Süleyman Özarslan, PhD
May 21, 2020

In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.

Our research has found that Process Injection was the most prevalent ATT&CK technique used by adversaries in their malwareAdversaries emphasize an increased level of stealth, persistence, and privilege in their advanced cyber attacks. As a mechanism that can provide these features, it is not surprising that Process Injection is the most frequently used technique.

The purpose of this blog post is to review:

  • the fundamentals of the process injection technique, 
  • the most used target processes for injection, 
  • its use cases by threat actors, and 
  • red, blue, and purple teaming exercises for this technique.

Explore our full research on the 10 Critical MITRE ATT&CK Techniques.


It is easy to detect malware processes by listing the running processes and filtering out legitimate ones that are part of the operating system or installed software. If the malware can encapsulate its malicious code within a legitimate process, it will hide on the infected system. Process injection is in fact an “old but gold” technique consisting in running arbitrary code within the address space of another process. As a result, this technique enables access to the target process’s memory, system, and network resources. 

On this account, the technique provides three significant benefits for adversaries:

  • Executing code under a legitimate process may evade security controls. The legitimate process camouflages the malicious code to evade detection since it is whitelisted.
  • Since the malicious code executed inside the legitimate process’s memory space, it may also evade disk forensics.
  • If the target process has elevated privileges, this technique will enable privilege escalation. For example, if the target process has access to network resources, the malicious code can communicate legitimately over the Internet and with other computers on the same network.

Processes Targeted by Adversaries for Process Injection

Security controls may quickly detect custom processes. Therefore, threat actors use common Windows processes such as:

  • Built-in native Windows processes including explorer.exe, svchost.exeregsvr32.exe, dllhost.exe, services.exe, cvtres.exe, msbuild.exe, RegAsm.exe, RegSvcs.exe, rundll32.exe, arp.exe, PowerShell.exe, vbc.exe, csc.exe, AppLaunch.exe and cmd.exe
  • Processes of common software including iexplore.exe, ieuser.exe, opera.exe, chrome.exe, firefox.exe, outlook.exe, and msinm.exe

Target Process Selection Methods

Adversaries use the following methods when picking their target process for malicious code injection:

  • A specific target process is called out in the code. In this case, explorer.exe and svchost.exe are the most commonly used ones.
  • A list of target processes is defined in the code. For example, the Turla cyber espionage group’s Carbon backdoor includes a configuration file consisting of a list of target processes for injection[1]. A typical list includes native Windows and browser processes.
  • In some attack scenarios, the target process is not previously defined, and a suitable host process is located at runtime in this type of attack. For example, the CopyKittens group used Windows API functions to extract a list of currently active processes and to get a handle to each target process in its campaign[2]

Use Cases by Malware and Threat Actors


Threat Actor

Target Industries

Target Geographies

Target Process

Backdoor.Oldrea [3]



US, Europe


BlackEnergy [4]


Energy, Government



Cardinal RAT [5]




RegAsm.exe, RegSvcs.exe, vbc.exe, AppLaunch.exe, cvtres.exe

Denis backdoor [6]


Government, Media

East Asia

rundll32.exe, svchost.exe, arp.exe, PowerShell.exe

Downdelph downloader [7]



US, Europe


Dropper (unnamed) [8]

Putter Panda

Government, Telecommunication, Defense, Research, Technology, Aerospace

US, Europe

msinm.exe, outlook.exe, iexplore.exe, firefox.exe

Emotet banking malware [9]





Kazuar backdoor malware [10]


Government, Military, Defense

US, Europe, Middle East


RAT (unnamed) [11]

Emissary Panda

Energy, Government, Technology, Manufacturing

Middle East, Central Asia


Rokrat RAT [12]


Government, Finance

Middle East, East Asia


TClient backdoor malware [13]

Tropic Trooper

Government, Healthcare, Transportation, High-Tech

East Asia


Tidyelf dropper malware [14]


Healthcare, Technology, Telecommunications, Media, Education, Retail

Europe, East Asia, Middle East, US


Trickbot banking malware [15]





Trojan (unnamed) [16]

Gorgon Group


US, Europe

cvtres.exe, MSBuild.exe

Trojan (unnamed)[17]


Government, Defense, Logistics

South Korea


ZxShell RAT [18]

Group 72

Manufacturing, Aerospace, Defense, Media

US, East Asia


Example Process Injection Method: Reflective DLL Injection

Reflective DLL injection (loading) is one of the most used process injection methods employed by adversaries. This method allows injecting and executing a DLL inside another process by creating a DLL that maps itself into memory when executed, instead of relying on Window’s API’s loader calls. This technique avoids storing the DLL on disk and calling the Windows API’s LoadLibrary that might be detected by security tools.

Red Teaming - How to simulate?

Powersploit’s Invoke-ReflectivePEInjection [19] module can be used to simulate the reflective DLL injection technique. In addition to loading a DLL or EXE into the PowerShell,  It can reflectively load a DLL into a remote process. Because of its capabilities, adversaries are also using this module for injection, such as the Turla APT Group [20].

The below command is a simulation of reflective DLL injection using the Invoke-ReflectivePEInjection module. With this command, contents of the calc.exe file are read into the $PEByte byte array using the ReadAllBytes [21] method. Then the byte array containing the calc.exe is loaded and executed locally using the -PEBytes parameter.


powershell -c "Unblock-File %TMP%\Invoke-ReflectivePEInjection.ps1;

Import-Module %TMP%\Invoke-ReflectivePEInjection.ps1;$PEBytes = [IO.File]::ReadAllBytes('%windir%\System32\calc.exe'); Invoke-ReflectivePEInjection -PEBytes $PEBytes"



Blue Teaming - How to detect?

Sigma Rule

To detect the reflective DLL injection technique, we need logs that include PowerShell activities. Event log entries in the Microsoft-Windows-PowerShell/Operational log includes such activities. The Event ID 4104 (script block logging) records accurate blocks of code as they are executed by the PowerShell engine. Script block logging captures the de-obfuscated full contents of the code as it is executed, including scripts and commands, as shown in the following figure.


When the DLL is injected into the target process, the malware has to map the DLL’s raw binary into virtual memory. It uses  kernel32.dll and VirtualAlloc, GetProcAddress, and LoadLibraryA functions to get the correct address of the injected export function. Picus Labs’ Blue team developed the following Sigma rule by taking advantage of this finding mechanism and utilizing the Microsoft-Windows-PowerShell/Operational log with the Event ID 4104


title:Reflective Portable Executable Injection via PowerShell status: stable                                                       description: Detects the attempt of reflective portable executable (DLL/EXE) injection by PowerShell that uses API calls. This method is used by adversaries to evade detection from security products since the execution is masked under a legitimate process.
author: Picus Security
     product: windows
     service: powershell/operational
     definition1: 'Requirements: Group Policy : Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell\Turn On Module Logging'
     definition2: 'Requirements: Group Policy : Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell\Turn On PowerShell Script Block Logging'
        EventID: 4104
        - '*kernel32.dll*'
        - '*LoadLibraryA*'
        - '*GetProcAddress*'
        - '*VirtualAlloc*'
    condition: All of them
    - Unlikely, legitimate use in red teaming activities
level: high
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.ta0004
    - attack.ta0005



Splunk SPL Query

(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104" "*kernel32.dll*" "*LoadLibraryA*" "*GetProcAddress*" "*VirtualAlloc*")

IBM QRadar AQL Query

(LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and EventID='4104' and UTF8(payload) ilike '%kernel32.dll%' and UTF8(payload) ilike '%LoadLibraryA%' and UTF8(payload) ilike '%GetProcAddress%' UTF8(payload) ilike '%VirtualAlloc%')


The following YARA rule can be used to detect PowerShell scripts used for reflective DLL injection. This rule detects both Powersploit’s Invoke-ReflectivePEInjection module and Mimikatz’s PE Reflective Injection method [22].


rule power_pe_injection
description = "PowerShell with PE Reflective Injection"
author = "Benjamin DELPY (gentilkiwi)"

$str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9"




Appendix A - Aliases of Threat Groups

Threat Group



Sednit, Sofacy, Fancy Bear




Group 123, Reaper


Energetic Bear

Emissary Panda

TG-3390, APT 27, Bronze Union

Group 72


Putter Panda


Tropic Trooper 



Appendix B - Aliases of Malware Families





ZxShell RAT



[1] ESET Research, “Carbon Paper: Peering into Turla’s second stage backdoor | WeLiveSecurity,” WeLiveSecurity, 30-Mar-2017. [Online]. Available: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/. [Accessed: 13-Apr-2020].

[2] Minerva Labs LTD, ClearSky Cyber Security, “CopyKittens Attack Group.” [Online]. Available: https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf. [Accessed: 13-Apr-2020].

[3] Symantec Security Response, “Dragonfly: Cyberespionage Attacks Against Energy Suppliers.” [Online]. Available: https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/Symantec%20-%20Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf. [Accessed: 13-Apr-2020].

[4] F-Secure, “BlackEnergy & Quedagh The convergence of crimeware and APT attacks.” [Online]. Available: https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf. [Accessed: 13-Apr-2020].

[5] J. Grunzweig, “Cardinal RAT Active for Over Two Years,” Unit42, 20-Apr-2017. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-cardinal-rat-active-two-years/. [Accessed: 13-Apr-2020].

[6] Cybereason, “Operation Cobalt Kitty.” [Online]. Available: https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf. [Accessed: 13-Apr-2020].

[7] “En Route with Sednit Part 3: A Mysterious Downloader,” Eset. [Online]. Available: https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf. [Accessed: 13-Apr-2020].

[8] CrowdStrike, “CrowdStrike Intelligence Report PUTTER PANDA.” [Online]. Available: https://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf. [Accessed: 13-Apr-2020].

[9] “Emotet Malware | CISA.” [Online]. Available: https://www.us-cert.gov/ncas/alerts/TA18-201A. [Accessed: 13-Apr-2020].

[10] B. Levene, R. Falcone, and T. Halfpop, “Kazuar: Multiplatform Espionage Backdoor with API Access,” Unit42, 03-May-2017. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/. [Accessed: 13-Apr-2020].

[11] nccgroup, “Emissary Panda – A potential new malicious tool.” [Online]. Available: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/. [Accessed: 13-Apr-2020].

[12] “Threat Analysis: ROKRAT Malware | VMware Carbon Black,” VMware Carbon Black, 27-Feb-2018. [Online]. Available: https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/. [Accessed: 13-Apr-2020].

[13] T. Micro, “Tropic Trooper’s New Strategy - TrendLabs Security Intelligence Blog,” 14-Mar-2018. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/. [Accessed: 13-Apr-2020].

[14] FireEye, “Double Dragon APT41, a dual espionage and cyber crime operation.” [Online]. Available: https://www.fireeye.com/content/dam/collateral/en/rpt-apt41-2019.pdf. [Accessed: 13-Apr-2020].

[15] S2 Grupo, “Evolution of Trickbot.” [Online]. Available: https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf. [Accessed: 13-Apr-2020].

[16] R. Falcone, D. Fuertes, J. Grunzweig, and K. Wilhoit, “The Gorgon Group: Slithering Between Nation State and Cybercrime,” Unit42, 02-Aug-2018. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/. [Accessed: 13-Apr-2020].

[17] D. Tarakanov, “The ‘Kimsuky’ Operation: A North Korean APT?” [Online]. Available: https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/. [Accessed: 13-Apr-2020].

[18] Talos Group, “Threat Spotlight: Group 72, Opening the ZxShell - Cisco Blogs,” Cisco Blogs, 28-Oct-2014. [Online]. Available: https://blogs.cisco.com/security/talos/opening-zxshell. [Accessed: 13-Apr-2020].

[19] PowerShellMafia, “PowerShellMafia/PowerSploit,” GitHub. [Online]. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: 13-Apr-2020].

[20] ESET, “A dive into Turla PowerShell usage.” [Online]. Available: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/. [Accessed: 13-Apr-2020].

[21] dotnet-bot, “File.ReadAllBytes(String) Method (System.IO).” [Online]. Available: https://docs.microsoft.com/en-us/dotnet/api/system.io.file.readallbytes. [Accessed: 13-Apr-2020].

[22] gentilkiwi, “gentilkiwi/mimikatz,” GitHub. [Online]. Available: https://github.com/gentilkiwi/mimikatz. [Accessed: 13-Apr-2020].




10 Critical MITRE ATT&CK Techniques

Süleyman Özarslan, PhD

About the Author

Süleyman Özarslan, PhD
VP, Picus Labs, Founder A true security enthusiast with extensive experience in ethical hacking, cyber defense, computer networks, and cryptography.
VP, Picus Labs, Founder A true security enthusiast with extensive experience in ethical hacking, cyber defense, computer networks, and cryptography.


Trusted by Leading Global Companies

Exclusive Networks
ING Bank
QNB Finansbank
Yapı Kredi
Datasheet Request Demo Join our Newsletter