T1055: Process Injection

T1055 sits at the intersection of two critical ATT&CK tactics: Defense Evasion and Privilege Escalation. It serves both simultaneously. By injecting code into a process that already has elevated permissions, the attacker inherits those permissions without triggering a separate privilege escalation event. By running inside a process the operating system and security tools trust, the attacker evades detection controls that rely on process reputation, binary signatures, and file-based scanning.

Process injection is not a single method — it is a family of twelve distinct sub-techniques, each exploiting different operating system mechanisms for loading code into memory. What they share is the outcome: malicious code running inside a legitimate process, invisible to defenders looking at the process list.

How Process Injection Works

The fundamental mechanism follows a four-phase pattern, regardless of which specific sub-technique is used:

Phase 1 — Target Selection. The attacker identifies a running process to inject into. The ideal target is a process that runs with elevated privileges, is expected to maintain network connections, and is present on virtually every system. Common targets include svchost.exe, explorer.exe, rundll32.exe, lsass.exe, and browser processes like chrome.exe. Attackers may hardcode a specific target, iterate through a list of preferred processes, or enumerate running processes at runtime to find a suitable host.

Phase 2 — Memory Allocation. The attacker allocates memory within the target process's address space. On Windows, this typically involves the VirtualAllocEx API call with PAGE_EXECUTE_READWRITE permissions. This creates a region of memory inside the target process that can hold and execute the attacker's code. More sophisticated variants avoid this step entirely by overwriting existing executable memory regions, such as the .text section of a loaded DLL.

Phase 3 — Code Writing. The malicious payload — shellcode, a DLL, or a portable executable — is written into the allocated memory region. The standard Windows API for this is WriteProcessMemory. The payload could be a full-featured backdoor, a credential stealer, a command-and-control implant, or simply a loader that fetches the next stage from a remote server.

Phase 4 — Execution Trigger. The attacker triggers execution of the injected code. The method varies by sub-technique: CreateRemoteThread spawns a new thread in the target process, QueueUserAPC queues code to execute when a thread enters an alertable state, or the attacker modifies an existing thread's instruction pointer via SetThreadContext to redirect execution to the injected payload.

Once all four phases complete, the malicious code runs within the security context of the target process. Any network connections it opens, files it accesses, or registry keys it modifies appear to originate from the trusted process. To the operating system, to the EDR agent, and to the analyst watching the dashboard, everything looks normal.

Sub-Techniques

MITRE ATT&CK version 16.1 defines twelve sub-techniques under T1055, each exploiting different OS mechanisms. The following are the variants observed with the highest frequency in the wild:

T1055.001 — Dynamic-link Library (DLL) Injection

DLL injection is the classic and still one of the most prevalent forms of process injection. The attacker writes the path to a malicious DLL into the target process's memory using VirtualAllocEx and WriteProcessMemory, then invokes CreateRemoteThread to call LoadLibrary within that process. The operating system loads the DLL into the target process just as it would any legitimate library. A more advanced variant known as Module Stomping or DLL Hollowing overwrites the memory of an already-loaded legitimate DLL with malicious code, making the injected payload appear to be a known system library.

T1055.012 — Process Hollowing

Process hollowing creates a new instance of a legitimate process — typically a Windows system binary like svchost.exe — in a suspended state using CreateProcess with the CREATE_SUSPENDED flag. The attacker then unmaps the legitimate executable image from memory using NtUnmapViewOfSection, replaces it with the malicious payload via VirtualAllocEx and WriteProcessMemory, adjusts the thread context to point to the new entry point, and resumes the process with ResumeThread. From the outside, the process looks exactly like a normal system binary — it has the correct file path, command-line arguments, and parent-child relationship. But the code running inside is entirely attacker-controlled.

T1055.003 — Thread Execution Hijacking

Rather than creating a new, potentially suspicious thread, this technique hijacks an existing thread within the target process. The attacker suspends a running thread with SuspendThread, reads its current state with GetThreadContext, modifies the instruction pointer (EIP/RIP register) to redirect execution to the injected shellcode, applies the changes with SetThreadContext, and resumes the thread with ResumeThread. This is stealthier than CreateRemoteThread because no new thread is created — the legitimate thread simply begins executing malicious code at its next scheduled execution cycle.

T1055.004 — Asynchronous Procedure Call (APC) Injection

APC injection queues malicious code to execute the next time a thread enters an alertable wait state. The attacker calls QueueUserAPC with a pointer to the injected shellcode and a handle to a thread in the target process. When that thread next calls a function that triggers an alertable state (such as SleepEx, WaitForSingleObjectEx, or certain I/O operations), the queued APC executes. A more aggressive variant known as "early bird" injection targets threads in a newly created suspended process, ensuring the APC fires before any security hooks or monitoring agents initialize.

T1055.002 — Portable Executable (PE) Injection

Instead of writing a DLL path and loading it through the Windows loader, PE injection copies an entire executable image directly into the target process's memory and manually resolves imports, relocations, and entry points. Because the injected PE is never loaded through the standard LoadLibrary path, it does not appear in the process's loaded modules list — making it invisible to tools that enumerate DLLs.

T1055.008 — Ptrace System Calls (Linux)

On Linux systems, the ptrace system call — designed for debugging — provides the ability to attach to a running process, read and write its memory, and modify register values. Adversaries abuse ptrace with PTRACE_ATTACH and PTRACE_POKETEXT to inject shellcode into running processes. This technique is less common than Windows-based injection but is employed in Linux-targeted malware and post-exploitation frameworks operating in server environments.

Other Sub-Techniques

The remaining sub-techniques include Thread Local Storage injection (T1055.005), which abuses TLS callback mechanisms; Proc Memory (T1055.009), which writes to /proc/[pid]/mem on Linux; Extra Window Memory injection (T1055.011), which exploits additional memory allocated by Windows GUI classes; Process Doppelganging (T1055.013), which abuses NTFS transactions to create process images that never touch disk; VDSO Hijacking (T1055.014), which targets the virtual dynamic shared object in Linux; and ListPlanting (T1055.015), which manipulates listview message handling.

Why Process Injection Dominates the Threat Landscape

The Picus Red Report 2026 describes the emergence of the "Digital Parasite" — a fundamental shift in adversary philosophy from disruptive smash-and-grab attacks to parasitic silent residency. Process injection is the cornerstone of this shift. It enables three capabilities that modern attackers prioritize above all else:

Stealth through legitimacy. Traditional endpoint security relies on process reputation, binary signatures, and parent-child process analysis. When malicious code runs inside svchost.exe or explorer.exe, these heuristics fail. The process is legitimate. The binary on disk is clean. The parent-child tree is normal. Only behavioral analysis of what the process is doing — not what the process is — has any chance of detecting the intrusion.

Fileless operation. Process injection enables entirely in-memory execution. The malicious payload never touches the disk as a standalone file, which means file-based scanning, hash comparisons, and disk forensics find nothing. This is why the Picus report found that Defense Evasion, Persistence, and C2 techniques now account for 80% of the top ten ATT&CK techniques — modern malware is built to live undetected, not to cause immediate damage.

Privilege inheritance. If the target process runs as SYSTEM, the injected code runs as SYSTEM. If the target process has network access, the injected code has network access. Attackers get privilege escalation as a side effect of choosing the right host process, without needing a separate exploit or UAC bypass.

Real-World Case Studies

Cobalt Strike — The Framework That Weaponized Process Injection

Cobalt Strike, originally a legitimate red team tool, has become the single most common post-exploitation framework observed in real-world intrusions. Its Beacon payload uses process injection as its default execution mechanism. The "fork and run" model creates a temporary sacrificial process (typically rundll32.exe), injects a post-exploitation job into it, executes, and then kills the process. Version 4.12 (December 2025) expanded injection capabilities with multiple built-in implementations selectable through a configuration dialog, including options for APC injection, thread hijacking, and custom BOF-based techniques. Virtually every major ransomware group, initial access broker, and APT actor has been observed using Cobalt Strike's injection features, including Conti, REvil, Black Basta, FIN7, and APT41.

APT41 — Process Injection in State-Sponsored Espionage

APT41, the Chinese state-linked threat group that conducts both espionage and financially motivated operations, has repeatedly used process injection across campaigns targeting government, healthcare, manufacturing, and technology organizations worldwide. In operations documented by Mandiant and Cisco Talos, APT41 deployed ShadowPad and Cobalt Strike payloads through DLL injection and process hollowing, using DLL side-loading with legitimate signed executables as the initial injection vector. Their subgroup Earth Longzhi used custom Cobalt Strike loaders dubbed "Symatic" that specifically removed API hooks before performing process injection — directly countering the detection mechanisms that security tools rely on. APT41's methodology demonstrates how state-sponsored actors build process injection into every phase of their operations, from initial payload execution through persistence and lateral movement.

UNC3886 — Ghost in the Router

In March 2025, Mandiant disclosed that the China-nexus espionage actor UNC3886 had been targeting Juniper Networks routers using process injection techniques to deploy custom backdoors. The group exploited vulnerabilities in network infrastructure to inject malicious code into router processes — extending process injection beyond traditional endpoint operating systems into network hardware. The campaign, which Juniper documented as the "RedPenguin Malware Incident," demonstrated that process injection is no longer limited to Windows endpoints. Attackers are now applying the same principles to embedded systems, routers, and other infrastructure devices where security monitoring is minimal.

RedLine Stealer — Commodity Malware at Scale

RedLine Stealer, one of the most widely distributed infostealers in the wild, uses process injection as its primary execution mechanism. The malware targets the Visual Basic Compiler (vbc.exe) associated with the .NET Framework, injecting its credential-harvesting payload into this legitimate process. By operating within vbc.exe, RedLine avoids detection by endpoint security tools that focus on identifying suspicious standalone executables. This demonstrates that process injection is not just a tool of sophisticated APT groups — it is standard practice in commodity malware distributed through underground marketplaces.

LummaC2 — Malware That Does Math

The Picus Red Report 2026 highlighted LummaC2 as an example of how process injection has evolved alongside anti-analysis techniques. Before injecting its payload, LummaC2 performs trigonometric calculations on mouse movement patterns — measuring the Euclidean distance of mouse angles to determine whether the movement is being generated by a human user or an automated security sandbox. If the mouse moves with the perfect consistency of an automated tool, the malware refuses to proceed with injection, effectively "playing dead" until it determines it is running on a real victim system. This pairing of process injection with sophisticated sandbox evasion (T1497) represents the current state of the art in stealth malware.

Detection Strategies

Detecting process injection is among the most challenging problems in endpoint security. The fundamental difficulty is that the APIs used for process injection — VirtualAllocEx, WriteProcessMemory, CreateRemoteThread — are also used by legitimate software including debuggers, accessibility tools, antivirus products, and game engines. Detection must rely on behavioral context and correlation rather than API monitoring alone.

Key Sysmon and Windows Event IDs

Event ID	Source	What It Captures
Sysmon 1	Process Creation	New process creation with full command line and parent process details — critical for detecting process hollowing where a process starts suspended then resumes with different behavior
Sysmon 7	Image Loaded	DLL loading events — flag DLLs loaded from unexpected paths (temp directories, user profiles, ProgramData) into system processes
Sysmon 8	CreateRemoteThread	Detects when a process creates a thread in another process — the most direct indicator of classic DLL injection and the single most important event for T1055 detection
Sysmon 10	ProcessAccess	Logs when a process opens a handle to another process — required for memory allocation and writing. Monitor for access to lsass.exe and other sensitive processes with PROCESS_VM_WRITE permissions
Sysmon 11	FileCreate	New file creation — detects DLLs being dropped to disk before injection. Note: fileless injection variants bypass this entirely
4688	Security	Process creation with command-line logging — enables detection of suspicious process creation patterns associated with process hollowing (e.g., svchost.exe started without the -k parameter)
7045	System	New service installation — attackers often register injected payloads as services for persistence after the initial injection

Detection Queries

Remote Thread Creation into System Processes — Detects the most common process injection pattern where a non-system process creates a thread inside a system process:

index=sysmon EventCode=8
| where TargetImage IN ("*\\svchost.exe", "*\\explorer.exe", "*\\lsass.exe",
    "*\\rundll32.exe", "*\\spoolsv.exe", "*\\winlogon.exe")
| where NOT SourceImage IN ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\svchost.exe")
| stats count by SourceImage, TargetImage, SourceProcessId, Computer
| where count < 3

Suspicious Process Hollowing Indicators — Identifies processes that were created with anomalous characteristics, such as svchost.exe running without the expected -k parameter:

index=sysmon EventCode=1
| where Image="*\\svchost.exe"
| where NOT CommandLine="*-k *"
| where NOT ParentImage IN ("*\\services.exe", "*\\MsMpEng.exe")
| table _time, Computer, ParentImage, ParentCommandLine, CommandLine, User

DLL Loading from Anomalous Paths — Flags DLLs loaded into system processes from non-standard directories, which may indicate DLL injection or DLL side-loading as a precursor to injection:

index=sysmon EventCode=7
| where Image IN ("*\\svchost.exe", "*\\explorer.exe", "*\\rundll32.exe")
| where NOT ImageLoaded="C:\\Windows\\*"
    AND NOT ImageLoaded="C:\\Program Files*"
| stats count by Image, ImageLoaded, Computer
| sort - count

Advanced Behavioral Indicators

Beyond individual event monitoring, the following behavioral patterns indicate process injection when observed in combination:

Indicator	What to Look For
RWX memory regions	Processes with memory regions marked as read-write-execute that were not present at startup — the hallmark of injected code
In-memory vs. on-disk mismatch	Processes where the loaded image in memory does not match the on-disk binary, indicating code injection or hollowing
Anomalous network connections	System processes like svchost.exe or notepad.exe making outbound connections to external IP addresses — injected C2 implants communicating through the host process
Unexpected child processes	System processes spawning command interpreters (cmd.exe, powershell.exe) or other unusual child processes — indicates an injected payload executing post-exploitation commands
API call sequences	Sequences of OpenProcess > VirtualAllocEx > WriteProcessMemory > CreateRemoteThread from a single source process within a short time window
Unsigned code in signed processes	Executable memory regions within signed system processes that contain unsigned code — use EDR memory scanning capabilities to detect

Linux-Specific Detection

On Linux systems, monitor the /proc/sys/kernel/yama/ptrace_scope setting and audit calls to ptrace (specifically PTRACE_ATTACH and PTRACE_POKETEXT) using auditd rules. Track processes attempting to access /proc/[pid]/mem of other processes. Any ptrace activity from non-debugging tools warrants investigation.

Known Threat Actors Using T1055

T1055 has one of the largest documented threat actor lists of any ATT&CK technique. The following represent a cross-section of active groups known to employ process injection:

Actor	Origin	Context
APT41 / Winnti	China	DLL injection and process hollowing via ShadowPad and Cobalt Strike across espionage and financially motivated campaigns
Lazarus Group	North Korea	Process injection in financial theft operations and supply chain attacks including the 3CX compromise
UNC3886	China	Process injection into network router processes targeting Juniper infrastructure
Turla / Snake	Russia	IronNetInjector, Gazer, and Carbon implants using DLL injection and custom injection tools
APT28 / Fancy Bear	Russia	Sofacy and Zebrocy implants using PE injection for post-exploitation operations
FIN7	Russia	Process injection via modified pen-testing toolkits disguised as legitimate security tools
Kimsuky	North Korea	RokRat and Gh0stRAT deployment through VBA-initiated process injection
FIN12	Russia	Ryuk and Conti ransomware deployment through Cobalt Strike process injection
PLATINUM	Southeast Asia	Custom injection techniques targeting government networks in South and Southeast Asia
Velvet Ant	China	Process injection via F5 load balancer exploitation for persistence in telecom networks

Beyond state-sponsored actors, process injection is embedded in virtually every major red team framework (Cobalt Strike, Metasploit, Sliver, Brute Ratel) and commercial RAT family (Agent Tesla, Remcos, Warzone, NjRAT, Netwire). This means defenders encounter T1055 across the full spectrum — from commodity cybercrime to the most sophisticated espionage operations.

Defensive Recommendations

1. Deploy EDR with behavioral memory analysis: Signature-based and process-reputation approaches are fundamentally insufficient against process injection. EDR solutions must monitor for in-memory anomalies: RWX memory regions in processes that should not have them, in-memory images that differ from on-disk binaries, and code execution from regions not backed by legitimate modules. Test your EDR against process injection specifically — research indicates that traditional controls miss injection activity in over 20% of cases.
2. Enable and tune Sysmon comprehensively: Deploy Sysmon with a configuration that captures Event IDs 1, 7, 8, 10, and 11 at minimum. Sysmon Event ID 8 (CreateRemoteThread) is the single most important telemetry source for process injection detection. Without it, visibility into the most common injection vector is effectively zero.
3. Enable Windows Exploit Protection: Configure system-wide mitigations including Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG). These raise the bar for exploitation by preventing code execution from non-executable memory regions and disrupting control flow hijacking. Enable per-application hardening for browsers, PDF readers, and office suites.
4. Restrict process access permissions: Use Windows Defender Credential Guard to protect lsass.exe from process access. Implement application control policies (Windows Defender Application Control or AppLocker) to restrict which processes can load DLLs and from which directories. Configure protected processes light (PPL) for critical system services.
5. Monitor and restrict API usage: While API-level monitoring generates high volumes of telemetry, correlating sequences of injection-related API calls (OpenProcess + VirtualAllocEx + WriteProcessMemory + CreateRemoteThread) from a single source within a short window provides high-fidelity detection with manageable noise.
6. Implement parent-child process validation: Build and enforce baseline rules for expected parent-child process relationships. svchost.exe should only be spawned by services.exe. explorer.exe should not spawn cmd.exe or powershell.exe during normal operations. Process hollowing breaks these expected relationships in subtle ways that behavioral rules can detect.
7. Enforce ptrace restrictions on Linux: Set /proc/sys/kernel/yama/ptrace_scope to 1 or higher to restrict which processes can use ptrace. Scope 1 limits ptrace to direct parent processes only. Scope 2 restricts it to root. Scope 3 disables it entirely. Combined with auditd rules for ptrace calls, this significantly reduces the Linux injection surface.
8. Validate defenses through simulation: Use red team tools (Atomic Red Team, Caldera, or commercial BAS platforms) to simulate the specific sub-techniques of T1055 against your production environment. Test DLL injection, process hollowing, APC injection, and thread hijacking individually. Measure which ones your current controls detect, which ones generate alerts, and which ones pass through unnoticed. The gap between "we have EDR" and "our EDR detects process hollowing" is where attackers live.

MITRE ATT&CK Mapping

Field	Value
Technique ID	T1055
Technique Name	Process Injection
Tactics	Defense Evasion, Privilege Escalation
Platforms	Windows, Linux, macOS
Sub-Techniques	T1055.001 DLL Injection, T1055.002 PE Injection, T1055.003 Thread Execution Hijacking, T1055.004 APC Injection, T1055.005 Thread Local Storage, T1055.008 Ptrace System Calls, T1055.009 Proc Memory, T1055.011 Extra Window Memory Injection, T1055.012 Process Hollowing, T1055.013 Process Doppelganging, T1055.014 VDSO Hijacking, T1055.015 ListPlanting
Data Sources	Process (OS API Execution, Access, Modification), Module (Load), File (Modification)
Defenses Bypassed	Anti-virus, Application Control, Host Intrusion Prevention Systems
MITRE Reference	attack.mitre.org/techniques/T1055

Sources and References

• MITRE ATT&CK — T1055 Process Injection: attack.mitre.org
• Picus Security — Red Report 2026 and Red Report 2025: picussecurity.com
• Mandiant — Ghost in the Router: UNC3886 Targets Juniper Routers (March 2025): cloud.google.com
• Palo Alto Networks — Process Injection Explained: paloaltonetworks.com
• ACM Asia CCS 2025 — Process Injection in Windows Malware (2017-2023 Analysis): dl.acm.org