Process Injection, designated as T1055 in the MITRE ATT&CK framework, is a widely used and particularly dangerous method adversaries use to run malicious code in the address space of another process. This approach not only provides the attacker with stealth and evasion capabilities but also allows them to escalate privileges and maintain persistence within a compromised system. By executing harmful payloads within legitimate and trusted processes, malicious actors can obscure their activities, evade defensive tools, and perform lateral movement without detection.
This technique exemplifies the evolving sophistication of cyberattacks, where blending in with normal system operations is a primary objective. Traditional defenses, such as signature-based antivirus or standard application whitelisting, are often ineffective against these methods, which makes Process Injection a favored strategy for advanced persistent threats (APTs), ransomware gangs, and nation-state attackers.
Sub-techniques within T1055
The MITRE ATT&CK framework breaks down Process Injection into several distinct sub-techniques, each exploiting different mechanisms in the operating system to inject code and manipulate process behavior:
T1055.001 – Dynamic-Link Library (DLL) Injection
This method involves inserting a malicious DLL into another process's memory space. Typically, it leverages system calls likeLoadLibraryor API hooks, and then executes the DLL's code using a remote thread. It is one of the most well-known forms of injection and often exploited by commodity malware.T1055.002 – Portable Executable (PE) Injection
This technique writes the contents of a PE file (like an EXE) into the memory of a remote process and then manually executes it. It’s more complex than DLL injection and often used to bypass static file-based detection.T1055.003 – Thread Execution Hijacking
In this form, adversaries manipulate an existing thread of a process to redirect execution flow to injected code, allowing for stealthier attacks without creating new threads or processes.T1055.004 – Asynchronous Procedure Call (APC) Injection
Attackers queue up malicious APCs in the thread of a target process. Once the thread enters an alertable state, the injected code executes, often unnoticed.T1055.005 – Thread Local Storage (TLS) Callbacks
By modifying TLS callback routines within a process, adversaries ensure that their payloads are automatically executed when the process starts, offering a hidden execution point.T1055.008 – Ptrace System Calls
Primarily used on Unix-like systems,ptraceallows one process to observe and control the execution of another. This technique abuses those calls to inject code or manipulate process state.T1055.009 – Proc Memory
In this case, attackers directly modify memory within another process by using APIs such asWriteProcessMemory, often coupled withVirtualAllocExandCreateRemoteThread.T1055.011 – Extra Window Memory Injection
This rare method injects shellcode into the memory space of a GUI application by manipulating its extra window memory structures.T1055.012 – Process Hollowing
A highly stealthy technique, process hollowing involves starting a legitimate process in a suspended state, unmapping its memory, and replacing it with malicious code. Once resumed, the process runs under the guise of a trusted application.T1055.013 – Process Doppelgänging
This exploits a feature of Windows Transactional NTFS to load a malicious executable into a process without actually writing it to disk, evading most forms of file-based detection.T1055.014 – VDSO Hijacking
On Linux systems, the Virtual Dynamic Shared Object (VDSO) can be hijacked to run arbitrary code in user space, bypassing typical security controls.T1055.015 – ListPlanting
This relatively obscure method leverages manipulation of GUI control elements like list views to achieve injection in GUI-heavy applications.
These sub-techniques demonstrate the variety and adaptability of injection methods available to threat actors. Some are more common on Windows, others on Linux, but all are dangerous when successfully deployed.
Problems Caused by Process Injection
One of the primary challenges Process Injection poses is its ability to evade traditional detection mechanisms. Since the injected code executes within the context of a trusted process, most endpoint security solutions—particularly those relying on signatures or known behavior profiles—fail to distinguish between legitimate and malicious actions. This camouflage allows attackers to quietly monitor, manipulate, or exfiltrate data without raising alarms.
Another serious concern is privilege escalation. Injecting into processes that run with higher privileges, such as system services or administrative tools, allows attackers to elevate their own capabilities. Once inside a privileged process, they can disable security tools, gain access to sensitive data, or perform actions restricted to system administrators.
Furthermore, Process Injection is often used for persistence. Malicious code injected into autostart processes or long-running services can survive reboots and persist through security scans. This capability makes eradication particularly difficult unless the exact injection point and behavior are understood and neutralized.
As cybersecurity expert Bruce Schneier once said, “Security is a process, not a product.” Process Injection attacks capitalize precisely on that weakness—by subverting the trusted processes at the heart of our digital infrastructure.
Real-World Example: Stuxnet and Industrial Sabotage
Perhaps the most famous use of Process Injection occurred with the Stuxnet worm, which emerged in 2010 and was reportedly developed as a joint operation between U.S. and Israeli intelligence services to sabotage Iran’s nuclear program. Stuxnet represents a landmark case in both cyberwarfare and technical sophistication.
Stuxnet utilized several injection methods, including DLL injection and process hollowing, to hide its code inside system processes like lsass.exe. Once embedded, it monitored and manipulated Siemens PLCs (programmable logic controllers) by modifying legitimate industrial control commands without detection.
What made Stuxnet particularly insidious was its use of legitimate-sounding processes and digitally signed drivers, which helped it bypass security mechanisms and operate undetected for years. Through precise injection and manipulation, the worm subtly altered the rotation speed of uranium centrifuges while reporting normal operation to control systems, resulting in physical degradation of nuclear infrastructure.
From a technical perspective, Stuxnet’s injection routines were elegant and complex. It patched in-memory function calls, adjusted thread scheduling, and used APC injection to quietly manipulate process behavior. It was one of the first malware strains to blend cyber-physical impact with stealthy code injection, setting a precedent for future state-sponsored cyberattacks.
Defense and Mitigation Strategies
Defending against Process Injection requires a combination of behavior analysis, memory monitoring, and proactive system hardening. Because these techniques often bypass static defenses, organizations must adopt dynamic and adaptive security solutions.
Behavioral monitoring is a key strategy. Endpoint Detection and Response (EDR) platforms can flag anomalies like a user process spawning unexpected remote threads or allocating executable memory. These tools monitor system calls and execution paths to detect behaviors that diverge from the norm, even when they originate from a legitimate process.
Application whitelisting also plays a crucial role. By allowing only known-good processes and binaries to execute, organizations can reduce the risk of malicious payloads being launched—even if they are injected. However, this approach requires rigorous maintenance and can create operational complexity if not implemented carefully.
System-level protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) provide foundational defenses. DEP prevents code execution in non-executable memory regions, while ASLR randomizes memory layouts, making it more difficult for injected code to predictably run.
Timely software patching is essential as many injection techniques rely on exploiting unpatched vulnerabilities in operating systems or third-party applications. Ensuring that security updates are applied consistently across endpoints can significantly reduce attack surfaces.
Finally, educating users remains a powerful layer of defense. Many injection attacks begin with phishing emails or malicious document downloads. Training users to identify suspicious behavior, avoid unverified downloads, and report anomalies can prevent the initial compromise that leads to injection.
As cybersecurity expert Kevin Mitnick once noted, “Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain—the people who use, administer, operate and account for computer systems.”
Mitigating Process Injection
Process Injection remains one of the most potent and insidious techniques in the arsenal of threat actors. By exploiting the trust placed in legitimate processes, it enables attackers to bypass defenses, escalate privileges, and maintain long-term access to critical systems. Whether through DLL injection, process hollowing, or APC hijacking, the impact is often profound and far-reaching.
Through examples like Stuxnet, we’ve seen how Process Injection can evolve from a technical curiosity into a weapon of geopolitical significance. The consequences extend beyond digital boundaries—sometimes into the physical world. Defenders must remain vigilant, adopting not only technical countermeasures but also cultivating a culture of security awareness and proactive threat hunting.
In the constantly evolving landscape of cyber threats, understanding techniques like T1055 is not optional—it’s essential.
Keep this series going!
Thank you. I enjoy the real-world examples.