Esc
Thread Execution Hijacking - T1055.003
(ATT&CK® Technique)
Definition
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1055003["Thread Execution Hijacking"] --> |invokes| SystemCall["System Call"]; class T1055003 OffensiveTechniqueNode;
class SystemCall ArtifactNode; click SystemCall href "/dao/artifact/d3f:SystemCall";
click T1055003 href "/offensive-technique/attack/T1055.003/"; click SystemCall href "/dao/artifact/d3f:SystemCall"; T1055003["Thread Execution Hijacking"] --> |may-add| ExecutableBinary["Executable Binary"]; class T1055003 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1055003 href "/offensive-technique/attack/T1055.003/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableBinary["Executable Binary"];
DecoyFile["Decoy File"] -.->
| May Deceive | T1055003["Thread Execution Hijacking"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
DynamicAnalysis["Dynamic Analysis"] -.->
| May Detect | T1055003["Thread Execution Hijacking"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| May Detect | T1055003["Thread Execution Hijacking"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | SystemCall["System Call"];
SystemCallAnalysis["System Call Analysis"] -.->
| May Detect | T1055003["Thread Execution Hijacking"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class SystemCall ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableBinary["Executable Binary"];
LocalFilePermissions["Local File Permissions"] -.->
| May Harden | T1055003["Thread Execution Hijacking"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableBinary["Executable Binary"];
FileEncryption["File Encryption"] -.->
| May Harden | T1055003["Thread Execution Hijacking"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| May Detect | T1055003["Thread Execution Hijacking"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | ExecutableBinary["Executable Binary"];
FileEviction["File Eviction"] -.->
| May Evict | T1055003["Thread Execution Hijacking"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; SystemCallFiltering["System Call Filtering"] -->
| filters | SystemCall["System Call"];
SystemCallFiltering["System Call Filtering"] -.->
| May Isolate | T1055003["Thread Execution Hijacking"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class SystemCall ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileAnalysis["File Analysis"] -.->
| May Detect | T1055003["Thread Execution Hijacking"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| May Isolate | T1055003["Thread Execution Hijacking"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableDenylisting["Executable Denylisting"] -.->
| May Isolate | T1055003["Thread Execution Hijacking"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] -->
| restores | ExecutableBinary["Executable Binary"];
RestoreFile["Restore File"] -.->
| May Restore | T1055003["Thread Execution Hijacking"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile";