Esc
Dynamic-link Library Injection - T1055.001

(ATT&CK® Technique)
Definition

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1055001["Dynamic-link Library Injection"] --> |invokes| SystemCall["System Call"]; class T1055001 OffensiveTechniqueNode;
        class SystemCall ArtifactNode; click SystemCall href "/dao/artifact/d3f:SystemCall";
        click T1055001 href "/offensive-technique/attack/T1055.001/"; click SystemCall href "/dao/artifact/d3f:SystemCall"; T1055001["Dynamic-link Library Injection"] --> |adds| SharedLibraryFile["Shared Library File"]; class T1055001 OffensiveTechniqueNode;
        class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
        click T1055001 href "/offensive-technique/attack/T1055.001/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1055001["Dynamic-link Library Injection"] --> |loads| SharedLibraryFile["Shared Library File"]; class T1055001 OffensiveTechniqueNode;
        class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
        click T1055001 href "/offensive-technique/attack/T1055.001/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";                                       SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | SystemCall["System Call"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | May Detect | T1055001["Dynamic-link Library Injection"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class SystemCall ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | SharedLibraryFile["Shared Library File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | May Detect | T1055001["Dynamic-link Library Injection"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                                         DecoyFile["Decoy File"] -->
          | spoofs | SharedLibraryFile["Shared Library File"];

          DecoyFile["Decoy File"] -.->
            | May Deceive | T1055001["Dynamic-link Library Injection"] ;
          class DecoyFile DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                            FileEviction["File Eviction"] -->
          | deletes | SharedLibraryFile["Shared Library File"];

          FileEviction["File Eviction"] -.->
            | May Evict | T1055001["Dynamic-link Library Injection"] ;
          class FileEviction DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                  LocalFilePermissions["Local File Permissions"] -->
          | restricts | SharedLibraryFile["Shared Library File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | May Harden | T1055001["Dynamic-link Library Injection"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                      FileEncryption["File Encryption"] -->
          | encrypts | SharedLibraryFile["Shared Library File"];

          FileEncryption["File Encryption"] -.->
            | May Harden | T1055001["Dynamic-link Library Injection"] ;
          class FileEncryption DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";  RestoreFile["Restore File"] -->
          | restores | SharedLibraryFile["Shared Library File"];

          RestoreFile["Restore File"] -.->
            | May Restore | T1055001["Dynamic-link Library Injection"] ;
          class RestoreFile DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";                                                  FileAnalysis["File Analysis"] -->
          | analyzes | SharedLibraryFile["Shared Library File"];

          FileAnalysis["File Analysis"] -.->
            | May Detect | T1055001["Dynamic-link Library Injection"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";                              SystemCallFiltering["System Call Filtering"] -->
          | filters | SystemCall["System Call"];

          SystemCallFiltering["System Call Filtering"] -.->
            | May Isolate | T1055001["Dynamic-link Library Injection"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class SystemCall ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";
json