Esc
Process Injection - T1055
(ATT&CK® Technique)
Definition
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1055["Process Injection"] --> |invokes| SystemCall["System Call"]; class T1055 OffensiveTechniqueNode;
class SystemCall ArtifactNode; click SystemCall href "/dao/artifact/d3f:SystemCall";
click T1055 href "/offensive-technique/attack/T1055/"; click SystemCall href "/dao/artifact/d3f:SystemCall"; T1055["Process Injection"] --> |invokes| CreateProcess["Create Process"]; class T1055 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1055 href "/offensive-technique/attack/T1055/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1055["Process Injection"] --> |may-invoke| CreateProcess["Create Process"]; class T1055 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1055 href "/offensive-technique/attack/T1055/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1055["Process Injection"] --> |accesses| OperatingSystemFile["Operating System File"]; class T1055 OffensiveTechniqueNode;
class OperatingSystemFile ArtifactNode; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile";
click T1055 href "/offensive-technique/attack/T1055/"; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile"; T1055["Process Injection"] --> |may-add| ObjectFile["Object File"]; class T1055 OffensiveTechniqueNode;
class ObjectFile ArtifactNode; click ObjectFile href "/dao/artifact/d3f:ObjectFile";
click T1055 href "/offensive-technique/attack/T1055/"; click ObjectFile href "/dao/artifact/d3f:ObjectFile"; T1055["Process Injection"] --> |may-modify| OperatingSystemFile["Operating System File"]; class T1055 OffensiveTechniqueNode;
class OperatingSystemFile ArtifactNode; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile";
click T1055 href "/offensive-technique/attack/T1055/"; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile"; T1055["Process Injection"] --> |modifies| ProcessCodeSegment["Process Code Segment"]; class T1055 OffensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode; click ProcessCodeSegment href "/dao/artifact/d3f:ProcessCodeSegment";
click T1055 href "/offensive-technique/attack/T1055/"; click ProcessCodeSegment href "/dao/artifact/d3f:ProcessCodeSegment"; T1055["Process Injection"] --> |accesses| SharedLibraryFile["Shared Library File"]; class T1055 OffensiveTechniqueNode;
class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
click T1055 href "/offensive-technique/attack/T1055/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1055["Process Injection"] --> |adds| SharedLibraryFile["Shared Library File"]; class T1055 OffensiveTechniqueNode;
class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
click T1055 href "/offensive-technique/attack/T1055/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1055["Process Injection"] --> |loads| SharedLibraryFile["Shared Library File"]; class T1055 OffensiveTechniqueNode;
class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
click T1055 href "/offensive-technique/attack/T1055/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1055["Process Injection"] --> |may-add| ExecutableBinary["Executable Binary"]; class T1055 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1055 href "/offensive-technique/attack/T1055/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableBinary["Executable Binary"];
DecoyFile["Decoy File"] -.->
| May Deceive | T1055["Process Injection"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | ObjectFile["Object File"];
class DecoyFile DefensiveTechniqueNode;
class ObjectFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | OperatingSystemFile["Operating System File"];
class DecoyFile DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] -->
| spoofs | SharedLibraryFile["Shared Library File"];
class DecoyFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
DynamicAnalysis["Dynamic Analysis"] -.->
| May Detect | T1055["Process Injection"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| May Detect | T1055["Process Injection"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | CreateProcess["Create Process"];
SystemCallAnalysis["System Call Analysis"] -.->
| May Detect | T1055["Process Injection"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | SystemCall["System Call"];
class SystemCallAnalysis DefensiveTechniqueNode;
class SystemCall ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ProcessCodeSegmentVerification["Process Code Segment Verification"] -->
| verifies | ProcessCodeSegment["Process Code Segment"];
ProcessCodeSegmentVerification["Process Code Segment Verification"] -.->
| May Detect | T1055["Process Injection"] ;
class ProcessCodeSegmentVerification DefensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode;
click ProcessCodeSegmentVerification href "/technique/d3f:ProcessCodeSegmentVerification"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | CreateProcess["Create Process"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| May Detect | T1055["Process Injection"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| May Detect | T1055["Process Injection"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ObjectFile["Object File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ObjectFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | OperatingSystemFile["Operating System File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableBinary["Executable Binary"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | ExecutableBinary["Executable Binary"];
FileEviction["File Eviction"] -.->
| May Evict | T1055["Process Injection"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | SharedLibraryFile["Shared Library File"];
class FileEviction DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | OperatingSystemFile["Operating System File"];
class FileEviction DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] -->
| deletes | ObjectFile["Object File"];
class FileEviction DefensiveTechniqueNode;
class ObjectFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; LocalFilePermissions["Local File Permissions"] -->
| restricts | SharedLibraryFile["Shared Library File"];
LocalFilePermissions["Local File Permissions"] -.->
| May Harden | T1055["Process Injection"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableBinary["Executable Binary"];
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
| encrypts | SharedLibraryFile["Shared Library File"];
FileEncryption["File Encryption"] -.->
| May Harden | T1055["Process Injection"] ;
class FileEncryption DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | OperatingSystemFile["Operating System File"];
class LocalFilePermissions DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
| encrypts | OperatingSystemFile["Operating System File"];
class FileEncryption DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | ObjectFile["Object File"];
class FileEncryption DefensiveTechniqueNode;
class ObjectFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableBinary["Executable Binary"];
class FileEncryption DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ObjectFile["Object File"];
class LocalFilePermissions DefensiveTechniqueNode;
class ObjectFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] -->
| neutralizes | ProcessCodeSegment["Process Code Segment"];
ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] -.->
| May Harden | T1055["Process Injection"] ;
class ProcessSegmentExecutionPrevention DefensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode;
click ProcessSegmentExecutionPrevention href "/technique/d3f:ProcessSegmentExecutionPrevention"; SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] -->
| obfuscates | ProcessCodeSegment["Process Code Segment"];
SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] -.->
| May Harden | T1055["Process Injection"] ;
class SegmentAddressOffsetRandomization DefensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode;
click SegmentAddressOffsetRandomization href "/technique/d3f:SegmentAddressOffsetRandomization"; ExecutableAllowlisting["Executable Allowlisting"] -->
| restricts | CreateProcess["Create Process"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| May Isolate | T1055["Process Injection"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableDenylisting["Executable Denylisting"] -.->
| May Isolate | T1055["Process Injection"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] -->
| restricts | CreateProcess["Create Process"];
class ExecutableDenylisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| restricts | CreateProcess["Create Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| May Isolate | T1055["Process Injection"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; RestoreFile["Restore File"] -->
| restores | SharedLibraryFile["Shared Library File"];
RestoreFile["Restore File"] -.->
| May Restore | T1055["Process Injection"] ;
class RestoreFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | ObjectFile["Object File"];
class RestoreFile DefensiveTechniqueNode;
class ObjectFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | OperatingSystemFile["Operating System File"];
class RestoreFile DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] -->
| restores | ExecutableBinary["Executable Binary"];
class RestoreFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | ObjectFile["Object File"];
FileAnalysis["File Analysis"] -.->
| May Detect | T1055["Process Injection"] ;
class FileAnalysis DefensiveTechniqueNode;
class ObjectFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | OperatingSystemFile["Operating System File"];
class FileAnalysis DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
class FileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
class FileAnalysis DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; SystemFileAnalysis["System File Analysis"] -->
| analyzes | OperatingSystemFile["Operating System File"];
SystemFileAnalysis["System File Analysis"] -.->
| May Detect | T1055["Process Injection"] ;
class SystemFileAnalysis DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis"; MemoryBoundaryTracking["Memory Boundary Tracking"] -->
| analyzes | ProcessCodeSegment["Process Code Segment"];
MemoryBoundaryTracking["Memory Boundary Tracking"] -.->
| May Detect | T1055["Process Injection"] ;
class MemoryBoundaryTracking DefensiveTechniqueNode;
class ProcessCodeSegment ArtifactNode;
click MemoryBoundaryTracking href "/technique/d3f:MemoryBoundaryTracking"; SystemCallFiltering["System Call Filtering"] -->
| filters | CreateProcess["Create Process"];
SystemCallFiltering["System Call Filtering"] -.->
| May Isolate | T1055["Process Injection"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
| filters | SystemCall["System Call"];
class SystemCallFiltering DefensiveTechniqueNode;
class SystemCall ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; MandatoryAccessControl["Mandatory Access Control"] -->
| restricts | CreateProcess["Create Process"];
MandatoryAccessControl["Mandatory Access Control"] -.->
| May Isolate | T1055["Process Injection"] ;
class MandatoryAccessControl DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";