T1055 Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055 | Process Injection
    Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
PR.AA-05.02 | Privileged system access | Mitigates | T1055 | Process Injection
    Comments: This diagnostic statement protects against Process Injection through the use of privileged account management and the use of multi-factor authentication.

NIST 800-53 Mappings

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CVE-2025-31324 | SAP NetWeaver Unrestricted File Upload Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: Attackers have exploited this SAP vulnerability to achieve remote code execution on the target system by sending malicious ZIP files to specific server endpoints. This can be done either through use of a single command or by uploading a web shell.
CVE-2025-25257 | Fortinet FortiWeb SQL Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: Affected versions of FortiWeb contain insufficient input sanitization, allowing an attacker to use SQL injection to write a malicious .pth file into FortiWeb's site-packages Python directory. This allows the malicious code to execute using the privileges granted to Python scripts in that high-level directory.
CVE-2025-25181 | Advantive VeraCore SQL Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: This vulnerability exists in the timeoutwarning.asp file in VeraCore versions up to 2025.1.0 and allows an attacker to execute commands due to a lack of proper input sanitization, leading to effects such as privilege escalation and data destruction.
CVE-2020-29574 | CyberoamOS (CROS) SQL Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: Due to an improper sanitization flaw in the web-based Cyberoam WebAdmin administrative panel, an attacker with network access can use SQL injection to execute commands remotely.
CVE-2024-58136 | Yiiframework Yii Improper Protection of Alternate Path Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: The Yii2 PHP framework, prior to version 2.0.52, contains an improper validation flaw that allows an attacker to supply arbitrary PHP classes in a JSON file, which will then be instantiated and executed. This can lead to remote code execution and server-side request forgery, among other potential impacts.
CVE-2025-21480 | Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability | exploitation_technique | T1055 | Process Injection
CVE-2024-6047 | GeoVision Devices OS Command Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: End-of-life GeoVision IoT devices contain improper input filtering, allowing commands to be injected into the szSrvIpAddr parameter of the /DateSetting.cgi endpoint. Exploiting this vulnerability can allow remote code execution on the system.
CVE-2024-50603 | Aviatrix Controllers OS Command Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: Due to improper handling of user input, an attacker can insert shell metacharacters into specific parameters, permitting the execution of arbitrary commands.
CVE-2025-1316 | Edimax IC-7100 IP Camera OS Command Injection Vulnerability | primary_impact | T1055 | Process Injection
CVE-2024-40891 | Zyxel DSL CPE OS Command Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: Zyxel CPE devices contain a Telnet interface that fails to properly sanitize input containing special characters, which facilitates code execution that can lead to data exfiltration, network infiltration, and total system compromise.
CVE-2024-40890 | Zyxel DSL CPE OS Command Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: Zyxel CPE devices contain an HTTP-based vulnerability that facilitates code execution that can lead to data exfiltration, network infiltration, and total system compromise. No public proof-of-concept exists for this exploit, and Zyxel has no intention of patching the vulnerability since the affected devices are end-of-life.
CVE-2025-24993 | Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability | primary_impact | T1055 | Process Injection
    Comments: This heap-based buffer overflow vulnerability in Windows NTFS allows an attacker to elevate to SYSTEM-level privileges. It can be exploited via malicious virtual hard disk (VHD) files that a system user mounts, leading to code execution.
CVE-2025-21418 | Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability | primary_impact | T1055 | Process Injection
    Comments: Exploiting this buffer overflow vulnerability could give an adversary elevated privileges on the machine, enabling process injection of malicious code as well as data loss.
CVE-2025-0282 | Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability | primary_impact | T1055 | Process Injection
    Comments: This vulnerability in Ivanti products is version-specific, so reconnaissance must return the exact version before exploitation. If exploited, attackers may gain the ability to execute arbitrary code and harvest credentials from the compromised device. Additionally, they may perform internal reconnaissance to find additional devices on the network to compromise.
CVE-2025-22224 | VMware ESXi and Workstation TOCTOU Race Condition Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: By exploiting the TOCTOU vulnerability in VMware ESXi, Workstation, and Fusion, an attacker with local admin privileges can execute code in the VMX process on the host, in effect escaping from the virtual machine to the host system.
CVE-2025-0108 | Palo Alto Networks PAN-OS Authentication Bypass Vulnerability | primary_impact | T1055 | Process Injection
    Comments: This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. This vulnerability allows the attacker to bypass authentication on the PAN-OS web management interface and invoke PHP scripts. The attacker can also use the newly gained privileged access to reconfigure the firewall, allowing backdoors to be created.
CVE-2023-6548 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: This vulnerability allows authenticated (low-privilege) remote code execution via code injection.
CVE-2024-56145 | Craft CMS Code Injection Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: This vulnerability, which depends on the PHP configuration setting "register_argc_argv" being enabled, can allow an attacker to craft a malicious HTTP request that Craft CMS processes as legitimate, leading to remote code execution and, potentially, full system compromise.
CVE-2023-34192 | Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability | exploitation_technique | T1055 | Process Injection
    Comments: The /h/autoSaveDraft function in Zimbra Collaboration Suite can be targeted by an authenticated attacker's malicious scripts, facilitating arbitrary code execution as well as session cookie theft.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.malware.variety.In-memory | In-memory (malware never stored to persistent storage) | related-to | T1055 | Process Injection

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1055 | Process Injection
    Comments: The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains multiple modules for injecting into processes, but does not address other procedures.
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1055 | Process Injection
    Comments: This control's Fileless Attack Detection covers all relevant sub-techniques. Detection is periodic at an unknown rate.
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1055 | Process Injection
    Comments: This control's Fileless Attack Detection covers all relevant sub-techniques. The control also specifically detects process hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
google_secops | Google Security Operations | technique_scores | T1055 | Process Injection
    Comments: Google Security Ops can trigger an alert based on suspicious running processes that could be used to evade defenses and escalate privileges (e.g., directory traversal attempts via attachment downloads). This technique was scored as minimal based on a low or uncertain detection coverage factor.
    Reference: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral

ATT&CK Subtechniques

Technique ID | Technique Name                 | Number of Mappings
T1055.011    | Extra Window Memory Injection  | 9
T1055.003    | Thread Execution Hijacking     | 9
T1055.013    | Process Doppelgänging          | 9
T1055.004    | Asynchronous Procedure Call    | 10
T1055.002    | Portable Executable Injection  | 10
T1055.014    | VDSO Hijacking                 | 9
T1055.012    | Process Hollowing              | 10
T1055.009    | Proc Memory                    | 11
T1055.005    | Thread Local Storage           | 9
T1055.008    | Ptrace System Calls            | 15
T1055.015    | ListPlanting                   | 3
T1055.001    | Dynamic-link Library Injection | 10