PrependMigrate in Veil

PrependMigrate is a technique where a payload, immediately upon execution, migrates its code into another running process. The purpose is to move execution out of the initial payload binary and into a legitimate process, making detection harder for security tools that focus on the originating process.

From a defensive perspective, understanding PrependMigrate is valuable because it represents a category of process injection that occurs at the very beginning of payload execution — before the defensive team even has a chance to analyze the initial process.

How PrependMigrate Works

The technique follows a predictable sequence:

  1. Initial execution — The payload starts in its own process
  2. Target selection — The payload identifies a suitable host process (often a long-running, legitimate process like explorer.exe or svchost.exe)
  3. Memory allocation — The payload allocates memory in the target process with execute permissions
  4. Code injection — The payload writes its code into the allocated memory
  5. Execution transfer — A remote thread is created in the target process to execute the injected code
  6. Cleanup — The original payload process may exit, leaving only the injected code running in the legitimate process

Detection Strategies

Despite the technique's evasion intent, PrependMigrate creates detectable artifacts:

Process Creation and Injection Events

  • Sysmon Event ID 1 — Captures the initial payload process creation
  • Sysmon Event ID 8 — CreateRemoteThread detection, which fires when the payload creates a thread in the target process
  • Sysmon Event ID 10 — Process access events showing cross-process memory operations

Memory Analysis

  • Unbacked memory regions — Code running from memory that does not map to a file on disk
  • RWX memory pages — Memory regions with read-write-execute permissions are rare in legitimate processes
  • Thread start addresses — Threads starting from non-module addresses indicate injection

Behavioral Indicators

  • Short-lived processes — A process that starts, injects into another process, and exits within seconds
  • Parent-child anomalies — Unexpected parent processes for known legitimate programs
  • Timing patterns — Injection occurring within milliseconds of process creation

Monitoring Recommendations

For organizations seeking to detect PrependMigrate and similar injection techniques:

  1. Deploy Sysmon with comprehensive rules — Ensure Event IDs 1, 8, and 10 are captured with appropriate filtering
  2. Monitor for RWX allocations — VirtualAllocEx requesting PAGE_EXECUTE_READWRITE in another process's address space
  3. Alert on CreateRemoteThread — Legitimate use of this API is rare outside of debuggers and specific development tools
  4. Baseline normal process behavior — Know what processes normally create threads in other processes in your environment
  5. Implement memory scanning — Periodic scanning for unbacked executable memory in critical processes
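The following is an added detection example, not code from the article or from Veil: it correlates Sysmon records (Event ID 1 process creation, Event ID 10 process access, Event ID 8 CreateRemoteThread, Event ID 5 process termination) to flag the sequence described under Detection Strategies and Monitoring Recommendations. A finding requires the timing pattern (remote thread within a short window of the source process starting) and an unbacked thread start address (empty StartModule); a prior process-access event with create-thread and VM-write rights and a short-lived source process are reported as supporting reasons. The events, GUIDs, paths and timestamps are constructed sample data shaped like Sysmon's JSON output; the five-second window is an assumed threshold to tune per environment.

```python
"""
Added example: correlate Sysmon records to flag a PrependMigrate-style
injection sequence. Not Veil's code and not from the original article; the
events below are CONSTRUCTED sample data shaped like Sysmon's JSON output.
"""
from datetime import datetime, timedelta

# Win32 process access rights an injector needs on the target process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events (not real telemetry). Field names follow Sysmon's
# schema; note that Event ID 10 spells its GUID fields 'SourceProcessGUID'.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "ProcessGuid": "{A}", "ProcessId": 4321,
     "Image": "C:\\Users\\lab\\Downloads\\update.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:00.120", "SourceProcessGUID": "{A}", "SourceProcessId": 4321,
     "SourceImage": "C:\\Users\\lab\\Downloads\\update.exe", "TargetProcessGUID": "{B}", "TargetProcessId": 1200,
     "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:00.140", "SourceProcessGuid": "{A}", "SourceProcessId": 4321,
     "SourceImage": "C:\\Users\\lab\\Downloads\\update.exe", "TargetProcessGuid": "{B}", "TargetProcessId": 1200,
     "TargetImage": "C:\\Windows\\explorer.exe", "NewThreadId": 5566,
     "StartAddress": "0x000001F2C0A10000", "StartModule": "", "StartFunction": ""},
    {"EventID": 5, "UtcTime": "2024-01-01 10:00:00.300", "ProcessGuid": "{A}", "ProcessId": 4321,
     "Image": "C:\\Users\\lab\\Downloads\\update.exe"},
    # Benign contrast: a debugger creating a remote thread that starts inside a
    # loaded module, half an hour after the debugger itself started.
    {"EventID": 1, "UtcTime": "2024-01-01 09:00:00.000", "ProcessGuid": "{C}", "ProcessId": 900,
     "Image": "C:\\Tools\\debugger.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 8, "UtcTime": "2024-01-01 09:30:00.000", "SourceProcessGuid": "{C}", "SourceProcessId": 900,
     "SourceImage": "C:\\Tools\\debugger.exe", "TargetProcessGuid": "{D}", "TargetProcessId": 2000,
     "TargetImage": "C:\\Program Files\\app\\app.exe", "NewThreadId": 7,
     "StartAddress": "0x00007FF8A1B20000", "StartModule": "C:\\Windows\\System32\\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
]


def parse_utc(s):
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect_prepend_migrate(events, window=timedelta(seconds=5)):
    """Return one finding per Event ID 8 whose source process was created
    within `window` before the remote thread and whose thread start address
    is not backed by a loaded module. Matching Event ID 10 and Event ID 5
    records add supporting reasons. `window` is an assumed threshold."""
    created, ended, accesses, threads = {}, {}, {}, []
    for e in events:
        eid = e["EventID"]
        if eid == 1:
            created[e["ProcessGuid"]] = e
        elif eid == 5:
            ended[e["ProcessGuid"]] = e
        elif eid == 10:
            accesses.setdefault(e["SourceProcessGUID"], []).append(e)
        elif eid == 8:
            threads.append(e)

    findings = []
    for t in threads:
        guid = t["SourceProcessGuid"]
        start = created.get(guid)
        if start is None:
            continue  # no creation record in this batch, so no delta to measure
        to_inject = parse_utc(t["UtcTime"]) - parse_utc(start["UtcTime"])
        unbacked = not t.get("StartModule")
        if to_inject > window or not unbacked:
            continue  # both the timing pattern and the unbacked start address are required
        reasons = [
            f"remote thread created {to_inject.total_seconds():.3f}s after source process start",
            f"thread start address {t['StartAddress']} is not backed by a loaded module",
        ]
        # Supporting evidence: the source opened the same target with injection rights.
        for a in accesses.get(guid, []):
            if (a["TargetProcessGUID"] == t["TargetProcessGuid"]
                    and int(a["GrantedAccess"], 16) & INJECT_RIGHTS == INJECT_RIGHTS):
                reasons.append(f"target opened earlier with GrantedAccess {a['GrantedAccess']} "
                               "(create-thread and VM-write rights)")
        # Supporting evidence: the source process exited shortly after starting.
        end = ended.get(guid)
        if end is not None:
            lived = parse_utc(end["UtcTime"]) - parse_utc(start["UtcTime"])
            if lived <= window:
                reasons.append(f"source process exited {lived.total_seconds():.3f}s after start (short-lived)")
        findings.append({
            "source_guid": guid,
            "source_image": t["SourceImage"],
            "target_image": t["TargetImage"],
            "seconds_to_inject": to_inject.total_seconds(),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in detect_prepend_migrate(SAMPLE_EVENTS):
        print(f"ALERT {f['source_image']} -> {f['target_image']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the sample, only the update.exe to explorer.exe sequence is reported, with all four reasons; the debugger's remote thread is excluded because it starts inside ntdll.dll and long after the debugger launched. The `seconds_to_inject` value is the detection window the Lab Exercise asks you to measure, and the correlation only works if the Event ID 1 record is available when the Event ID 8 record arrives, which is why batch log processing with delays can miss it.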

Lab Exercise

Testing PrependMigrate detection in your lab:

  1. Enable Sysmon with rules covering injection events
  2. Generate a payload with PrependMigrate enabled
  3. Execute the payload and observe the injection sequence in logs
  4. Verify that your SIEM/detection rules fire on the injection events
  5. Note the time delta between initial execution and injection — this is your detection window

The detection window for PrependMigrate is typically very small (seconds or less), which means real-time alerting is essential. Batch log processing with delays may miss the correlation between the initial process and the injection event.
