Question 1: An attacker creates a legitimate Windows process in a suspended state, unmaps its executable code from memory, writes malicious code into the emptied process memory space, and resumes the process. Task manager shows a legitimate-looking process name and file path. Which injection technique is this?
Question 2: Which of the following injection techniques does NOT leave a malicious executable file on disk as an artifact?
Question 3: An organization wants to protect LSASS credentials even if an attacker gains SYSTEM-level privileges on a Windows 10 Enterprise machine. Which technology achieves this?
Question 4: Which memory protection technique randomizes the base addresses of DLLs and the stack and heap at each boot, defeating hardcoded-address exploits and ROP chains?
Question 5: A threat actor uses a phishing email with a malicious macro to trigger PowerShell, which downloads a CobaltStrike Beacon payload directly into memory and injects it into explorer.exe β never writing any files to disk. This attack is BEST described as:
Matching: Windows API Roles in DLL Injection
Match each Windows API call to its specific role in the DLL injection sequence.
API CALL
ROLE IN DLL INJECTION
Analysis Question
A threat hunter finds that a workstation's svchost.exe is making sustained outbound HTTPS connections to an unfamiliar external IP. The svchost.exe file on disk passes all integrity checks. No new files have been created on the system. No new processes appear in the process list beyond the expected svchost instances. What likely occurred and how would you investigate?
What likely occurred: Process hollowing or reflective DLL injection β malicious code is running inside svchost.exe while the on-disk file is legitimate and unchanged. The absence of new files and new processes is consistent with a memory-only attack. The anomalous outbound HTTPS connections indicate the injected code is a C2 beacon communicating with an attacker's infrastructure.
Why the disk is clean: Process hollowing replaces the in-memory executable sections without modifying the disk file. Reflective DLL injection loads a DLL entirely from memory with no disk write. Both techniques are specifically designed to pass file-based checks.
Investigation steps:
(1) Memory acquisition first β before any reboot. Use Magnet RAM Capture, DumpIt, or WinPmem to acquire a full physical memory image. Rebooting destroys all evidence. This is the single most important step.
(2) Volatility analysis of the memory image: Run the malfind plugin to identify memory regions with anomalous permission combinations (RWX β read-write-execute) and PE header signatures at non-standard addresses. Run dlllist to identify any DLLs loaded at addresses not matching expected module load points. Run netscan to map network connections to specific processes and verify the svchost instance responsible for the HTTPS connections.
(3) Compare in-memory code to on-disk executable: Extract the code sections from the svchost.exe memory image and compare their hash to the on-disk svchost.exe binary. A mismatch is definitive evidence of process hollowing. Tools: Process Hacker (live), Volatility procdump (from memory image).
(4) Parent process analysis: svchost.exe should always be a child of services.exe. An svchost.exe with any other parent process is suspicious. Check both live (Process Explorer) and in the memory image (Volatility pstree).
(5) Check for injected memory regions with RWX permissions: Injected shellcode and reflective DLLs often exist in memory regions with read-write-execute permissions simultaneously β a combination that is highly unusual for legitimate code.
(6) Analyze the network connection: Extract the external IP from memory or EDR logs, perform passive DNS and threat intelligence lookups, and check if the connection pattern (periodic check-ins, beaconing behavior) is consistent with C2 activity.
(7) Review EDR telemetry: Look for VirtualAllocEx, WriteProcessMemory, or SetThreadContext calls targeting the svchost PID in the time window before the anomalous connections began. The injection event itself may be logged even if its result (the injected code) is memory-only.
Evaluation Question
"DEP alone is sufficient to prevent memory injection attacks." Evaluate this statement.
What DEP does: DEP marks data memory regions (stack, heap, data segments) as non-executable using the CPU's NX bit. If an attacker injects shellcode into stack or heap memory, the CPU raises an exception when that code is executed, preventing it from running. This defeats the simplest form of shellcode injection: write shellcode to stack β jump to stack β execute shellcode.
Why DEP is insufficient:
(1) ROP (Return-Oriented Programming) bypasses DEP entirely. ROP chains do not inject new executable code β they reuse small "gadget" sequences already present in legitimate, executable DLL memory. The attacker chains these gadgets (each ending in a RET instruction) to achieve arbitrary computation without ever executing code from a data region. DEP provides zero protection against ROP because all the code being executed is already in executable regions that DEP doesn't touch. This is the primary real-world bypass and is used in virtually all modern exploits.
(2) Reflective DLL injection maps the DLL into executable memory. The reflective loader allocates the injected DLL's code sections with EXECUTE permissions β the memory region where the injected code runs IS executable. DEP only blocks code in data regions; it has no relevance to memory that is intentionally allocated as executable. Reflective injection specifically allocates executable memory for this reason.
(3) Process hollowing writes code into a code region. When an attacker hollows a process and writes their payload into the emptied code sections, those sections remain marked executable (because they were originally the process's code). DEP protects data regions, not code regions β which are intentionally executable. The hollowed payload runs in what the OS considers a legitimate executable region.
(4) DLL injection loads a DLL into executable memory. Windows loads DLLs into code memory with execute permissions. Standard DLL injection causes Windows' own LoadLibrary to load the attacker's DLL β into memory that is correctly marked executable. DEP has no role in stopping this.
What is sufficient: Defense requires DEP + ASLR (ASLR randomizes gadget addresses, defeating ROP; together they force attackers toward information leaks and significantly more complex exploitation chains) + CFG (limits indirect control flow hijacking) + behavioral EDR (detects injection API sequences regardless of memory protection state) + Credential Guard (protects the credential targets even if injection succeeds). No single control is sufficient; the combination creates genuine defense in depth.