*Module Overloading / Phantom DLL Injection: Totally Undetected by Defender for Endpoint*

Our automation has noticed an interesting signature (NtCreateSection + SEC_IMAGE) trend over the last 12 months. Offensive Security Tools are leveraging a type of process hollowing called Module Overloading, or Phantom DLL Injection, which has OpSec advantages such as using a payload backed by legitimate file-backed memory; in this case a Microsoft-signed module (BingOnlineServices.dll). Another operator advantage is avoiding the classic +RWX memory protections, instead inheriting the protections of the legitimate DLL. Below you can find some OSTs we are tracking that leverage the NtCreateSection API call + SEC_IMAGE flag.
Blog Post: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
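The detection angle that follows from the post is that the payload lives in memory backed by a legitimate signed DLL, so the in-memory code no longer matches the file it claims to be mapped from. The following is an added example (not code from the post or its author) that flags an image-backed region whose executable section diverges from the on-disk copy; the module bytes and the "memory snapshot" are constructed inline, and the section parsing is assumed to have been done already.

```python
# Added example: detect a Module Overloading / Phantom DLL Injection artifact by
# comparing executable sections of an image-backed region with the backing file.
# Sample data is constructed; a real scanner would parse the PE from disk and
# read the same sections from the target process (e.g. via ReadProcessMemory).
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class Section:
    name: str
    data: bytes
    executable: bool


@dataclass
class ImageRegion:
    backing_path: str            # file the SEC_IMAGE section is mapped from
    disk_sections: List[Section]   # sections of the on-disk module
    memory_sections: List[Section]  # same sections as read from the process


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_hollowed_sections(region: ImageRegion) -> List[str]:
    """Return names of executable sections whose in-memory bytes differ from disk.

    Caveat: a real implementation must first apply base relocations to the
    disk copy (loaded modules rarely sit at their preferred base), otherwise
    every relocated pointer in .text shows up as a false positive.
    """
    on_disk = {s.name: s for s in region.disk_sections}
    divergent = []
    for mem in region.memory_sections:
        if not mem.executable:
            continue  # data sections (IAT, .data) change legitimately at runtime
        disk = on_disk.get(mem.name)
        if disk is None or _digest(disk.data) != _digest(mem.data):
            divergent.append(mem.name)
    return divergent


# Constructed sample: the legitimate .text vs. a replaced one (payload bytes).
LEGIT_TEXT = b"\x55\x8b\xec\x83\xec\x10" * 8   # placeholder prologue bytes
PAYLOAD_TEXT = b"\x90" * 48                     # placeholder, not a real payload
DISK = [Section(".text", LEGIT_TEXT, True), Section(".data", b"\x00" * 16, False)]
CLEAN_REGION = ImageRegion(r"C:\<constructed>\BingOnlineServices.dll", DISK,
                           [Section(".text", LEGIT_TEXT, True), Section(".data", b"\x01" * 16, False)])
HOLLOWED_REGION = ImageRegion(r"C:\<constructed>\BingOnlineServices.dll", DISK,
                              [Section(".text", PAYLOAD_TEXT, True), Section(".data", b"\x00" * 16, False)])
```

Only the hollowed region reports its `.text` section; the runtime change in `.data` is ignored on purpose.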
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam