Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662)
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx
and WriteProcessMemory
, then invoked with CreateRemoteThread
or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 1 |