"New Mockingjay Process Injection Technique Evades EDR Detection"

A new process injection technique called "Mockingjay" may enable threat actors to evade Endpoint Detection and Response (EDR) and other security products in order to secretly execute malicious code on compromised systems. Researchers at the cybersecurity company Security Joes discovered the technique, which uses legitimate DLLs with read, write, and execute sections to bypass EDR hooks and inject code into remote processes.

Process injection is a technique for executing arbitrary code in the address space of another running process trusted by the operating system, giving threat actors the ability to run malicious code without being detected. Examples of process injection techniques include DLL injection, PE injection, reflective DLL injection, thread execution hijacking, process hollowing, mapping injection, and more. All these methods require using Windows Application Programming Interfaces (APIs) and different system calls, creating processes/threads, and writing process memory.

Mockingjay distinguishes itself from other methods because it does not use commonly abused Windows API calls, set special permissions, perform memory allocation, or even start a thread, thus removing many potential detection opportunities. This article continues to discuss findings regarding the new Mockingjay process injection method.

Bleeping Computer reports "New Mockingjay Process Injection Technique Evades EDR Detection"
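The detection opportunity the summary points at is the pre-existing read/write/execute section inside a legitimate DLL. A defender can inventory such sections directly from PE section headers, without any of the runtime hooks the technique sidesteps. The script below is an added example written for this page, not code from Security Joes or from the article: it parses the section table of a PE image and reports every section whose characteristics set IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE together. Because it must run offline, it also builds a constructed minimal PE64 image (the `build_sample_pe` helper and the `.rwx` section name are assumptions for the demo) rather than reading a real DLL; pass a file path on the command line to scan a real image.

```python
"""
Flag PE sections whose characteristics allow read, write and execute at once.
Added example for this page (not code from Security Joes or the article):
a minimal PE section-header parser plus a constructed sample image so the
check runs offline. Run with a path argument to scan a real DLL/EXE.
"""
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def iter_sections(data: bytes):
    """Yield (name, characteristics) for each section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # start of the 20-byte COFF header
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size             # section table follows the optional header
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, first + i * SECTION_HEADER.size)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        yield name, fields[9]


def find_rwx_sections(data: bytes) -> list:
    """Return the names of sections that are readable, writable and executable."""
    return [name for name, ch in iter_sections(data) if (ch & RWX) == RWX]


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE64 image (headers only) with the given
    (name, characteristics) pairs. Assumption for the demo: no real code."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x20B).ljust(240, b"\0")      # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    hdrs = b"".join(
        SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                            0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                            0, 0, 0, 0, ch)
        for i, (name, ch) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + opt + hdrs


# Constructed sample: a normal code section, a normal data section, and one
# section that is mapped RWX (the property Mockingjay relies on).
SAMPLE_PE = build_sample_pe([
    (".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20),   # code, R+X
    (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),     # data, R+W
    (".rwx", RWX | 0x20),                                           # code, R+W+X
])


def demo() -> list:
    """Run the check against the constructed sample image."""
    return find_rwx_sections(SAMPLE_PE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
        flagged = find_rwx_sections(image)
        print(f"{sys.argv[1]}: RWX sections = {flagged or 'none'}")
    else:
        print(f"constructed sample: RWX sections = {demo()}")
```

Run over a directory of DLLs, the list of flagged images is a baseline a hunting team can compare against what is actually loaded into sensitive processes; a legitimate module with an RWX section is not malicious by itself, but it is worth knowing which ones exist before an attacker finds them first.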


 
