windows_binary_proxy_execution_mavinject_dll_injection.yml

name: Windows Binary Proxy Execution Mavinject DLL Injection
id: ccf4b61b-1b26-4f2e-a089-f2009c569c57
version: 1
date: '2022-07-07'
author: Michael Haag, Splunk
status: production
type: TTP
description: Adversaries may abuse mavinject.exe to inject malicious DLLs into running
  processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution
  (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). In addition
  to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import
  descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe
  PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an
  import table entry consisting of the specified DLL into the module at the given
  base address. During triage, review file modifcations and parallel processes.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe
  Processes.process IN ("*injectrunning*", "*hmodule=0x*") by Processes.dest Processes.user
  Processes.parent_process_name Processes.process_name Processes.process Processes.process_id
  Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `windows_binary_proxy_execution_mavinject_dll_injection_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: False positives may be present, filter on DLL name or parent
  process.
references:
- https://attack.mitre.org/techniques/T1218/013/
- https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-1---mavinject---inject-dll-into-running-process
tags:
  analytic_story:
  - Living Off The Land
  asset_type: Endpoint
  confidence: 70
  impact: 70
  message: An instance of $parent_process_name$ spawning $process_name$ was identified
    on endpoint $dest$ by user $user$ attempting load a DLL.
  mitre_attack_id:
  - T1218.013
  - T1218
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: parent_process_name
    type: Process Name
    role:
    - Parent Process
  - name: process_name
    type: Process
    role:
    - Child Process
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process_name
  - Processes.parent_process
  - Processes.original_file_name
  - Processes.process_name
  - Processes.process
  - Processes.process_id
  - Processes.parent_process_path
  - Processes.process_path
  - Processes.parent_process_id
  risk_score: 49
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
    update_timestamp: true