Process Injection (T1055)

View on ATT&CK

In Playbook

Associated Tactics

  • Defense Evasion
  • Privilege Escalation

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

View on ATT&CK

Procedure Examples

Description Source(s)
GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017. GNU Acct
Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017. Elastic Process Injection July 2017
Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017. RHEL auditd
Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017. ArtOfMemoryForensics
Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017. Microsoft Sysmon v6 May 2017
stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017. Chokepoint preload rootkits