{ "id": "f0090da4-5ded-4942-9150-74b75f9b7c73", "created_at": "2026-04-06T00:08:36.910178Z", "updated_at": "2026-04-10T13:11:56.794034Z", "deleted_at": null, "sha1_hash": "a71158f89b3cfa1105b9604881f8a163bc9e4593", "title": "ATT\u0026CK® Deep Dive: Process Injection - Red Canary", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43075, "plain_text": "ATT\u0026CK® Deep Dive: Process Injection - Red Canary\r\nBy Share\r\nArchived: 2026-04-05 12:57:13 UTC\r\nWHY FOCUS ON PROCESS INJECTION?\r\nProcess Injection encompasses a wide array of malicious behaviors that offer adversaries an inconspicuous\r\nmethod of evading defensive controls, elevating their privilege level, or otherwise executing arbitrary code. It’s so\r\nbroad that in the next ATT\u0026CK release, MITRE is recategorizing the technique into 11 sub-techniques.\r\nAs such, this is the perfect time for an in-depth, technical conversation exploring the ways that adversaries\r\nleverage Process Injection, what malicious process injection looks like, and how you can detect it.\r\nSee highlight clips from the Process Injection webinar.\r\n01:25 Panelist Introduction\r\n02:10 What Red Canary Does\r\n02:35 Process Injection Definition\r\n02:48  “Process injection is a way of running arbitrary code in another process’s memory space.” – Adam\r\n03:30 Why Leverage Process Injection\r\n03:50  “It can be a very good way to evade defenders and defensive controls that are focused around specific\r\ntools.” – Adam\r\n04:55 Sub-techniques of Process Injection\r\n05:20  “Process injection, which is a fairly broad technique, has been broken out into 11 different sub-techniques\r\nwhich are more specific techniques or ways of actually doing process injection.” – Adam\r\n05:45 Webinar Agenda\r\n07:11 Portable Executable Injection\r\n08:09 “The ability to inject that into another process and then invoking it by spawning a new thread.” – Matt\r\n09:40  “This technique offers an attacker particular flexibility in that it facilitates direct injection into their target.”\r\n– Matt\r\n10:57 Ramnit\r\n11:15  “In the case of Ramnit, it injects a traditional DLL into a browser process.” – Matt \r\nhttps://redcanary.com/resources/webinars/deep-dive-process-injection/\r\nPage 1 of 3\n\n13:55 Observing PE Injection\r\n14:14  “What are the absolute minimum requirements an attacker has imposed in order to successfully carry out\r\nthe attack technique?” – Matt\r\n17:05 Detecting PE Injection\r\n18:15  “Since they’re already writing their own position-independent code, there’s no hard requirement that they\r\nmust write a PE header into the memory space of another process, but a lot of malware does.” – Matt\r\n21:30 Thread Local Storage\r\n22:29  “Although it is kind of uncommon, it can be a successful anti-analysis technique because typically analysis\r\nis going to start at the entry point of the PE, and this malware is going to get executed before that is reached.” –\r\n Erika\r\n22:52 Ursnif\r\n23:05  “It’s often spread via malicious Office documents” – Erika\r\n23:23 Observing Malicious TLS Callbacks\r\n23:29  “Within the PE header itself, there is a TLS directory which contains information about TLS data objects.\r\nThese thread local storage objects basically allow each thread to have its own static data area for custom variables,\r\nor custom thread initialization routines that they want to employ.” – Erika\r\n28:29 Detecting Malicious TLS Callbacks\r\n29:22  “We talked about some of the APIs that are used by this technique, you can obviously detect the usage of\r\nthose, but the usage of any one of those by itself is not going to indicate malicious activity.” – Erika\r\n30:38 Process Hollowing\r\n31:00 “It allows an attacker to carve out the executable section of a legitimate or benign process and replace it\r\nwith their own payload.” – David\r\n33:42 Process Hollowing: Generalized Technique\r\n36:05  “Once the attacker has obtained the PE address, the third step is to perform the hollowing itself.” – David\r\n41:55 Trickbot\r\n42:32  “What’s interesting for us as technical defenders is that we use a number of varied techniques taking\r\nshape.” – David\r\n43:52 Process Hollowing: Trickbot\r\n45:30  “They create a section that describes their unpacked code. This is created within the originator process,\r\nmeaning within the malware process itself. They create a new section that describes the unpacked code to inject or\r\nhttps://redcanary.com/resources/webinars/deep-dive-process-injection/\r\nPage 2 of 3\n\nmake resident within the hollowed process.” – David\r\n47:52 Detecting Process Hollowing\r\n51:12  “It’s difficult to get a robust detection at scale.” – David\r\n52:16 Linux\r\n57:09  “We only had these three Linux-only techniques in ATT\u0026CK today.” – Adam\r\n57:26 MacOS\r\n57:38  “Injection isn’t seen in malware on the Mac platform, and there are a few reasons for that. The most\r\nprevalent being that it is much harder than getting the user to click on something and type in their password.” –\r\n Erika\r\n01:00:52 Mitigating Process Injection\r\n1:01:02  “There is no specific mitigation against all forms of process injection.” – Matt\r\n01:04:05 Questions \u0026 Answers\r\nWe will be following up with questions and answers in a blog post soon.\r\nSource: https://redcanary.com/resources/webinars/deep-dive-process-injection/\r\nhttps://redcanary.com/resources/webinars/deep-dive-process-injection/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://redcanary.com/resources/webinars/deep-dive-process-injection/" ], "report_names": [ "deep-dive-process-injection" ], "threat_actors": [], "ts_created_at": 1775434116, "ts_updated_at": 1775826716, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a71158f89b3cfa1105b9604881f8a163bc9e4593.pdf", "text": "https://archive.orkl.eu/a71158f89b3cfa1105b9604881f8a163bc9e4593.txt", "img": "https://archive.orkl.eu/a71158f89b3cfa1105b9604881f8a163bc9e4593.jpg" } }