{
	"id": "f4a79d97-3bba-4867-9f8a-4d76d85df5db",
	"created_at": "2026-04-06T00:14:13.453433Z",
	"updated_at": "2026-04-10T03:20:00.09182Z",
	"deleted_at": null,
	"sha1_hash": "e7b430f2e93b3e773c6b94de27d5a9f8a9f83ca8",
	"title": "MITRE ATT\u0026CK T1055 Process Injection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65097,
	"plain_text": "MITRE ATT\u0026CK T1055 Process Injection\r\nBy Huseyin Can YUCEEL\r\nPublished: 2022-02-23 · Archived: 2026-04-05 17:10:44 UTC\r\nProcess injection is a powerful and widely used technique that allows adversaries to execute malicious code within the address space of a legitimate process. By injecting code into trusted processes, attackers can evade detection, escalate privileges, and maintain persistence on a compromised system. With process injection, malicious payloads can be run under the guise of legitimate applications, making it significantly harder for security tools to detect suspicious activity.\r\nIn this blog post, we explain the T1055 Process Injection technique of the MITRE ATT\u0026CK® framework and explore in detail how adversaries employ process injection, with real-world attack examples.\r\nAdversary Use of Process Injection\r\nAdversaries use Process Injection for various purposes, including evading detection, maintaining presence within a system, and accessing process resources such as memory and network.\r\nIt is a typical security practice to list all the processes running on a system and identify the malicious processes among the legitimate ones that are part of the operating system or installed software with recognizable names and file paths. Security mechanisms scan for processes that exhibit unusual characteristics, such as non-standard file paths or abnormal behavior, which may indicate a potential threat. Such processes are swiftly flagged as suspicious and can be killed to protect the system.\r\nHowever, when adversaries embed their malicious code into an existing, trusted process, they create a challenge for detection efforts. This stealth tactic, known as Process Injection, allows the intrusive code to run unnoticed within the memory space of another process, making it particularly difficult for security defenses to detect and neutralize the threat.\r\nProcess injection provides two significant benefits for adversaries:\r\n1. Privilege Escalation\r\nIf the target process has elevated privileges, the injected code will also have access to those privileges, allowing the adversary to gain greater control over the system and potentially escalate their privileges even further. For instance, if a target process has access to network resources, then the malicious code encapsulated within this process may allow an adversary to communicate over the Internet or with other computers on the same network. This privilege can enable the adversary to carry out various malicious activities, such as downloading next-stage payloads or tools, exfiltrating sensitive data, spreading malware to other systems, or launching attacks against the network.\r\n2. Defense Evasion\r\nhttps://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection\r\nPage 1 of 4\n\nAdversaries evade security controls designed to detect and block known threats by executing their malicious code under the privileges of a legitimate process. As the malicious code is hidden within the legitimate process, which is typically allow-listed, the target process acts as camouflage for the malicious code, allowing it to evade detection and run without being noticed. Since the code is typically run directly in the memory of the legitimate process, it is difficult for disk forensics tools to detect the code, as it is not written to disk.\r\nLegitimate Processes Used for Process Injection\r\nSecurity controls may quickly detect custom processes with unfamiliar names. Therefore, attackers use common native built-in Windows processes, such as:\r\nAppLaunch.exe – Application Launcher\r\narp.exe – Address Resolution Protocol Utility\r\ncmd.exe – Command Prompt\r\nconhost.exe – Console Window Host\r\ncontrol.exe – Control Panel Applet\r\ncsrss.exe – Client/Server Runtime Subsystem\r\nctfmon.exe – CTF Loader\r\ndllhost.exe – COM Surrogate\r\ndwm.exe – Desktop Window Manager\r\nexplorer.exe – Windows Explorer\r\nlsass.exe – Local Security Authority Subsystem Service\r\nmsbuild.exe – Microsoft Build Engine\r\nmshta.exe – Microsoft HTML Application Host\r\nmsiexec.exe – Windows Installer\r\nPowerShell.exe – Windows PowerShell\r\nrundll32.exe/rundll64.exe – Run a DLL as an App\r\nschtasks.exe – Task Scheduler\r\nservices.exe – Services Control Manager\r\nsmss.exe – Session Manager Subsystem\r\nspoolsv.exe – Print Spooler Service\r\nsvchost.exe – Service Host\r\ntaskhost.exe – Host Process for Windows Tasks\r\ntaskmgr.exe – Task Manager\r\nwininit.exe – Windows Start-Up Application\r\nwinlogon.exe – Windows Logon Process\r\nwmiexec.exe – WMI Execution Process\r\nwmiprvse.exe – WMI Provider Host\r\nwscntfy.exe – Windows Security Center Notification App\r\nwuauclt.exe – Windows Update AutoUpdate Client\r\nAttackers also use processes of commonly used software, such as browsers, antiviruses, office tools, and utilities.\r\nacrobat.exe – Adobe Acrobat\r\nadobearm.exe – Adobe Acrobat Reader Updater\r\nchrome.exe – Google Chrome\r\ndiscord.exe – Discord\r\ndropbox.exe – Dropbox\r\ndropboxsync.exe – Dropbox Sync\r\nexcel.exe – Microsoft Excel\r\nfirefox.exe – Mozilla Firefox\r\ngoogleupdate.exe – Google Updater\r\njava.exe – Java Runtime Environment\r\njucheck.exe – Java Update Checker\r\nnotepad.exe – Notepad\r\nonedrive.exe – OneDrive\r\nopera.exe – Opera Browser\r\noutlook.exe – Microsoft Outlook\r\nphotoshop.exe – Adobe Photoshop\r\nslack.exe – Slack\r\nsteam.exe – Steam\r\nteams.exe – Microsoft Teams\r\nvmwaretray.exe – VMware Tray\r\nwinword.exe – Microsoft Word\r\nwordpad.exe – Wordpad\r\nzoom.exe – Zoom\r\nMethods of Target Process Selection\r\nAdversaries use the following methods when picking their target process for malicious code injection:\r\n1. Hardcoded Targeting\r\nIn the first scenario, an adversary can hardcode a particular target process in the malicious code, and only this process is used to host the injected code. explorer.exe and rundll32.exe are the two most commonly leveraged processes for this type of attack. For instance, RedLine Stealer malware is known to target the Visual Basic Compiler used with the .NET Framework. The malware injects its payload into vbc.exe to evade detection [1].\r\nAn attacker can also define a list of target processes in the code, and the injected code is executed in the first process on the list that is found to be running on the system. These lists typically include native Windows and browser processes.\r\n2. Dynamic Targeting\r\nIn this attack scenario, an adversary does not define the target process beforehand and instead locates a suitable host process at runtime. It is common for adversaries to use Windows API functions to enumerate the list of all currently active processes and to get a handle on each target process in attack campaigns. The specific API functions that are used will depend on the goals of the attack and the capabilities of the adversary, but some common examples include EnumProcesses(), EnumProcessModules(), CreateToolhelp32Snapshot(), and OpenProcess().\r\nSub-techniques of T1055 Process Injection\r\nProcess injection is not a single technique but a collection of sub-techniques that adversaries use to execute malicious code within legitimate processes. In version 16.1, the MITRE ATT\u0026CK Matrix for Enterprise has 12 sub-techniques under T1055 Process Injection, each with unique characteristics and attack scenarios. These sub-techniques vary in complexity and effectiveness, but they all serve the same goal: stealthy execution and evasion of security defenses.\r\nFor more detailed information, see the following blog posts, each explaining one sub-technique in detail.\r\nT1055.001 Dynamic-link Library Injection\r\nT1055.002 Portable Executable Injection\r\nT1055.003 Thread Execution Hijacking\r\nT1055.004 Asynchronous Procedure Call\r\nT1055.005 Thread Local Storage\r\nT1055.008 Ptrace System Calls\r\nT1055.009 Proc Memory\r\nT1055.011 Extra Window Memory Injection\r\nT1055.012 Process Hollowing\r\nT1055.013 Process Doppelgänging\r\nT1055.014 VDSO Hijacking\r\nT1055.015 ListPlanting\r\nReferences\r\n[1] S. Gandy, \"RedLine Stealer Malware Analysis,\" Cyber Florida: The Florida Center for Cybersecurity, Mar. 10, 2023. Available: https://cyberflorida.org/redline-stealer-malware-analysis/\r\nSource: https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection"
	],
	"report_names": [
		"picus-10-critical-mitre-attck-techniques-t1055-process-injection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7b430f2e93b3e773c6b94de27d5a9f8a9f83ca8.pdf",
		"text": "https://archive.orkl.eu/e7b430f2e93b3e773c6b94de27d5a9f8a9f83ca8.txt",
		"img": "https://archive.orkl.eu/e7b430f2e93b3e773c6b94de27d5a9f8a9f83ca8.jpg"
	}
}