02-11, 16:00–16:30 (UTC), Track 1 - Dragon Suite
Most process injection techniques involve creating remote threads within the target process, which gives EDR detection engines an opportunity to pick up the malicious activity. This talk will cover some of the existing methods used today, followed by a novel technique that can inject and execute code in a remote process without some of these common indicators.
As red teamers, we always find ourselves in a cat-and-mouse game with the blue team. Over the past 10 years, many anti-virus and EDR solutions have become significantly more advanced at detecting fileless malware activity in a generic way.
Process injection, a technique for executing code from within the address space of another process, is a common method in the offensive operator's toolbox. It is commonly used to mask activity within legitimate processes, such as browsers and instant messaging clients, that are already running on the target workstation.
Within the last 2 years, tools such as Sysmon have added new detections and events for process injection, alongside big improvements in detection across the commercial EDR space.
With this in mind, a new method of injection was researched that would not fall foul of the traditional detections that often catch today's methods.
Throughout the talk we will cover some of these traditional process injection techniques, followed by a technical dive into the novel method that was researched, and release a corresponding open-source tool that leverages the technique.
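As an added example (not from the talk or the speaker's tooling), the snippet below scores constructed Sysmon Event ID 8 (CreateRemoteThread) records for the remote-thread indicators the abstract refers to: a thread started at an address not backed by any loaded module, a remote thread whose entry point is the DLL loader, and a source binary living in a user-writable path. The field names mirror the real Sysmon event; the sample records and path heuristics are assumptions for illustration.

```python
"""Score constructed Sysmon Event ID 8 (CreateRemoteThread) records for
classic process-injection indicators. Added example, not the talk's tool."""
from dataclasses import dataclass

LOADER_ENTRY_POINTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\")  # assumed heuristic


@dataclass
class RemoteThreadEvent:
    """Subset of Sysmon Event ID 8 fields (names mirror the real event)."""
    source_image: str
    target_image: str
    start_address: int
    start_module: str      # empty when the start address is not inside a mapped image
    start_function: str


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    RemoteThreadEvent(r"C:\Windows\System32\csrss.exe", r"C:\Windows\explorer.exe",
                      0x7FFB1A2C1000, r"C:\Windows\System32\ntdll.dll", "EtwpNotificationThread"),
    RemoteThreadEvent(r"C:\Users\alice\Downloads\update.exe", r"C:\Program Files\Browser\browser.exe",
                      0x1E8F0000, "", ""),
    RemoteThreadEvent(r"C:\Users\alice\AppData\Local\Temp\stage.exe", r"C:\Windows\explorer.exe",
                      0x7FFB1A300000, r"C:\Windows\System32\kernel32.dll", "LoadLibraryW"),
]


def reasons_for(ev: RemoteThreadEvent) -> list[str]:
    """Return the injection indicators present in one remote-thread event."""
    reasons = []
    if not ev.start_module:
        # Shellcode injection: the thread starts in memory no DLL or EXE is mapped at.
        reasons.append("start address not backed by a loaded module")
    if ev.start_function.lower() in LOADER_ENTRY_POINTS:
        # Classic DLL injection: the remote thread's entry point is the loader itself.
        reasons.append(f"remote thread starts at {ev.start_function}")
    if any(hint in ev.source_image.lower() for hint in USER_WRITABLE_HINTS):
        reasons.append("source binary in user-writable path")
    return reasons


def detect(events):
    """Return (source_image, target_image, reasons) for every event with an indicator."""
    hits = []
    for ev in events:
        reasons = reasons_for(ev)
        if reasons:
            hits.append((ev.source_image, ev.target_image, reasons))
    return hits


if __name__ == "__main__":
    for src, dst, why in detect(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

The benign csrss.exe record produces no finding, which is the kind of baseline noise a real rule has to tolerate before alerting on the other two.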
After a 20-year career in the software development space I was looking for a new challenge and moved into pen testing back in 2019. During that time I have created and contributed to several open-source offensive tools such as Rubeus, BOFNET and SweetPotato, and on the odd occasion contributed to projects on the defensive side too.