Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such asOpenThread
. At this point the process can be suspended then written to, realigned to the injected code, and resumed viaSuspendThread
,VirtualAllocEx
,WriteProcessMemory
,SetThreadContext
, thenResumeThread
respectively.(Citation: Elastic Process Injection July 2017) This is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.
This test injects a MessageBox shellcode generated by msfvenom in Notepad.exe using Thread Execution Hijacking. When successful, a message box will appear with the “Atomic Red Team” caption after one or two seconds.
Supported Platforms: Windows
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae527d503e1
1
powershell
!1
2
3
4
$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055.003\bin\InjectContext.exe"
Start-Sleep -Seconds 5
Stop-Process $notepad.id