Mastering Mockingjay: Advanced Process Injection for EDR Evasion

Listen to this Post

Featured Image

Introduction:

Mockingjay (EarlyBird Injection) is a sophisticated process injection technique leveraging the Windows API `QueueUserAPC` to execute shellcode in suspended legitimate processes before EDR hooks initialize. This evasion method exploits gaps in defensive monitoring of asynchronous procedure calls (APCs), enabling stealthy code execution in red team operations.

Learning Objectives:

  • Understand the workflow of Mockingjay injection.
  • Implement shellcode injection using suspended processes and APCs.
  • Configure detection rules for Sysmon and EDR correlation.

1. Creating a Suspended Process

Command:

Start-Process -FilePath "C:\Windows\System32\wmiprvse.exe" -ArgumentList "-s" -WindowStyle Hidden -Suspended

Step-by-Step Guide:

  1. Launch `wmiprvse.exe` (a trusted Windows process) in a suspended state (-Suspended flag).

2. The `-WindowStyle Hidden` ensures no visible UI.

  1. This creates a “clean” process environment before EDRs load defensive DLLs.

2. Allocating Memory and Injecting Shellcode

Command (WinAPI):

VirtualAllocEx(hProcess, NULL, shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, allocatedMem, shellcode, shellcodeSize, NULL);

Step-by-Step Guide:

  1. Use `VirtualAllocEx` to allocate memory in the target process (hProcess).

2. Set permissions to `PAGE_EXECUTE_READWRITE` for shellcode execution.

  1. Write shellcode (e.g., Meterpreter payload) into the allocated space via WriteProcessMemory.

3. Queueing an APC to Execute Shellcode

Command:

QueueUserAPC((PAPCFUNC)allocatedMem, hThread, NULL);

Step-by-Step Guide:

  1. Retrieve the suspended thread handle (hThread) of the target process.
  2. Call QueueUserAPC, pointing to the shellcode address (allocatedMem).
  3. The APC queues the shellcode to run when the thread resumes.

4. Resuming Thread Execution

Command:

ResumeThread(hThread);

Step-by-Step Guide:

1. Execute `ResumeThread` on the suspended thread.

  1. The thread triggers the APC, running the shellcode before the process’s entry point.
  2. EDR hooks (e.g., Microsoft Defender/AMSI) are bypassed as they initialize post-entry.
    1. Sysmon Detection via Event ID 8 & 10

Sysmon Config Snippet:

<RuleGroup name="EarlyBird Injection Detection"> 
<ProcessCreate onmatch="include"> 
<CommandLine condition="contains">-s</CommandLine> 
</ProcessCreate> 
<ThreadCreate onmatch="exclude"> 
<StartAddress condition="is">0x0</StartAddress> 
</ThreadCreate> 
</RuleGroup>

Step-by-Step Guide:

  1. Monitor `Event ID 8` (CreateRemoteThread) and `ID 10` (ProcessAccess) for suspicious memory operations.
  2. Correlate `ResumeThread` calls on newly created suspended processes.
  3. Alert on `QueueUserAPC` usage in non-interactive processes (e.g., wmiprvse.exe).

6. EDR Bypass Analysis

Why It Evades CrowdStrike/SentinelOne:

  • EDRs often hook `NtResumeThread` but not early-stage APCs.
  • Legitimate processes (e.g., wmiprvse.exe) reduce suspicion.
  • Shellcode runs pre-initialization, avoiding inline hooks.

7. Mitigation Strategies

Countermeasures:

1. Restrict Process Creation:

Set-ProcessMitigation -Policy BlockUntrustedFonts, DisableWin32kSystemCalls 

2. Monitor APC Queues:

Sysmon -i -accepteula -nologo

With custom rules for `QueueUserAPC` in child processes.

3. Enable Kernel Callbacks:

Configure EDRs to inspect `PsSetLoadImageNotifyRoutine` for early-stage DLL loads.

What Undercode Say:

Key Takeaways:

  1. Effectiveness: Mockingjay exploits a fundamental gap in EDR architecture—delayed hook initialization—making it persistently viable in 2025.
  2. Detection Complexity: Reliable identification requires kernel-level telemetry (e.g., ETW) correlating APC calls with thread resumption timestamps.

Analysis:

While Sysmon rules (Events 8/10) offer partial visibility, advanced EDRs must instrument `NtQueueApcThreadEx` and monitor thread state transitions. The technique’s reliance on trusted processes (e.g., wmiprvse.exe) complicates behavioral blocking. Future defenses will likely integrate machine learning to flag anomalous APC patterns pre-execution, but attackers may counter by targeting lesser-monitored processes (e.g., svchost.exe). For red teams, Mockingjay remains a high-reward method for initial access; for blue teams, granular process lineage tracking is non-negotiable.

IT/Security Reporter URL:

Reported By: Jeremy Erazo – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin