analytics/CAR-2013-10-002.yaml

title: DLL Injection via Load Library
submission_date: 2013/10/07
information_domain: Host
platforms:
  - Windows
subtypes:
  - Process DLL
analytic_types:
  - TTP
contributors:
  - MITRE
id: CAR-2013-10-002
description: |-
  Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx).

  -   Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx)
  -   Write the name of the DLL to inject into this program with [WriteProcessMemory](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674.aspx)
  -   Create a new thread and set its entry point to [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx) using the API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx).

  This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
coverage:
  - technique: T1055
    tactics:
      - TA0005
    subtechniques:
      - T1055.001
    coverage: Moderate
  - technique: T1548
    tactics:
      - TA0004
    subtechniques:
      - T1548.002
    coverage: Moderate
implementations:
  - description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. '
    code: |-
      remote_thread = search Thread:RemoteCreate
      remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
      remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

      output remote_thread
    type: pseudocode
  - description: LogPoint version of the above pseudocode.
    code: |-
      norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
    type: LogPoint
    data_model: LogPoint native
data_model_references:
  - thread/remote_create/src_pid
  - thread/remote_create/start_function
true_positives:
  - source: 'Mordor (Sysmon)'
    description: 'Sysmon event from the Mordor [Empire DLL Injection dataset](https://github.com/hunters-forge/mordor/blob/master/small_datasets/windows/defense_evasion/process_injection_T1055/empire_dll_injection.md).'
    event_snippet: 'CAR-2013-10-002-mordor-01-snippet.json'
    full_event: 'CAR-2013-10-002-mordor-01.json'
d3fend_mappings:
  - iri: d3f:SystemCallAnalysis
    id: D3-SCA
    label: System Call Analysis