DLL Injection - veramine/Detections GitHub Wiki
DLL injection is used to run code in the context of another process by causing that process to load and execute the attacker's code. Running code in the context of another process provides adversaries many benefits, such as access to the process's memory and permissions. It also allows adversaries to mask their actions under a legitimate process. A more sophisticated kind of DLL injection, reflective DLL injection, loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. Numerous methods of DLL injection exist on Windows, including modifying the Registry, creating remote threads, using Windows hooking APIs, and DLL pre-loading. You can read more about this technique at https://attack.mitre.org/wiki/Technique/T1055.
The Veramine detection engine reports several different types of DLL injection. Here's an example of a malicious process running as a normal user creating a remote thread in a safe process in an attempt to avoid detection:
Here's an example of an elevated credential dumping tool starting a remote thread in lsass to access password hashes:
Here's an example of an attacker launching a trusted, signed process from a directory where they had placed a malicious DLL to be loaded:
The Veramine detection engine is able to detect these and several additional types of DLL injection situations by processing the wealth of low level information sent by the Veramine sensor.
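The three situations above (a cross-process remote thread from a non-elevated process, an elevated remote thread into lsass, and a signed process loading an unsigned DLL placed beside it) can be expressed as rules over process telemetry. The following is an added example, not Veramine's own code: it defines a constructed event schema (the field names, process names and paths are invented and are not the Veramine sensor's real format) and classifies a handful of constructed events into those three detections, skipping the benign cases.

```python
# Added example (not Veramine's code): a minimal classifier for the three
# DLL-injection situations described on the page, run over constructed events.
# The event schema, process names and paths are invented for illustration.
from dataclasses import dataclass
from typing import List, Optional

# Directories a signed Windows binary is expected to resolve its DLLs from.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Processes whose memory holds credential material; a remote thread into one
# of them is the lsass case from the page and is rated high.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe"}


@dataclass
class Event:
    kind: str                         # "remote_thread" or "image_load"
    pid: int                          # process that performed the action
    image: str                        # full path of that process's executable
    elevated: bool                    # running with an elevated token?
    image_signed: bool = False        # executable carries a valid signature?
    target_pid: Optional[int] = None  # remote_thread: process receiving the thread
    target_image: Optional[str] = None
    dll_path: Optional[str] = None    # image_load: DLL that was mapped
    dll_signed: Optional[bool] = None


@dataclass
class Detection:
    rule: str
    severity: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    p = _norm(path)
    return p[: p.rfind("\\") + 1] if "\\" in p else ""


def check_remote_thread(ev: Event) -> Optional[Detection]:
    """Flag a thread created in another process (CreateRemoteThread-style injection)."""
    if ev.kind != "remote_thread" or ev.target_pid is None:
        return None
    if ev.target_pid == ev.pid:
        return None  # threads started in one's own process are normal
    src, target = _basename(ev.image), _basename(ev.target_image or "")
    detail = f"{src} (elevated={ev.elevated}) started a thread in {target}"
    if target in SENSITIVE_TARGETS:
        return Detection("remote_thread_into_sensitive_process", "high", ev.pid, detail)
    return Detection("cross_process_remote_thread", "medium", ev.pid, detail)


def check_image_load(ev: Event) -> Optional[Detection]:
    """Flag a signed process loading an unsigned DLL from its own directory
    rather than a system directory: the DLL pre-loading case from the page.
    This is a simplified heuristic and needs tuning against real telemetry."""
    if ev.kind != "image_load" or not ev.dll_path:
        return None
    dll_dir = _dirname(ev.dll_path)
    if dll_dir.startswith(TRUSTED_DLL_DIRS):
        return None
    if ev.image_signed and ev.dll_signed is False and dll_dir == _dirname(ev.image):
        return Detection("unsigned_dll_loaded_by_signed_process", "high", ev.pid,
                         f"{_basename(ev.image)} loaded unsigned "
                         f"{_basename(ev.dll_path)} from {dll_dir}")
    return None


def classify(events: List[Event]) -> List[Detection]:
    """Run every rule over every event and collect the detections."""
    out: List[Detection] = []
    for ev in events:
        d = check_remote_thread(ev) or check_image_load(ev)
        if d:
            out.append(d)
    return out


# Constructed sample telemetry: one event per situation on the page, plus two benign ones.
SAMPLE_EVENTS = [
    Event("remote_thread", 4120, r"c:\users\alice\appdata\local\temp\updater.exe", False,
          target_pid=2208, target_image=r"c:\windows\system32\notepad.exe"),
    Event("remote_thread", 5304, r"c:\tools\dump.exe", True,
          target_pid=668, target_image=r"c:\windows\system32\lsass.exe"),
    Event("image_load", 6012, r"c:\users\alice\downloads\signedtool.exe", False,
          image_signed=True, dll_path=r"c:\users\alice\downloads\helper.dll", dll_signed=False),
    Event("image_load", 6012, r"c:\users\alice\downloads\signedtool.exe", False,
          image_signed=True, dll_path=r"c:\windows\system32\kernel32.dll", dll_signed=True),
    Event("remote_thread", 7000, r"c:\windows\explorer.exe", False,
          target_pid=7000, target_image=r"c:\windows\explorer.exe"),
]

if __name__ == "__main__":
    for d in classify(SAMPLE_EVENTS):
        print(f"[{d.severity}] {d.rule}: {d.detail}")
```

Run as a script it prints three detections (medium, high, high) and stays silent on the two benign events. In practice the `elevated` flag and the signature status of both host and DLL would come from the sensor rather than being asserted in the event, and the image-load rule would be tightened with an allow list of known self-contained applications that legitimately ship unsigned DLLs beside their executables.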