T1055: Process Injection
| View on MITRE ATT&CK | T1055 |
|---|---|
| Tactic(s) | Defense Evasion, Privilege Escalation |
| Associated CAPEC Patterns | Root/Jailbreak Detection Evasion via Hooking (CAPEC-660), Local Code Inclusion (CAPEC-251) |
Data from MITRE ATT&CK®:
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
This blog post from Cisco Talos discusses ArcaneDoor, an espionage-focused campaign targeting perimeter network devices, which are crucial for ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
How to detect this technique
MITRE ATT&CK Data Components
Process Access (Process)
Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)
Process Modification (Process)
Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)
Module Load (Module)
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
OS API Execution (Process)
Operating system function/method calls executed by a process
File Metadata (File)
Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.
Process Metadata (Process)
Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Process Injection with Go using EtwpCreateEtwThread WinAPI
Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
Read-Write-Execute process Injection
Remote Process Injection with Go using RtlCreateUserThread WinAPI
Remote Process Injection in LSASS via mimikatz
Process Injection with Go using CreateThread WinAPI (Natively)
Shellcode execution via VBA
Remote Process Injection with Go using CreateRemoteThread WinAPI
UUID custom process Injection
Process Injection with Go using UuidFromStringA WinAPI
Process Injection with Go using CreateThread WinAPI
Dirty Vanity process Injection
Section View Injection
Sigma Detections for this Technique
Potential Shellcode Injection
Potential Process Injection Via Msra.EXE
Suspicious Child Process Of Wermgr.EXE
CobaltStrike Named Pipe Pattern Regex
HackTool - EfsPotato Named Pipe Creation
Network Connection Initiated Via Notepad.EXE
Malicious Named Pipe Created
Suspicious Userinit Child Process
DotNet CLR DLL Loaded By Scripting Applications
HackTool - DInjector PowerShell Cradle Execution
Created Files by Microsoft Sync Center
Suspicious Rundll32 Invoking Inline VBScript
Dllhost.EXE Execution Anomaly
Rare Remote Thread Creation By Uncommon Source Image
CobaltStrike Named Pipe Patterns
HackTool - CoercedPotato Named Pipe Creation
Suspect Svchost Activity
HackTool - CoercedPotato Execution
Microsoft Sync Center Suspicious Network Connections
Remote Thread Creation By Uncommon Source Image
PowerShell ShellCode
Potential DLL Sideloading Using Coregen.exe
Process Creation Using Sysnative Folder
CobaltStrike Named Pipe
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.