Description
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
Platforms
Sub-Techniques (12)
Dynamic-link Library Injection
T1055.002Portable Executable Injection
T1055.003Thread Execution Hijacking
T1055.004Asynchronous Procedure Call
T1055.005Thread Local Storage
T1055.008Ptrace System Calls
T1055.009Proc Memory
T1055.011Extra Window Memory Injection
T1055.012Process Hollowing
T1055.013Process Doppelgänging
T1055.014VDSO Hijacking
T1055.015ListPlanting
Mitigations (2)
Privileged Account ManagementM1026
Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.
Behavior Prevention on EndpointM1040
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. (Citation: win10_asr)
Threat Groups (15)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has injected malicious payloads into the `explorer.exe` process.(Citation: 1 - appv) |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has injected a DLL library containing a Trojan into the fwmain32.exe process.(Citation: Group IB Sile... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) malware has injected a Cobalt Strike beacon into Rundll32.exe.(Citation: Cybereason Cobalt Kitty 2017) |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used process injection to execute payloads to escalate privileges.(Citation: Mandiant FIN12... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has injected code into trusted processes.(Citation: Group IB Cobalt Aug 2017) |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) injects its malware variant, [ROKRAT](https://attack.mitre.org/software/S0240), into the cmd.exe proces... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) initial execution included launching multiple `svchost` processes and injecting code into them.(Ci... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used Win7Elevate to inject malicious code into explorer.exe.(Citation: Securelist Kimsuky Sept 20... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its func... |
| G0068 | PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has used various methods of process injection including hot patching.(Citation: Microsoft PLATINUM A... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has injected [Remcos](https://attack.mitre.org/software/S0332) into explorer.exe.(Citation: V... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) has injected [Cobalt Strike](https://attack.mitre.org/software/S0154) into `wuauclt.exe` during int... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.(Cit... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has also used [PowerSploit](https://attack.mitre.org/software/S0194)'s <code>Invoke-ReflectivePEInjecti... |
Associated Software (65)
| ID | Name | Type | Context |
|---|---|---|---|
| S9025 | NOOPLDR | Malware | [NOOPLDR](https://attack.mitre.org/software/S9025) can inject decrypted payloads into processes including wuauclt.exe., rdrleakdiag.exe, and tabcal.ex... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) can inject into known, vulnerable binaries on targeted hosts.(Citation: SentinelLabs Agent Tesl... |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) can migrate the loader into another process.(Citation: BiZone Lizar May 2021) |
| S0533 | SLOTHFULMEDIA | Malware | [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) can inject into running processes on a compromised host.(Citation: CISA MAR SLOTHFULMEDIA Oct... |
| S0581 | IronNetInjector | Tool | [IronNetInjector](https://attack.mitre.org/software/S0581) can use an IronPython scripts to load a .NET injector to inject a payload into its own or a... |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) compromises the `.text` section of a legitimate system DLL in `%windir%` to hold the contents of r... |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can inject itself into an existing explorer.exe process by using `RtlCreateUserThread`.(Citation: ... |
| S0398 | HyperBro | Malware | [HyperBro](https://attack.mitre.org/software/S0398) can run shellcode it injects into a newly created process.(Citation: Unit42 Emissary Panda May 201... |
| S0633 | Sliver | Tool | [Sliver](https://attack.mitre.org/software/S0633) includes multiple methods to perform process injection to migrate the framework into other, potentia... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can inject code through calling <code>VirtualAllocExNuma</code>.(Citation: Cybereason Bazar July 2020... |
| S0436 | TSCookie | Malware | [TSCookie](https://attack.mitre.org/software/S0436) has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default brow... |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) can inject itself into running processes on a compromised host.(Citation: McAfee REvil October 2019) |
| S0695 | Donut | Tool | [Donut](https://attack.mitre.org/software/S0695) includes a subproject <code>DonutTest</code> to inject shellcode into a target process.(Citation: Don... |
| S0470 | BBK | Malware | [BBK](https://attack.mitre.org/software/S0470) has the ability to inject shellcode into svchost.exe.(Citation: Trend Micro Tick November 2019) |
| S0561 | GuLoader | Malware | [GuLoader](https://attack.mitre.org/software/S0561) has the ability to inject shellcode into a donor processes that is started in a suspended state. [... |
| S1074 | ANDROMEDA | Malware | [ANDROMEDA](https://attack.mitre.org/software/S1074) can inject into the `wuauclt.exe` process to perform C2 actions.(Citation: Mandiant Suspected Tur... |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) includes a binary labeled `authd` that can inject a library into a running process and then hook... |
| S0347 | AuditCred | Malware | [AuditCred](https://attack.mitre.org/software/S0347) can inject code from files to other running processes.(Citation: TrendMicro Lazarus Nov 2018) |
| S0032 | gh0st RAT | Malware | [gh0st RAT](https://attack.mitre.org/software/S0032) can inject malicious code into process created by the “Command_Create&Inject” function.(Citation:... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe.(Citation: Re... |
Related CWE Weaknesses
Frequently Asked Questions
What is T1055 (Process Injection)?
T1055 is a MITRE ATT&CK technique named 'Process Injection'. It belongs to the Stealth, Privilege Escalation tactic(s). Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address spa...
How can T1055 be detected?
Detection of T1055 (Process Injection) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1055?
There are 2 documented mitigations for T1055. Key mitigations include: Privileged Account Management, Behavior Prevention on Endpoint.
Which threat groups use T1055?
Known threat groups using T1055 include: APT38, Silence, APT32, Wizard Spider, TA2541, Cobalt Group, APT37, Velvet Ant.