Process Injection: Portable Executable Injection (T1055.002)

Tactics: Stealth, Privilege Escalation · Platforms: Windows

The interactive view maps 1 detection strategy, 1 mitigation, 2 threat groups, 12 software entries, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Process Injection (T1055).

Overview

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references.

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.

Explore