Description
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.
Platforms
Mitigations (1)
Behavior Prevention on EndpointM1040
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106)'s miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad... |
| G0078 | Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can download a remote access tool, [ShiftyBug](https://attack.mitre.org/software/S0294),... |
Associated Software (12)
| ID | Name | Type | Context |
|---|---|---|---|
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) has injected [Latrodectus](https://attack.mitre.org/software/S1160) into the Explorer.exe pr... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can inject its backdoor as a portable executable into a target process.(Citation: ESET InvisiMol... |
| S1229 | Havoc | Malware | [Havoc](https://attack.mitre.org/software/S1229) has itself injected into `C:\\Windows\\System32\\Werfault.exe` on targeted systems.(Citation: Havoc F... |
| S0030 | Carbanak | Malware | [Carbanak](https://attack.mitre.org/software/S0030) downloads an executable and injects it directly into a new process.(Citation: FireEye CARBANAK Jun... |
| S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has injected its shellcode into explorer.exe by allocating memory via `VirtualAllocEx`, then by ... |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) can execute PE files in the address space of the specified process.(Citation: BiZone Lizar May 2021) |
| S1138 | Gootloader | Malware | [Gootloader](https://attack.mitre.org/software/S1138) can use its own PE loader to execute payloads in memory.(Citation: Sophos Gootloader) |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has executed only in memory and hooked itself into existing processes on the victim device to ... |
| S0342 | GreyEnergy | Malware | [GreyEnergy](https://attack.mitre.org/software/S0342) has a module to inject a PE binary into a remote process.(Citation: ESET GreyEnergy Oct 2018) |
| S1158 | DUSTPAN | Malware | [DUSTPAN](https://attack.mitre.org/software/S1158) can inject its decrypted payload into another process.(Citation: Google Cloud APT41 2024) |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145), following payload decryption, creates a process hard-coded into the dropped (e.g., WerFault.exe) a... |
| S0330 | Zeus Panda | Malware | [Zeus Panda](https://attack.mitre.org/software/S0330) checks processes on the system and if they meet the necessary requirements, it injects into that... |
Related CWE Weaknesses
References
Frequently Asked Questions
What is T1055.002 (Portable Executable Injection)?
T1055.002 is a MITRE ATT&CK technique named 'Portable Executable Injection'. It belongs to the Stealth, Privilege Escalation tactic(s). Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in...
How can T1055.002 be detected?
Detection of T1055.002 (Portable Executable Injection) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1055.002?
There are 1 documented mitigations for T1055.002. Key mitigations include: Behavior Prevention on Endpoint.
Which threat groups use T1055.002?
Known threat groups using T1055.002 include: Rocke, Gorgon Group.