Full Report
Research by: hasherezade

Key Points

Introduction

Process injection is one of the most important techniques used by attackers; we can find its variants implemented in almost every piece of malware. It serves purposes such as: In our previous blog on process injections we explained the foundations of this topic and the basic ideas behind detection and prevention. We also proposed a new technique dubbed Thread […]

The post Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking appeared first on Check Point Research.
Analysis Summary
# Tool/Technique: Waiting Thread Hijacking (WTH)
## Overview
Waiting Thread Hijacking (WTH) is a stealthier evolution of classic Thread Hijacking, designed to achieve stealthy process injection and remote code execution by misusing the flow of a waiting thread within a target process. It is crafted to evade common Endpoint Detection and Response (EDR) monitoring by avoiding highly alerted APIs like `SuspendThread`, `ResumeThread`, and `SetThreadContext`.
## Technical Details
- Type: Technique (Process Injection Variant)
- Platform: Windows (the research implies 64-bit target processes running at medium integrity)
- Capabilities: Stealthy remote code execution by hijacking a waiting thread's execution flow; the allocation, write and execution steps are completed without calling the APIs that usually draw attention.
- First Seen: Not explicitly stated; presented as current research building on previous work such as Thread Name-Calling.
## MITRE ATT&CK Mapping
- T1055 - Process Injection
- T1055.003 - Thread Execution Hijacking (WTH is described as an evolution of this)
## Functionality
### Core Capabilities
- **Remote Code Execution:** Forces a remote thread to execute injected payload code.
- **Defense Evasion:** Avoids using highly monitored APIs associated with traditional thread hijacking (`SuspendThread`, `ResumeThread`, `SetThreadContext`).
- **Memory Primitives:** Utilizes standard allocation and write primitives (`VirtualAllocEx`, `WriteProcessMemory`) combined with unexpected execution flow alteration.
### Advanced Features
- **API Obfuscation:** The technique allows for obfuscating the sequence of APIs called to tamper with behavioral signatures used by security products.
- **Targeted Handle Access:** Uses specific, potentially less scrutinized handle access rights: `PROCESS_VM_OPERATION`, `PROCESS_VM_READ`, `PROCESS_VM_WRITE` for the process, and `THREAD_GET_CONTEXT` for the thread.
## Indicators of Compromise
- **File Hashes:** N/A (Focus is on memory and API use)
- **File Names:** N/A (Focus is on memory and API use)
- **Registry Keys:** N/A
- **Network Indicators:** N/A
- **Behavioral Indicators:**
  - Use of the following legitimate APIs, in sequence, to carry out the injection:
    - `NtQuerySystemInformation` (with the `SystemProcessInformation` parameter)
    - `GetThreadContext`
    - `ReadProcessMemory`
    - `VirtualAllocEx`
    - `WriteProcessMemory`
    - `VirtualProtectEx`
  - Interception and misuse of a waiting thread's execution flow to run the payload.
## Associated Threat Actors
- Not explicitly named; the technique is associated with attackers and red teamers seeking stealthy code injection.
## Detection Methods
- **Signature-based detection:** Can be defeated by obfuscating the order of the API calls.
- **Behavioral detection:** Security products must monitor for the combination of memory allocation and write primitives against a remote process followed by redirection of a waiting thread's execution, even when the sequence avoids the well-known alerting functions.
- **YARA rules:** N/A
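The behavioral indicator above can be expressed as an ordered-subsequence check over per-process API telemetry. The following is an added detection sketch, not code from Check Point Research; the `source_pid,api,target_pid` record format and the sample log are constructed for illustration, and a real EDR feed would supply the equivalent fields.

```python
# Added detection sketch (not Check Point Research's code): flags a source process
# whose cross-process API calls contain the WTH sequence listed in this summary.
from collections import defaultdict

# Ordered cross-process calls listed as the behavioral indicator of WTH.
WTH_SEQUENCE = ["NtQuerySystemInformation", "GetThreadContext", "ReadProcessMemory",
                "VirtualAllocEx", "WriteProcessMemory", "VirtualProtectEx"]
# Calls classic thread hijacking needs; WTH is quieter because they are absent.
LOUD_APIS = {"SuspendThread", "ResumeThread", "SetThreadContext", "CreateRemoteThread"}

# Constructed sample telemetry: "source_pid,api,target_pid" (0 = no specific target).
SAMPLE_LOG = """\
4242,NtQuerySystemInformation,0
4242,OpenProcess,1337
4242,GetThreadContext,1337
4242,ReadProcessMemory,1337
4242,VirtualAllocEx,1337
4242,Sleep,0
4242,WriteProcessMemory,1337
4242,VirtualProtectEx,1337
5555,VirtualAllocEx,1337
5555,WriteProcessMemory,1337
5555,CreateRemoteThread,1337
"""

def parse_events(text):
    """Parse the constructed CSV records into (source_pid, api, target_pid) tuples."""
    rows = (line.split(",") for line in text.splitlines() if line.strip())
    return [(int(p), a, int(t)) for p, a, t in rows]

def is_subsequence(needle, haystack):
    """True if needle's items occur in haystack in order; gaps are allowed, so
    unrelated calls interleaved to blur the signature do not break the match."""
    it = iter(haystack)
    return all(any(api == want for api in it) for want in needle)

def detect_wth(events):
    """Map (source_pid, target_pid) -> 'wth' or 'classic' for each pair whose history
    holds the full sequence; target 0 calls (system-wide queries) count for every target."""
    by_source = defaultdict(list)
    for pid, api, target in events:
        by_source[pid].append((api, target))
    verdicts = {}
    for src, calls in by_source.items():
        for tgt in {t for _, t in calls if t not in (src, 0)}:
            apis = [a for a, t in calls if t in (tgt, 0)]
            if is_subsequence(WTH_SEQUENCE, apis):
                verdicts[(src, tgt)] = "classic" if LOUD_APIS & set(apis) else "wth"
    return verdicts
```

Running `detect_wth(parse_events(SAMPLE_LOG))` flags only pid 4242 against pid 1337 as `wth`; pid 5555 is not flagged because it never performed the thread discovery and context-read steps, which is the part of the sequence that distinguishes WTH from a plain allocate-and-write.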
## Mitigation Strategies
- **Prevention measures:** Implement strong monitoring of API sequences that lead to context alteration or execution redirection, especially when the affected thread is in a wait state.
- **Hardening recommendations:** Monitor for target handle requests that lack write access (which can sometimes be a tell), while noting that WTH itself requires specific handle access rights to succeed. Focus on detecting unusual execution-flow redirection in threads that have shown no recent activity.
## Related Tools/Techniques
- Thread Execution Hijacking (General category)
- Thread Name-Calling (Previous technique exploiting the Thread Name API)
- Classic Thread Hijacking (T1055.003)
- APC Injection (T1055.004)
- Remote Thread Creation
- Direct manipulation of thread context (`GetThreadContext`/`SetThreadContext`)