Detecting Mockingjay Process injection

Nchaupe Solomon Setshedi
7 min readJul 23, 2023

--

What is Process Injection?

process injection is a defence evasion technique. It is used by attackers to conceal the execution of malware code within the address space of a legitimate process. The malicious code is difficult to detect because it is hidden within a legitimate program. Process injection is dependent on the privileges of the legitimate process or program into which the malicious code is injected. These legal processes or programs are frequently allow listed and thus escape further scrutiny. Process injections are also undetected by any antivirus, application control, or endpoint detection and response systems that are running on the network because the infected processes are regarded as legitimate.

Types & Techniques

Code Injection: Injecting code into a process to perform specific actions within the context of that process. This can be used for debugging, adding features, or modifying the behaviour of a running application.

DLL Injection: Injecting a dynamic-link library (DLL) into a process to extend its functionality or to intercept its behaviour. DLL injection is often used by legitimate software (e.g., antivirus tools, performance monitors) to inject their code into processes for monitoring or protection purposes.

Malware and Exploits: Injecting malicious code into a process to compromise the system, steal information, or perform unauthorized actions. Malware may use process injection to evade detection, gain elevated privileges, or hide its presence.

Reflective DLL Injection: A more advanced technique that loads a DLL into memory without the need for it to be on disk, making it harder to detect.

a. CreateRemoteThread: Creating a new thread within the address space of the target process and starting it with the injected code.

b. SetThreadContext: Modifying the context of an existing thread within the target process to execute the injected code.

c. VirtualAllocEx: Allocating memory within the address space of the target process and then writing the code into that allocated memory space.

d. QueueUserAPC: Queuing an Asynchronous Procedure Call (APC) to a thread within the target process, causing it to execute the injected code.

Mockingjay Process Injection Technique

The Mockingjay process injection technique is a new method of injecting malicious code into running processes that can avoid detection and response tools such as EDR (Endpoint Detection and Response). It works by exploiting legitimate DLLs with read, write, and execute (RWX) sections. These DLLs are frequently used by legitimate applications, but attackers can use them to inject malicious code into other processes.

The Mockingjay technique begins by locating a vulnerable DLL. After identifying a vulnerable DLL, the attacker can inject malicious code into the DLL’s RWX section. This can be accomplished by either directly loading the DLL into their custom application’s memory space or by leveraging the RWX section to perform process injection in a remote process.

Once the malicious code has been injected into the DLL, the vulnerable application can execute it. This allows the attacker to execute arbitrary code in the vulnerable application’s address space, giving them access to the system’s resources and data.

The Mockingjay process injection technique is still in its early stages and is not widely used by attackers. However, it is a potential risk that businesses should be aware of. Typically, EDR tools look for specific Windows APIs that are used in common process injection techniques. The Mockingjay technique, on the other hand, does not rely on these APIs, allowing it to avoid EDR detection.

Differences

The act of injecting malicious code into the memory space of a running process is referred to as process injection. There are numerous methods for performing process injection, each with its own set of advantages and disadvantages.
The Mockingjay process injection technique is a type of process injection in which malicious code is injected into the memory space of a running process using a vulnerable DLL with a read, write, execute (RWX) section. This technique is intended to avoid detection and prevention of process injection attacks by EDR (Endpoint Detection and Response) tools.

The main difference between process injection and the Mockingjay process injection technique is that the Mockingjay technique does not rely on any Windows APIs. This makes it more difficult for EDR tools to detect, as they typically monitor for specific Windows APIs that are used in common process injection techniques.

Here is a table that summarizes the key differences between process injection and the Mockingjay process injection technique:

Why Win32_API

In the context of the Windows operating system, process injection is related to Win32 APIs (Application Programming Interfaces). Malware and security researchers alike use process injection to inject code into the address space of a running process, allowing them to manipulate the process and execute code within its context.

Win32 APIs are a set of functions and interfaces that developers can use to interact with the Windows operating system. Process injection techniques use some of these APIs to achieve their objectives. Here are a few Win32 APIs that are frequently used in process injection mentioned above What is Process Injection?

the Mockingjay process injection technique does not use any Win32 APIs. This is what makes it so difficult for EDR tools to detect, as they typically monitor for specific Win32 APIs that are used in common process injection techniques.

Instead, the Mockingjay technique abuses legitimate DLLs with read, write, and execute (RWX) sections. These DLLs are often used by legitimate applications, but they can also be used by attackers to inject malicious code into other processes.

The Mockingjay technique works by first identifying a vulnerable DLL. Once a vulnerable DLL has been identified, the attacker can then inject malicious code into the DLL’s RWX section. This can be done by either directly loading the DLL into the memory space of their custom application or by leveraging the RWX section to perform process injection in a remote process.

Once the malicious code has been injected into the DLL, it can then be executed by the vulnerable application. This allows the attacker to execute arbitrary code in the address space of the vulnerable application, which can give them access to the system’s resources and data.

The Mockingjay process injection technique is a relatively new technique, and it is not yet widely used by attackers. However, it is a potential threat that organizations should be aware of. EDR tools typically monitor for specific Win32 APIs that are used in common process injection techniques. However, the Mockingjay technique does not rely on these APIs, so it can bypass EDR detection.

Detections

The script below can be used to assist cybersecurity professionals to identify vulnerable DLLs


# Import the necessary modules
import-module 'microsoft[.]powershell[.]security'

# Get a list of all loaded DLLs
$loadedDlls = Get-Process | Get-Module | Where-Object {$_.ModuleName -ne 'Kernel32.dll'}

# Check each DLL for vulnerabilities
foreach ($dll in $loadedDlls) {
# Get the DLL's file path
$dllPath = $dll.Path

# Check if the DLL is vulnerable to process injection
$isVulnerable = Test-Path $dllPath -PathType 'Physical' -Recurse -Include '*.sys'

# If the DLL is vulnerable, output a message
if ($isVulnerable) {
Write-Host "The DLL $dllPath is vulnerable to process injection."
}
}
The ntdll.dll also covers for #win32 #api usage
The KQL Query will just have to be modified into a custom detection rule on #windows #defender and #sentinel
KQL Query

DeviceProcessEvents | where ProcessName == "ssh.exe" and FileName == "msys-2.0.dll"

Hell's Gate technique for bypassing EDR
DeviceProcessEvents | where ProcessName == "ntoskrnl.exe" and CommandLine contains "ntdll.dll"

This KQL query will identify instances of the ssh.exe process launching the msys-2.0.dll library. This is a common behaviour of Process Mockingjay.

PowerShell Script

Get-Process | where {$_.ProcessName -eq "ssh.exe" -and $_.Modules.ModuleName -eq "msys-2.0.dll"}

Hell's Gate technique for bypassing EDR
Get-Process | where {$_.ProcessName -eq "ntoskrnl.exe" -and $_.CommandLine -match "ntdll.dll"}

This PowerShell script will identify any instances of the ssh.exe process that have the msys-2.0.dll library loaded. This is a common behaviour of Process Mockingjay.

The KQL query and PowerShell script that you provided can be used to help detect the Mockingjay process injection technique. The KQL query will find instances of the ssh.exe process launching the msys-2.0.dll library, which is a common Mockingjay technique behaviour. The PowerShell script will detect any instances of the ssh.exe process that are loaded with the msys-2.0.dll library.

Because the ntdll.dll also supports Win32 API usage, the KQL query and PowerShell script can be used to detect the Hell’s Gate technique for bypassing EDR. The Hell’s Gate method involves starting the ntoskrnl.exe process with the ntdll.dll library loaded, which allows EDR detection to be avoided.

The KQL query and PowerShell script are insufficient to detect the Mockingjay process injection technique. They can, however, be used as part of a layered security strategy to help protect your systems from this attack.

Conclusion

The Mockingjay process injection technique is a new and sophisticated method of injecting malicious code into running processes. It is designed to bypass detection and response tools such as EDR, making it a serious threat to organizations.

There are a few ways to detect the Mockingjay process injection technique. One is to use the KQL query and PowerShell script that were provided in the article. These tools can identify instances of the ssh.exe process launching the msys-2.0.dll library, which is a common behavior of the Mockingjay technique.

Another way to detect the Mockingjay process injection technique is to look for instances of the ntoskrnl.exe process launching with the ntdll.dll library loaded. This is a behavior of the Hell’s Gate technique, which is another way to bypass EDR detection.

It is important to note that the KQL query and PowerShell script are not a complete solution for detecting the Mockingjay process injection technique. They can, however, be used as part of a layered security strategy to help protect your systems from this attack.

Here are some additional tips for protecting your systems from the Mockingjay process injection technique:

  • Keep your software up to date.
  • Use EDR tools that monitor for suspicious activity.
  • Implement security controls that prevent attackers from gaining access to vulnerable DLLs.
  • Be aware of the latest attack techniques and how to defend against them.

Further readings and resources

https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/

--

--

Nchaupe Solomon Setshedi

Recognized as a #Top15youngeeks2022 nominee and featured professional on builtinafrica.io. a skilled software developer and cyber-security practitioner