New Mockingjay process injection technique evades EDR detection
2023-06-27 13:00

A new process injection technique named 'Mockingjay' could allow threat actors to bypass EDR and other security products to stealthily execute malicious code on compromised systems.

Process injection is a method of executing arbitrary code in the address space of another running process that the operating system trusts, which gives threat actors a way to run malicious code without being detected.

Examples of process injection techniques include DLL injection, PE injection, reflective DLL injection, thread execution hijacking, process hollowing, mapping injection, APC injection, and others.

Next, the team developed two injection methods, one for self-injection and one for remote process injection.

Tests showed that this remote injection attack, which doesn't require creating a new thread within the target process, allocating memory, or setting permissions, successfully evades EDR solutions.

EDRs commonly monitor APIs such as 'WriteProcessMemory,' 'NtWriteVirtualMemory,' 'CreateRemoteThread,' or 'NtCreateThreadEx,' which are more commonly invoked in traditional process injection attacks.
News URL

https://www.bleepingcomputer.com/news/security/new-mockingjay-process-injection-technique-evades-edr-detection/