Source: Bleeping Computer
Summary
Researchers have identified a new process injection technique, dubbed Mockingjay, that could allow threat actors to execute code without being detected by endpoint detection and response (EDR) solutions.
Process injection places attacker code in the address space of another, legitimate process that the operating system trusts, so that the code's activity blends in with that process's normal behaviour. Conventional injection techniques depend on commonly abused Windows API calls (allocating memory in a remote process, writing to it, and starting a new thread in it, for example), on the creation of processes and threads, and on writes to memory, and EDR solutions hook and monitor precisely those calls and events.
Mockingjay avoids those prerequisites. It instead relies on a legitimate Dynamic Link Library (DLL) that already contains a section marked read, write, and execute (RWX). Because the loader itself maps that section RWX, an attacker can copy code into it and run it without allocating new executable memory, changing page protections, or creating a remote thread, the actions EDR hooks are built to catch; the malicious code therefore runs without raising the usual alerts.
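The property Mockingjay depends on, a section whose PE header characteristics include READ, WRITE, and EXECUTE, can be inventoried from the section table alone. The following is an added example, not code from the original article or from the Mockingjay researchers: a minimal PE section-table parser that flags RWX sections, run offline against a constructed PE image with a hypothetical ".rwx" section, and optionally pointed at a directory of real DLLs. The sample image and its section names, sizes, and addresses are constructed for the example and correspond to no real library.

```python
"""Flag PE sections whose Characteristics are read+write+execute (RWX).

Added example (not from the original page): walks DOS header -> e_lfanew ->
"PE\0\0" -> COFF header -> optional header -> section table, and reports
sections mapped RWX, the property the Mockingjay technique relies on.
Run with no arguments to parse a constructed sample image; pass a directory
to scan the .dll files under it.
"""
import os
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return [(name, virtual_address, virtual_size, characteristics)] for a PE image.

    Raises ValueError when the bytes are not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff_off = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     opt_size, _file_chars) = COFF_HDR.unpack_from(data, coff_off)
    table_off = coff_off + COFF_HDR.size + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table_off + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            raise ValueError("section table truncated")
        (name, vsize, vaddr, _raw_size, _raw_ptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = SECTION_HDR.unpack_from(data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return sections


def rwx_sections(data):
    """Only the sections whose Characteristics include READ, WRITE and EXECUTE."""
    return [s for s in parse_sections(data) if s[3] & RWX == RWX]


def scan_directory(root):
    """Yield (path, rwx_sections) for each .dll under root that has an RWX section."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    hits = rwx_sections(fh.read())
            except (OSError, ValueError, struct.error):
                continue  # unreadable or malformed: skip, do not abort the scan
            if hits:
                yield path, hits


def build_sample_pe():
    """Constructed sample image (not a real DLL): three sections, one of them RWX."""
    def section(name, vaddr, vsize, chars):
        return SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)

    table = (
        section(b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
        + section(b".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
        + section(b".rwx", 0x4000, 0x4000, IMAGE_SCN_CNT_CODE | RWX)  # hypothetical RWX section
    )
    opt_header = b"\0" * 240  # PE32+ optional header size; its contents are not needed here
    coff = COFF_HDR.pack(0x8664, 3, 0, 0, 0, len(opt_header), 0x2022)  # x64, 3 sections, DLL image
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt_header + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_directory(sys.argv[1]):
            print(path, ", ".join(f"{n} va=0x{va:x} size=0x{sz:x}" for n, va, sz, _ in hits))
    else:
        for name, va, size, chars in rwx_sections(build_sample_pe()):
            print(f"RWX section {name!r} at VA 0x{va:x}, size 0x{size:x}, characteristics 0x{chars:08x}")
```

An RWX section in a legitimately signed DLL is not a vulnerability in itself; the value of the inventory is knowing which libraries on a host offer this property so that their being loaded by an unexpected process can be treated as a detection signal. The check above reads on-disk section flags only; the protection actually applied at run time is what the loader sets from those flags, and a process-level check would query the live page protections instead.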
Analysis
Responsible disclosure of newly discovered tactics, techniques, and procedures (TTPs) that can evade EDR detection is critical to keeping network defenders one step ahead of threat actors. Had researchers not found this technique first, it would likely have been only a matter of time before threat actors developed and deployed it themselves.
Fortunately, this research gives EDR vendors the information they need to detect this activity and protect their customers from it in the future.
Mitigation
Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for new TTPs. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate threat activity such as process injection. Covalence users are automatically notified when process injection is detected in their environment and are encouraged to review the resulting Actions, Recommendations, and Observations (AROs) as quickly as possible.