Home
ATT&CK Techniques
T1055 Process Injection

T1055 Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.PS-05.02	Mobile code prevention	Mitigates	T1055	Process Injection	Comments Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. References
PR.AA-05.02	Privileged system access	Mitigates	T1055	Process Injection	Comments This diagnostic statement protects against Process Injection through the use of privileged account management and the use of multi-factor authentication. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CM-06	Configuration Settings	mitigates	T1055	Process Injection
CM-05	Access Restrictions for Change	mitigates	T1055	Process Injection
SC-18	Mobile Code	mitigates	T1055	Process Injection
SI-02	Flaw Remediation	mitigates	T1055	Process Injection
SI-03	Malicious Code Protection	mitigates	T1055	Process Injection
IA-02	Identification and Authentication (Organizational Users)	mitigates	T1055	Process Injection
SI-04	System Monitoring	mitigates	T1055	Process Injection
AC-02	Account Management	mitigates	T1055	Process Injection
AC-03	Access Enforcement	mitigates	T1055	Process Injection
AC-05	Separation of Duties	mitigates	T1055	Process Injection
AC-06	Least Privilege	mitigates	T1055	Process Injection
SC-07	Boundary Protection	mitigates	T1055	Process Injection

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.malware.variety.In-memory	(malware never stored to persistent storage)	related-to	T1055	Process Injection

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
microsoft_sentinel	Microsoft Sentinel	technique_scores	T1055	Process Injection	Comments The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains multiple modules for injecting into processes, but does not address other procedures. References https://learn.microsoft.com/en-us/azure/sentinel/overview https://learn.microsoft.com/en-us/azure/sentinel/hunting
alerts_for_windows_machines	Alerts for Windows Machines	technique_scores	T1055	Process Injection	Comments This control's Fileless Attack Detection covers all relevant sub-techniques. Detection is periodic at an unknown rate. References https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines
defender_for_app_service	Microsoft Defender for Cloud: Defender for App Service	technique_scores	T1055	Process Injection	Comments This control's Fileless Attack Detection covers all relevant sub-techniques. The control also specifically detects process hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. References https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction https://azure.microsoft.com/en-us/services/app-service/ https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
google_secops	Google Security Operations	technique_scores	T1055	Process Injection	Comments Google Security Ops can trigger an alert based on suspicious running processes that could be used to evade defenses and escalate privileges. (e.g., directory traversal attempts via attachment downloads). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1055.011	Extra Window Memory Injection	9
T1055.003	Thread Execution Hijacking	9
T1055.013	Process Doppelgänging	9
T1055.004	Asynchronous Procedure Call	10
T1055.002	Portable Executable Injection	10
T1055.014	VDSO Hijacking	9
T1055.012	Process Hollowing	9
T1055.009	Proc Memory	11
T1055.005	Thread Local Storage	9
T1055.008	Ptrace System Calls	15
T1055.015	ListPlanting	3
T1055.001	Dynamic-link Library Injection	9