*Module Overloading / Phantom DLL Injection: Totally Undetected by Defender for Endpoint*

Our automation has noticed an interesting signature (NtCreateSection + SEC_IMAGE) trend over the last 12 months. Offensive Security Tools are leveraging a type of process hollowing called Module Overloading, or Phantom DLL Injection, which has OpSec advantages such as placing the payload in legitimate file-backed memory; in this case a Microsoft-signed module (BingOnlineServices.dll). Another operator advantage is negating the use of classic +RWX memory protections, instead assuming the protections of the legitimate DLL.

Below you can find some OSTs we are tracking that leverage the NtCreateSection API call + SEC_IMAGE flag.

process_ghosting: https://github.com/hasherezade/process_ghosting
process_doppelganging: https://github.com/hasherezade/process_doppelganging
phantom-dll-hollower-poc: https://github.com/forrest-orr/phantom-dll-hollower-poc
DInvoke: https://github.com/TheWover/DInvoke

Blog Post: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam
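The artifact this technique leaves for a defender is a module whose mapped pages still report a legitimate, signed file as their backing, while the bytes in those pages no longer match that file. The following added example (written for this post; not code from the post or from any of the linked projects) shows that check in miniature: it constructs a minimal PE32+ DLL in memory, simulates the SEC_IMAGE mapping a loader would produce, then compares every non-writable section of the mapped view against the file. The PE builder, the mapping routine and the overwrite are all constructed test scaffolding; a real scanner would read the mapped view from the target process and, as noted in the comments, apply base relocations and mask the IAT before diffing.

```python
"""Added example: flag a file-backed image whose in-memory code differs from the
file it claims as backing, the artifact module overloading / phantom DLL
hollowing leaves behind.  Fully self-contained: the PE, the mapped view and the
overwrite are all constructed here, nothing is read from a live process."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return (n + a - 1) // a * a


def build_min_pe(text_bytes, file_align=0x200, sect_align=0x1000):
    """Construct a minimal PE32+ DLL with one .text section.  This is constructed
    test input standing in for a signed module; it is not a real binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: NT headers at 0x40
    opt = bytearray(240)                                  # IMAGE_OPTIONAL_HEADER64
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic: PE32+
    struct.pack_into("<Q", opt, 24, 0x180000000)          # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)           # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)           # FileAlignment
    size_of_headers = _align(64 + 4 + 20 + 240 + 40, file_align)
    text_raw = _align(len(text_bytes), file_align)
    struct.pack_into("<I", opt, 56, sect_align + _align(len(text_bytes), sect_align))  # SizeOfImage
    struct.pack_into("<I", opt, 60, size_of_headers)      # SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)  # x64, 1 section, DLL
    sect = struct.pack(SECTION_HDR, b".text", len(text_bytes), sect_align, text_raw,
                       size_of_headers, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(size_of_headers, b"\0") + text_bytes.ljust(text_raw, b"\0")


def parse_sections(pe):
    """Walk the section table; the headers are identical on disk and in the mapped view."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    n_sections, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    table = nt + 24 + opt_size
    out = []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                    "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return out


def map_image(pe):
    """Simulate the view a SEC_IMAGE section produces: headers at RVA 0, each
    section at its VirtualAddress (relocations deliberately not applied here)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, nt + 24 + 56)
    view = bytearray(size_of_image)
    view[:size_of_headers] = pe[:size_of_headers]
    for s in parse_sections(pe):
        view[s["va"]:s["va"] + s["raw_size"]] = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    return view


def find_hollowed_sections(disk_pe, mapped_view):
    """Return non-writable sections whose mapped bytes differ from the file.
    Caveat for a real scanner: apply base relocations and mask the IAT first,
    or every legitimately loaded module shows up as modified."""
    findings = []
    for s in parse_sections(disk_pe):
        if s["chars"] & IMAGE_SCN_MEM_WRITE:
            continue                                      # writable data changes legitimately
        on_disk = disk_pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        in_mem = bytes(mapped_view[s["va"]:s["va"] + s["raw_size"]])
        if on_disk != in_mem:
            diffs = [i for i, (a, b) in enumerate(zip(on_disk, in_mem)) if a != b]
            findings.append({"section": s["name"], "rva": s["va"] + diffs[0],
                             "modified_bytes": len(diffs)})
    return findings


def demo():
    legit = build_min_pe(b"\x90" * 0x300)                 # constructed "legitimate" code: NOP filler
    view = map_image(legit)
    assert find_hollowed_sections(legit, view) == []      # clean mapping: nothing to report
    # Overloading replaces the mapped code while the pages keep the DLL as their
    # backing file; simulated here by writing a constructed marker over .text.
    view[0x1000:0x1000 + 64] = b"X" * 64
    return find_hollowed_sections(legit, view)


if __name__ == "__main__":
    print(demo())
```

The comparison is restricted to sections without IMAGE_SCN_MEM_WRITE because writable data is expected to diverge from disk; for code and read-only sections any difference beyond relocation fix-ups and import resolution is worth a closer look, and the RVA reported by the check gives an analyst the exact region to dump.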