Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
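As an added example (this is not content from the mapping page, nor any vendor's detection rule), the Python below scores Sysmon-style process telemetry for three indicators that detection content for T1055 commonly relies on: a `CreateRemoteThread` event (Event ID 8) whose start address is not backed by a loaded image, a process handle (Event ID 10) granted with the access rights that remote write-and-execute injection requires, and a `mavinject.exe /INJECTRUNNING` command line (Event ID 1), the same pattern the Google Security Operations rule listed further down this page looks for. Field names follow Sysmon's event schema; the sample events, the allowlist of source processes and the threshold logic are constructed assumptions, not real telemetry or a production rule.

```python
# Added example: scoring Sysmon-style process events for injection indicators.
# Not from the mapping page or any vendor. Field names follow Sysmon EID 1/8/10;
# the sample events and ALLOWLISTED_SOURCES are constructed assumptions.
import re

# Windows process access rights (winnt.h) that together let a caller write code
# into another process and start a thread on it (classic CreateRemoteThread injection).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed allowlist of system processes that legitimately open others with broad rights.
# In a real deployment this is tuned per environment (EDR agents, debuggers, etc.).
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# mavinject.exe is a signed Microsoft binary that injects a DLL into a running PID.
MAVINJECT_RE = re.compile(r"mavinject(?:32|64)?(?:\.exe)?\b.*?/(?:injectrunning|hmodule)", re.I)


def score_event(ev: dict) -> list[str]:
    """Return the injection indicators found in one event (empty list = nothing suspicious)."""
    reasons = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        if MAVINJECT_RE.search(ev.get("CommandLine", "")):
            reasons.append("mavinject.exe used to inject a DLL into a running process")
    elif eid == 8:  # CreateRemoteThread
        if ev.get("SourceProcessId") != ev.get("TargetProcessId"):
            reasons.append("thread created in another process")
            # A start address with no backing module is typical of shellcode that was
            # written into the target with WriteProcessMemory.
            if ev.get("StartModule", "") in ("", "-"):
                reasons.append("remote thread start address not backed by an image")
    elif eid == 10:  # process access (handle opened)
        src = ev.get("SourceImage", "").lower()
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if (granted & INJECT_MASK) == INJECT_MASK and src not in ALLOWLISTED_SOURCES:
            reasons.append(f"handle with write+execute rights 0x{granted:x} from non-allowlisted {src}")
    return reasons


def detect(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run score_event over a list of events; return (index, reasons) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry): one benign process start, one
# benign high-rights handle from csrss, then a mavinject command line and a
# dropper that opens explorer.exe and starts a thread in unbacked memory.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" report.txt'},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 612,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 4120, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\Public\evil.dll"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\dropper.exe", "SourceProcessId": 7788,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 4120, "GrantedAccess": "0x1F3FFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\dropper.exe", "SourceProcessId": 7788,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 4120,
     "StartAddress": "0x000001E4A3C20000", "StartModule": "", "StartFunction": ""},
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

The GrantedAccess check is the noisy one in practice: tuning means extending the allowlist with the security tooling and debuggers present in the environment, not lowering the mask, because PROCESS_VM_WRITE together with PROCESS_CREATE_THREAD is exactly what a remote-thread injector needs. The Event ID 8 check, by contrast, is low-volume and high-confidence, since legitimate software rarely starts threads in another process at an address no module owns.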
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055 | Process Injection | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.AA-05.02 | Privileged system access | Mitigates | T1055 | Process Injection | This diagnostic statement protects against Process Injection through privileged account management and the use of multi-factor authentication. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1055 | Process Injection | |
CM-05 | Access Restrictions for Change | mitigates | T1055 | Process Injection | |
SC-18 | Mobile Code | mitigates | T1055 | Process Injection | |
SI-02 | Flaw Remediation | mitigates | T1055 | Process Injection | |
SI-03 | Malicious Code Protection | mitigates | T1055 | Process Injection | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1055 | Process Injection | |
SI-04 | System Monitoring | mitigates | T1055 | Process Injection | |
AC-02 | Account Management | mitigates | T1055 | Process Injection | |
AC-03 | Access Enforcement | mitigates | T1055 | Process Injection | |
AC-05 | Separation of Duties | mitigates | T1055 | Process Injection | |
AC-06 | Least Privilege | mitigates | T1055 | Process Injection | |
SC-07 | Boundary Protection | mitigates | T1055 | Process Injection | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2025-31324 | SAP NetWeaver Unrestricted File Upload Vulnerability | exploitation_technique | T1055 | Process Injection | Attackers have exploited this SAP vulnerability to achieve remote code execution on the target system by sending malicious ZIP files to specific server endpoints, either through a single command or by uploading a web shell. |
CVE-2025-25257 | Fortinet FortiWeb SQL Injection Vulnerability | exploitation_technique | T1055 | Process Injection | Affected versions of FortiWeb contain insufficient input sanitization, allowing an attacker to use SQL injection to write a malicious .pth file into FortiWeb's Python site-packages directory. The Python interpreter processes .pth files in that directory at startup, so the malicious code executes with the interpreter's privileges. |
CVE-2025-25181 | Advantive VeraCore SQL Injection Vulnerability | exploitation_technique | T1055 | Process Injection | This vulnerability in the timeoutwarning.asp file of VeraCore versions up to 2025.1.0 allows an attacker to execute commands due to a lack of proper input sanitization, leading to effects such as privilege escalation and data destruction. |
CVE-2020-29574 | CyberoamOS (CROS) SQL Injection Vulnerability | exploitation_technique | T1055 | Process Injection | Due to an improper sanitization flaw in the web-based Cyberoam WebAdmin administrative panel, an attacker with network access can use SQL injection to execute commands remotely. |
CVE-2024-58136 | Yiiframework Yii Improper Protection of Alternate Path Vulnerability | exploitation_technique | T1055 | Process Injection | The Yii2 PHP framework, prior to version 2.0.52, contains an improper validation flaw that allows an attacker to name arbitrary PHP classes in JSON input, which the framework then instantiates and executes. This can lead to remote code execution and server-side request forgery, among other potential impacts. |
CVE-2025-21480 | Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability | exploitation_technique | T1055 | Process Injection | |
CVE-2024-6047 | GeoVision Devices OS Command Injection Vulnerability | exploitation_technique | T1055 | Process Injection | End-of-life GeoVision IoT devices contain improper input filtering, allowing commands to be injected via the szSrvIpAddr parameter of the /DateSetting.cgi endpoint. Exploiting this vulnerability can allow remote code execution on the device. |
CVE-2024-50603 | Aviatrix Controllers OS Command Injection Vulnerability | exploitation_technique | T1055 | Process Injection | Due to improper handling of user input, an attacker can insert shell metacharacters into specific parameters, permitting the execution of arbitrary commands. |
CVE-2025-1316 | Edimax IC-7100 IP Camera OS Command Injection Vulnerability | primary_impact | T1055 | Process Injection | |
CVE-2024-40891 | Zyxel DSL CPE OS Command Injection Vulnerability | exploitation_technique | T1055 | Process Injection | Zyxel CPE devices expose a Telnet interface that fails to properly sanitize input containing special characters, permitting command execution that can lead to data exfiltration, network infiltration, and total system compromise. |
CVE-2024-40890 | Zyxel DSL CPE OS Command Injection Vulnerability | exploitation_technique | T1055 | Process Injection | Zyxel CPE devices contain an HTTP-based command injection vulnerability that permits code execution and can lead to data exfiltration, network infiltration, and total system compromise. No public proof of concept exists for this exploit, and Zyxel does not intend to patch the vulnerability because the affected devices are end-of-life. |
CVE-2025-24993 | Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability | primary_impact | T1055 | Process Injection | This heap-based buffer overflow in Windows NTFS allows an attacker to elevate to SYSTEM privileges. It can be exploited via a malicious virtual hard disk (VHD) file that a user on the system mounts, leading to code execution. |
CVE-2025-21418 | Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability | primary_impact | T1055 | Process Injection | Exploiting this buffer overflow could give an adversary elevated privileges on the machine, opening the way to process injection of malicious code as well as data loss. |
CVE-2025-0282 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability | primary_impact | T1055 | Process Injection | Exploitation of this vulnerability in Ivanti products is version-specific, so reconnaissance must return the exact version before it can be exploited. If exploited, attackers may gain the ability to execute arbitrary code and harvest credentials from the compromised device, and may perform internal reconnaissance to find additional devices on the network to compromise. |
CVE-2025-22224 | VMware ESXi and Workstation TOCTOU Race Condition Vulnerability | exploitation_technique | T1055 | Process Injection | By exploiting this TOCTOU vulnerability in VMware ESXi, Workstation, and Fusion, an attacker with local administrative privileges in a virtual machine can execute code in the VMX process on the host, in effect escaping from the virtual machine to the host system. |
CVE-2025-0108 | Palo Alto Networks PAN-OS Authentication Bypass Vulnerability | primary_impact | T1055 | Process Injection | This vulnerability is part of an exploit chain (with CVE-2024-9474) that can end with an attacker gaining root access to the system. It allows the attacker to bypass authentication on the PAN-OS web management interface and invoke PHP scripts; the resulting privileged access can be used to reconfigure the firewall and create backdoors. |
CVE-2023-6548 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1055 | Process Injection | This vulnerability allows authenticated (low-privilege) remote code execution via code injection. |
CVE-2024-56145 | Craft CMS Code Injection Vulnerability | exploitation_technique | T1055 | Process Injection | This vulnerability, which requires the PHP configuration setting register_argc_argv to be enabled, allows an attacker to craft a malicious HTTP request that the CMS processes as legitimate, leading to remote code execution and, potentially, full system compromise. |
CVE-2023-34192 | Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1055 | Process Injection | An authenticated attacker can inject malicious scripts via the /h/autoSaveDraft function in Zimbra Collaboration Suite, enabling arbitrary script execution in victims' browsers as well as session cookie theft. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1055 | Process Injection | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1055 | Process Injection | The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains multiple modules for injecting into processes, but does not address other procedures. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1055 | Process Injection | This control's Fileless Attack Detection covers all relevant sub-techniques. Detection is periodic at an unknown rate. |
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1055 | Process Injection | This control's Fileless Attack Detection covers all relevant sub-techniques. The control also specifically detects process hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1055 | Process Injection | Google Security Operations can trigger an alert based on suspicious running processes that could be used to evade defenses and escalate privileges (e.g., directory traversal attempts via attachment downloads). This technique was scored as minimal based on low or uncertain detection coverage factor. Rule: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1055.011 | Extra Window Memory Injection | 9 |
T1055.003 | Thread Execution Hijacking | 9 |
T1055.013 | Process Doppelgänging | 9 |
T1055.004 | Asynchronous Procedure Call | 10 |
T1055.002 | Portable Executable Injection | 10 |
T1055.014 | VDSO Hijacking | 9 |
T1055.012 | Process Hollowing | 10 |
T1055.009 | Proc Memory | 11 |
T1055.005 | Thread Local Storage | 9 |
T1055.008 | Ptrace System Calls | 15 |
T1055.015 | ListPlanting | 3 |
T1055.001 | Dynamic-link Library Injection | 10 |