Process Injection: Dynamic-link Library Injection, Sub-technique T1055.001 - Enterprise
Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.[5]
BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.[6]
BADHATCH has the ability to execute a malicious DLL by injecting into explorer.exe on a compromised machine.[7]
BlackEnergy injects its DLL component into svchost.exe.[8]
The Bumblebee loader can support the Dij command which gives it the ability to inject DLLs into the memory of other processes.[9][10]
During C0015, the threat actors used a DLL named D8B3.dll that was injected into the Winlogon process.[11]
Carberp's bootkit can inject a malicious DLL into the address space of running processes.[12]
Carbon has a command to inject code into a process.[13]
Cobalt Strike has the ability to load DLLs via reflective injection.[14][15]
ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.[16][17]
Conti has loaded an encrypted DLL into memory and then executed it.[18][19]
DarkTortilla can use a .NET-based DLL named RunPe6 for process injection.[20]
Derusbi injects itself into the secure shell (SSH) process.[21]
Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).[22]
Dyre injects into other processes to load modules.[23]
Elise injects DLL files into iexplore.exe.[24][25]
Emissary injects its DLL file into a newly spawned Internet Explorer process.[26]
Emotet has been observed injecting into Explorer.exe and other processes.[27][28][29]
FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.[30][31]
The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the VirtualAllocEx, WriteProcessMemory and CreateRemoteThread APIs to load the DLL component.[32]
Gelsemium has the ability to inject DLLs into specific processes.[33]
Get2 has the ability to inject DLLs into processes.[34]
Havoc has DLL spawn and injection modules.[35]
Heyoka Backdoor can inject a DLL into rundll32.exe for execution.[36]
HIDEDRV injects a DLL for Downdelph into the explorer.exe process.[37]
IronNetInjector has the ability to inject a DLL into running processes, including the IronNetInjector DLL into explorer.exe.[38]
If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.[39]
Kimsuky has the ability to load DLLs via reflective injection by allocating memory using VirtualAllocEx(), then decrypting a DLL with WriteProcessMemory() and invoking execution through CreateRemoteThread().[40]
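The FunnyDream and Kimsuky entries above both describe the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread sequence. As an added example that is not part of the ATT&CK page, the following Python triages constructed Sysmon Event ID 8 (CreateRemoteThread) records for that pattern from a detection standpoint; the record format, the source-image allowlist and every sample value are assumptions made for this example.

```python
"""Added example, not from the ATT&CK page: triage constructed Sysmon Event ID 8
(CreateRemoteThread) records for the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread
DLL-injection pattern. Field names follow Sysmon; record format and sample values are made up."""
import ntpath
# Host processes that procedure examples on this page name as injection targets.
ABUSED_TARGETS = {
    "explorer.exe", "svchost.exe", "rundll32.exe", "dllhost.exe", "winlogon.exe",
    "iexplore.exe", "outlook.exe", "firefox.exe", "wmplayer.exe", "winword.exe",
}
# Assumed allowlist of source images a site has vetted; tune per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

def parse_event(line: str) -> dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record (constructed format) into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def score_event(ev: dict[str, str]) -> tuple[int, list[str]]:
    """Return a score and the reasons; higher means more worth an analyst's time."""
    if ev["SourceImage"].lower() in ALLOWED_SOURCES:
        return 0, ["allowlisted source image"]
    score, reasons = 0, []
    target = ntpath.basename(ev["TargetImage"]).lower()
    if target in ABUSED_TARGETS:
        score += 2
        reasons.append(f"remote thread created in commonly abused host {target}")
    # Classic DLL injection starts the remote thread at LoadLibrary so the target maps the DLL.
    if "loadlibrary" in ev.get("StartFunction", "").lower():
        score += 2
        reasons.append("thread entry point resolves to LoadLibrary")
    # No backing module for the start address is consistent with reflective loading.
    if not ev.get("StartModule"):
        score += 1
        reasons.append("start address is not backed by any loaded module")
    return score, reasons

def triage(lines: list[str], threshold: int = 3) -> list[tuple[str, int, list[str]]]:
    """Return (SourceImage, score, reasons) for every record scoring at or above threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["SourceImage"], score, reasons))
    return hits
# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Users\u\AppData\Local\Temp\update.exe|TargetImage=C:\Windows\explorer.exe|StartModule=C:\Windows\System32\KERNEL32.DLL|StartFunction=LoadLibraryW",
    r"SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\svchost.exe|StartModule=|StartFunction=",
    r"SourceImage=C:\Tools\agent.exe|TargetImage=C:\Windows\System32\rundll32.exe|StartModule=|StartFunction=",
    r"SourceImage=C:\Program Files\App\app.exe|TargetImage=C:\Program Files\App\helper.exe|StartModule=C:\Program Files\App\app.dll|StartFunction=Worker",
]
```

Running `triage(SAMPLE_EVENTS)` flags the update.exe and agent.exe records and leaves the allowlisted and benign ones alone; the threshold and weights are starting points to tune against real telemetry.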
Koadic can perform process injection by using a reflective DLL.[41]
A Lazarus Group malware sample performs reflective DLL injection.[42][43]
Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[44]
Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.[45]
Malteiro has injected Mispadu’s DLL into a process.[46]
Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.[47]
Maze has injected the malware DLL into a target process.[48][49]
MegaCortex loads injecthelper.dll into a newly created rundll32.exe process.[50]
Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).[51]
Mongall can inject a DLL into rundll32.exe for execution.[36]
The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.[52]
PipeMon can inject its modules into various processes using reflective DLL loading.[53]
PoisonIvy can inject a malicious DLL into a process.[54][55]
PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.[56][57]
PS1 can inject its payload DLL into memory.[58]
Pupy can migrate into another process using reflective DLL injection.[59]
An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).[60]
Qilin can inject pwndll.dll, a patched DLL from the legitimate DLL WICloader.dll, into svchost.exe for continuous execution.[61]
Ramsay can use ImprovedReflectiveDLLInjection to deploy components.[62]
After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This "downloaded" file is actually not dropped onto the system.[63]
RATANKBA performs a reflective DLL injection using a given pid.[64][65]
Remsec can perform DLL injection.[66]
Sagerunex is designed to be injected as a dynamic link library (DLL) into a process on an infected endpoint and executed directly in memory.[67]
Saint Bot has injected its DLL component into EhStorAurhn.exe.[68]
SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.[34]
ShadowPad has injected a DLL into svchost.exe.[69]
Socksbot creates a suspended svchost process and injects its DLL into it.[70]
SombRAT can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL from disk, storage, or memory respectively.[58]
Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.[71]
Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.[72]
TA505 has been seen injecting a DLL into winword.exe.[73]
Taidoor can perform DLL loading.[74][75]
TajMahal has the ability to inject DLLs for malicious plugins into running processes.[76]
TONESHELL has used DLL injection to execute payloads received from the C2 server.[77]
Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.[78][79]
Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.[80][81]
Uroburos can use DLL injection to load embedded files and modules.[82]
Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.[83][84]