Process Injection - T1055
(ATT&CK® Technique)
Definition
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
D3FEND Inferred Relationships
The D3FEND knowledge graph infers the following relationships for this technique. Solid edges (modifies, analyzes, restricts, ...) connect a technique to a digital artifact; the dotted "may-..." edges from a defensive technique to Process Injection are inferred through a shared artifact, not asserted directly. Identifiers in parentheses are the D3FEND ontology names used in the graph's node links.

Artifacts touched by the offensive technique (Process Injection, T1055, /offensive-technique/attack/T1055/):
  modifies     Process Code Segment (d3f:ProcessCodeSegment)
  accesses     Shared Library File (d3f:SharedLibraryFile)
  adds         Shared Library File (d3f:SharedLibraryFile)
  loads        Shared Library File (d3f:SharedLibraryFile)
  may-add      Executable Binary (d3f:ExecutableBinary)
  invokes      System Call (d3f:SystemCall)
  invokes      Create Process (d3f:CreateProcess)
  may-invoke   Create Process (d3f:CreateProcess)
  accesses     Operating System File (d3f:OperatingSystemFile)
  may-add      Object File (d3f:ObjectFile)
  may-modify   Operating System File (d3f:OperatingSystemFile)

Defensive techniques related through those artifacts (inferred relationship to T1055 in brackets):

  Detect
    Dynamic Analysis (d3f:DynamicAnalysis): analyzes Executable Binary [may-detect]
    Emulated File Analysis (d3f:EmulatedFileAnalysis): analyzes Executable Binary [may-detect]
    Process Code Segment Verification (d3f:ProcessCodeSegmentVerification): verifies Process Code Segment [may-detect]
    Memory Boundary Tracking (d3f:MemoryBoundaryTracking): analyzes Process Code Segment [may-detect]
    Process Spawn Analysis (d3f:ProcessSpawnAnalysis): analyzes Create Process [may-detect]
    System Call Analysis (d3f:SystemCallAnalysis): analyzes Create Process, System Call [may-detect]
    File Integrity Monitoring (d3f:FileIntegrityMonitoring): analyzes Operating System File, Object File, Executable Binary, Shared Library File [may-detect]
    File Analysis (d3f:FileAnalysis): analyzes Object File, Shared Library File, Executable Binary, Operating System File [may-detect]
    System File Analysis (d3f:SystemFileAnalysis): analyzes Operating System File [may-detect]

  Deceive
    Decoy File (d3f:DecoyFile): spoofs Shared Library File, Operating System File, Executable Binary, Object File [may-deceive]

  Harden
    Process Segment Execution Prevention (d3f:ProcessSegmentExecutionPrevention): neutralizes Process Code Segment [may-harden]
    Segment Address Offset Randomization (d3f:SegmentAddressOffsetRandomization): obfuscates Process Code Segment [may-harden]
    File Encryption (d3f:FileEncryption): encrypts Executable Binary, Shared Library File, Operating System File, Object File [may-harden]

  Isolate
    Executable Allowlisting (d3f:ExecutableAllowlisting): filters Create Process; blocks Executable Binary [may-isolate]
    Executable Denylisting (d3f:ExecutableDenylisting): filters Create Process; blocks Executable Binary [may-isolate]
    Hardware-based Process Isolation (d3f:Hardware-basedProcessIsolation): restricts Create Process [may-isolate]
    Local File Permissions (d3f:LocalFilePermissions): restricts Object File, Operating System File, Executable Binary, Shared Library File [may-isolate]
    System Call Filtering (d3f:SystemCallFiltering): filters Create Process, System Call [may-isolate]
    Remote File Access Mediation (d3f:RemoteFileAccessMediation): isolates Shared Library File, Object File, Executable Binary, Operating System File [may-isolate]

  Evict
    File Eviction (d3f:FileEviction): deletes Operating System File, Executable Binary, Shared Library File, Object File [may-evict]

  Restore
    Restore File (d3f:RestoreFile): restores Executable Binary, Shared Library File, Object File, Operating System File [may-restore]

Defensive technique pages are at /technique/d3f:<Name> and artifact pages at /dao/artifact/d3f:<Name>.
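The Process Code Segment Verification and Memory Boundary Tracking relationships above rest on one observable: injected code has to live in an executable memory region that no file on disk accounts for. The following is an added defensive example, not part of D3FEND or ATT&CK, that applies that check to a Linux process map; the /proc/<pid>/maps lines are constructed for the demonstration and the helper names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/<pid>/maps output (not captured from a real host).
# Each line: address-range perms offset dev inode [pathname]. The rwxp region with
# no pathname is the footprint a defender looks for: executable, writable, anonymous.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a1f000 r-xp 00000000 08:01 1312345 /usr/bin/example
55d1c0c1f000-55d1c0c21000 rw-p 0001f000 08:01 1312345 /usr/bin/example
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0       [heap]
7f3a20000000-7f3a20010000 rwxp 00000000 00:00 0
7f3a30000000-7f3a301a0000 r-xp 00000000 08:01 9876    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd4b0e0000-7ffd4b101000 rw-p 00000000 00:00 0       [stack]
7ffd4b1f0000-7ffd4b1f2000 r-xp 00000000 00:00 0       [vdso]
"""

# Kernel-provided pseudo-mappings are executable and fileless by design; not suspicious.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]", "[vvar]"}

_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse the text of /proc/<pid>/maps into Region records; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(4).strip()))
    return regions


def suspicious_regions(regions: List[Region]) -> List[Region]:
    """Executable regions with no backing file, excluding kernel pseudo-mappings.
    A hit is a lead for Process Code Segment Verification, not proof of injection:
    JIT engines legitimately create such regions, so tune an allowlist per workload."""
    return [r for r in regions
            if "x" in r.perms and (r.path == "" or r.path.startswith("["))
            and r.path not in KERNEL_PSEUDO]


def scan_pid(pid: int) -> List[Region]:
    """Apply the check to a live process (needs permission to read its maps file)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_regions(parse_maps(f.read()))


if __name__ == "__main__":
    for r in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{r.start:#x}-{r.end:#x} {r.perms} {r.size} bytes: anonymous executable region")
```

On Windows the same idea is applied by walking a process's regions with VirtualQueryEx and flagging MEM_PRIVATE pages that carry an execute protection.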