Prior to network infiltration, threat actors must first obtain a foothold within an organization's network perimeter. This is often done via phishing, vulnerable external network infrastructure, physical access, and, in extremely rare cases, zero-day exploits.

After an attacker is able to execute code on a machine, due to a vulnerability for example, the attacker may then be interested in some form of process injection.

Why Inject into a Process?

Before we dive into a specific technique of process injection (process hollowing), let us first understand the general need for process injection. If the attacker can already execute code on a machine, why inject into another process, particularly since the attacker is likely executing from the context of some process already? There are multiple reasons for this; the following motives are relevant to modern threats.

Often, due to sophisticated memory corruption exploits, the compromised process that the attacker is running under becomes unstable after exploitation. If the process the attacker is executing code from crashes, the attacker's control over the host is lost. Therefore, in order to maintain a foothold on the target system, the attacker may choose to inject malicious code into a new or existing process to make that foothold more stable. This is also known as "process migration" and is a built-in technique in various remote access tools (RATs) and popular penetration testing frameworks such as Metasploit (meterpreter).

As attackers have become more sophisticated, so have defenders. Blue teams will often look for indicators of compromise (IOCs) on a system that follow certain trends. For example, if Microsoft Excel spawns a command prompt, a blue team analyst may observe this as suspicious behavior and investigate further. This may ultimately cost the attacker the obtained foothold and lead to much-increased alertness within the organization's blue team.

Access.

This makes further attacks and exploitation more difficult.
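The Excel-spawns-a-command-prompt trend mentioned above is exactly the kind of parent/child anomaly a blue team can codify. The following is an added example, not code from the original page: it parses constructed Sysmon-style process-creation records (a hypothetical `key=value|...` line format) and flags Office applications launching shells or script hosts.

```python
"""Flag suspicious parent/child process pairs (e.g. Excel spawning cmd.exe)
from constructed Sysmon-style process-creation records."""
from dataclasses import dataclass

# Office parents that rarely have a legitimate reason to spawn a shell.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children whose appearance under an Office parent warrants investigation.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one hypothetical 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(int(fields["ProcessId"]), fields["Image"],
                        fields["ParentImage"], fields.get("CommandLine", ""))


def is_suspicious_spawn(evt: ProcessEvent) -> bool:
    """True when an Office process launches a shell or script host."""
    return (_basename(evt.parent_image) in OFFICE_PARENTS
            and _basename(evt.image) in SHELL_CHILDREN)


def find_suspicious(lines) -> list:
    """Return the events in `lines` that match the Office-to-shell pattern."""
    return [e for e in map(parse_event, lines) if is_suspicious_spawn(e)]


# Constructed sample records; only the first and third should be flagged.
SAMPLE_EVENTS = [
    r"ProcessId=4120|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=cmd.exe",
    r"ProcessId=4130|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe",
    r"ProcessId=4140|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=powershell.exe",
    r"ProcessId=4150|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe",
]

if __name__ == "__main__":
    for evt in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={evt.pid}: {_basename(evt.parent_image)} -> {_basename(evt.image)}")
```

Real deployments would read the Sysmon Event ID 1 fields from the event log or a SIEM rather than this constructed line format, but the parent/child logic is the same.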