defender ATP is built into the core of Windows 10 Enterprise and can be evaluated free of charge.
Indicators of compromise (SHA-1):
- Gatak – 137d6fdc9ca730304a2154174058144f4e909824
- Fynloski – efb9a13ad450bb0381ee1cc3b90ac0266687928a
- CoinMiner – d36fa8de43956190d827c042614555c8b20c5402
Christian Seifert, Genghis Karimov, Mathieu Letourneau
Windows Defender ATP Research Team