An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.
Description
Attack Execution Flow
4
1
Step 1
Explore[Determine target thread] The adversary determines the underlying system thread that is subject to user-control
AI Translation
[Determina il thread di destinazione] L'avversario identifica il thread di sistema sottostante soggetto a controllo dell'utente
2
Step 2
Experiment[Gain handle to thread] The adversary then gains a handle to a process thread.
Use the 'OpenThread' API call in Windows on a known thread.
Cause an exception in a java privileged block public function and catch it, or catch a normal signal. The thread is then hanging and the adversary can attempt to gain a handle to it.
AI Translation
[Ottenere un handle al thread] L'attaccante ottiene quindi un handle a un thread di processo.
Utilizzare la chiamata API "OpenThread" in Windows su un thread noto.
Generare un'eccezione in un blocco privilegiato Java, come una funzione pubblica, e catturarla, o catturare un segnale normale. Il thread rimane così in attesa e l'attaccante può tentare di ottenere un handle su di esso.
Attack Techniques
-
Cause an exception in a java privileged block public function and catch it, or catch a normal signal. The thread is then hanging and the adversary can attempt to gain a handle to it.
-
Use the "OpenThread" API call in Windows on a known thread.IT: Generare un'eccezione in un blocco privilegiato Java, pubblica funzione, e catturarla, oppure catturare un segnale normale. Il thread si blocca quindi e l'avversario può tentare di ottenere un riferimento ad esso.
3
Step 3
Experiment[Alter process memory] Once the adversary has a handle to the target thread, they will suspend the thread and alter the memory using native OS calls.
On Windows, use 'SuspendThread' followed by 'VirtualAllocEx', 'WriteProcessMemory', and 'SetThreadContext'.
AI Translation
[Alterare la memoria del processo] Una volta che l'avversario ha un handle sul thread target, sospenderà il thread e modificherà la memoria utilizzando chiamate native del sistema operativo.
Su Windows, utilizzare "SuspendThread" seguito da "VirtualAllocEx", "WriteProcessMemory" e "SetThreadContext".
Attack Techniques
-
On Windows, use "SuspendThread" followed by "VirtualAllocEx", "WriteProcessMemory", and "SetThreadContext".
4
Step 4
Exploit[Resume thread execution] Once the process memory has been altered to execute malicious code, the thread is then resumed.
On Windows, use 'ResumeThread'.
AI Translation
[Riprendi l'esecuzione del thread] Una volta che la memoria del processo è stata modificata per eseguire codice dannoso, il thread viene quindi ripreso.
Su Windows, utilizzare "ResumeThread".
Attack Techniques
-
On Windows, use "ResumeThread".
Mitigations
2
Application Architects Must Be Careful To Design Callback, Signal, And Similar Asynchronous Constructs Such That They Shed Excess Privilege Prior To Handing Control To User-Written (Thus Untrusted) Code.
Application Architects Must Be Careful To Design Privileged Code Blocks Such That Upon Return (Successful, Failed, Or Unpredicted) That Privilege Is Shed Prior To Leaving The Block/Scope.
Consequences
Security Scopes Affected
Access Control
Authorization
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Gain Privileges
Relationships
Parent CAPECs
Related ATT&CK Techniques
1
T1055.003
Thread Execution Hijacking
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. …
Resources Required
1
None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread.
The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.