Esc

Portable Executable Injection - T1055.002

(ATT&CK® Technique)

Definition

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1055002["Portable Executable Injection"] --> |may-add| ObjectFile["Object File"]; class T1055002 OffensiveTechniqueNode;
        class ObjectFile ArtifactNode; click ObjectFile href "/dao/artifact/d3f:ObjectFile";
        click T1055002 href "/offensive-technique/attack/T1055.002/"; click ObjectFile href "/dao/artifact/d3f:ObjectFile";             DecoyFile["Decoy File"] -->
          | spoofs | ObjectFile["Object File"];

          DecoyFile["Decoy File"] -.->
            | May Deceive | T1055002["Portable Executable Injection"] ;
          class DecoyFile DefensiveTechniqueNode;
          class ObjectFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | ObjectFile["Object File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | May Detect | T1055002["Portable Executable Injection"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class ObjectFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                           LocalFilePermissions["Local File Permissions"] -->
          | restricts | ObjectFile["Object File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | May Harden | T1055002["Portable Executable Injection"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class ObjectFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
          | encrypts | ObjectFile["Object File"];

          FileEncryption["File Encryption"] -.->
            | May Harden | T1055002["Portable Executable Injection"] ;
          class FileEncryption DefensiveTechniqueNode;
          class ObjectFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; RestoreFile["Restore File"] -->
          | restores | ObjectFile["Object File"];

          RestoreFile["Restore File"] -.->
            | May Restore | T1055002["Portable Executable Injection"] ;
          class RestoreFile DefensiveTechniqueNode;
          class ObjectFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";                                        FileEviction["File Eviction"] -->
          | deletes | ObjectFile["Object File"];

          FileEviction["File Eviction"] -.->
            | May Evict | T1055002["Portable Executable Injection"] ;
          class FileEviction DefensiveTechniqueNode;
          class ObjectFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";              FileAnalysis["File Analysis"] -->
          | analyzes | ObjectFile["Object File"];

          FileAnalysis["File Analysis"] -.->
            | May Detect | T1055002["Portable Executable Injection"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class ObjectFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";

json