What is process injection (T1055)?

Process injection (T1055) is a MITRE ATT&CK® technique in which adversaries inject malicious code or DLLs into the address space of a legitimate running process. Once injected, the malicious code executes under the security context and identity of the host process, inheriting its privileges, network access rights, and the trust relationship that security tools extend to known-good processes.

Process injection is one of the most powerful techniques in the adversary toolkit precisely because it separates the identity of the executing process from the origin of the executing code. A security tool examining running processes by name and signature will see only the legitimate host process. The injected malicious code is invisible unless the tool inspects memory contents and thread origins. Log360 maps 39+ pre-built correlation rules to T1055, targeting the system call patterns, cross-process access events, and behavioral anomalies that injection inevitably produces even when the host process itself is clean.

Where T1055 fits in the ATT&CK chain: T1055 is classified under both TA0005 — Defense evasion and TA0004 — Privilege escalation. As a defense evasion technique, it hides malicious execution inside trusted processes. As a privilege escalation technique, it enables attackers to inherit the elevated privileges of high-value targets like lsass.exe, winlogon.exe, or SYSTEM-context services. It frequently combines with obfuscated files (T1027) to deliver the injected payload in an encoded form that avoids pre-injection scanning.

How attackers use process injection

Process injection enables two distinct attacker objectives simultaneously, evasion and privilege inheritance, through a variety of Windows API mechanisms:

  1. Remote thread injection: The attacker calls VirtualAllocEx to allocate memory in a target process, WriteProcessMemory to write shellcode or a DLL path to that memory, and CreateRemoteThread to start a thread in the target process that executes the injected code. This is the most common injection method and the one that Sysmon Event ID 8 (CreateRemoteThread) was specifically designed to detect.
  2. DLL injection: A specific form of remote thread injection where the attacker writes the path of a malicious DLL to the target process's memory, then creates a remote thread whose start address points to the LoadLibrary function. The target process loads the attacker's DLL and executes its DllMain function under the process's own identity.
  3. Process hollowing: The attacker creates a new process in a suspended state (often a legitimate Windows binary), replaces the legitimate executable in memory with malicious code using ZwUnmapViewOfSection and WriteProcessMemory, then resumes the process. The OS sees a legitimate process image path, but the executing code is entirely attacker-controlled. Log360's Potential Pikabot Hollowing Activity rule targets this specific pattern.
  4. Thread execution hijacking: The attacker opens a handle to an existing thread in a target process, suspends it, overwrites its execution context (CONTEXT structure) to redirect execution to injected code, then resumes the thread. This avoids creating new threads and is harder to detect than remote thread injection.
  5. DLL sideloading: The attacker places a malicious DLL with a name matching a DLL that a legitimate application loads by relative path. The application's own loader injects the attacker's DLL without any OpenProcess or CreateRemoteThread calls, making standard injection detection rules ineffective. Log360's Potential DLL Sideloading Using Coregen.exe rule addresses this specific vector.

Process injection in real-world incidents

Process injection is a standard technique in both commodity malware and sophisticated APT tooling:

  • Cobalt Strike: The most widely used red team and attacker framework uses process injection as a core capability, injecting its Beacon payload into legitimate processes like svchost.exe, rundll32.exe, and dllhost.exe to achieve persistence under trusted process identities.
  • GuLoader and Pikabot: Both loaders use process hollowing to execute their payloads inside hollowed legitimate Windows processes. Log360's dedicated rules for these malware families detect their specific hollowing implementation patterns.
  • Lummac Stealer: Uses process injection via the More.com and Vbc.exe combination to execute its credential harvesting payload inside a legitimate process context, making network connections from the host process appear benign.

Sub-techniques and variants

MITRE ATT&CK documents several sub-techniques under T1055, each with distinct API usage patterns and detection characteristics:

  • T1055.001 — DLL injection: Writing a malicious DLL path to a target process and creating a remote thread pointing to LoadLibrary, causing the target to load the attacker's DLL.
  • T1055.002 — PE injection: Injecting a complete portable executable (PE) image into a target process's memory space rather than a DLL, then redirecting execution to the PE's entry point.
  • T1055.003 — Thread execution hijacking: Suspending an existing thread, overwriting its context to redirect execution to injected code, then resuming.
  • T1055.012 — Process hollowing: Creating a legitimate process in suspended state, evacuating its memory, replacing it with malicious code, and resuming execution under the legitimate process's identity.
  • T1055.013 — Process doppelganging: Using Windows Transactional NTFS (TxF) to create and rollback a transaction containing a malicious file, then using the transactional handle to create a process from the malicious image before the transaction is rolled back.

Detection indicators for T1055

Process injection is a memory-resident technique, but it consistently produces detectable signals at the system call and behavioral level even when no malicious file exists on disk:

Cross-process thread creation (Sysmon Event ID 8)

Sysmon's CreateRemoteThread event fires whenever a process creates a thread in another process's address space. Legitimate use of this API is rare outside of debugging tools. Most process injection attacks require CreateRemoteThread to start execution of the injected code. Log360 correlates Event ID 8 against the caller and target process pair. Injection into high-value targets like lsass.exe, svchost.exe, or winlogon.exe from unexpected callers is a Critical-severity indicator.

Process access with suspicious permissions (Sysmon Event ID 10)

Before injecting, an attacker must open a handle to the target process with PROCESS_VM_WRITE and PROCESS_CREATE_THREAD access rights. Sysmon Event ID 10 (ProcessAccess) logs these cross-process handle operations. An unexpected process requesting write access to a high-value target process is a strong injection precursor indicator.

Unexpected network connections from host processes

When injection is used to deploy a C2 agent, the injected code initiates network connections from the host process identity. A process like notepad.exe or calc.exe establishing an outbound network connection is a reliable behavioral indicator that a foreign thread is executing within it. Log360's Network Connection Initiated Via Notepad.EXE rule specifically targets this pattern.

Hollowing and unpacking artefacts

Process hollowing produces characteristic memory operation sequences: ZwUnmapViewOfSection or NtUnmapViewOfSection followed by VirtualAllocEx and WriteProcessMemory against a newly created process in SUSPENDED state. Sysmon's process access and image load events capture enough of this sequence to surface hollowing activity through behavioral correlation.

Log360 detection rules for T1055

Log360 ships with 39+ pre-built correlation rules directly mapped to Process injection (T1055). Rules cover injection via remote thread creation, DLL sideloading, process hollowing, and behavioral anomalies in trusted processes hosting injected code:

Rule name Platform Severity What it detects
PowerShell ShellCode Windows Critical Detects PowerShell commands that load and execute shellcode, the initial delivery stage of many process injection chains where PowerShell acts as the injector into a target process
Potential Pikabot Hollowing Activity Sysmon, Windows Critical Identifies process creation and memory operation patterns associated with the Pikabot loader's process hollowing implementation, creating suspended Windows processes and replacing their memory with malicious payload content
Injected Browser Process Spawning Rundll32 — GuLoader Activity Sysmon, Windows Critical Detects GuLoader's injection pattern where a browser process with injected code spawns rundll32.exe, a specific parent-child process relationship produced by GuLoader's injection and payload execution chain
Network Connection Initiated Via Notepad.EXE Sysmon Trouble Flags outbound network connections initiated by notepad.exe, a process that has no legitimate reason to establish network connections and is commonly used as an injection host because it is trusted and always available
DotNet CLR DLL Loaded By Scripting Applications Sysmon Trouble Detects .NET Common Language Runtime DLLs loaded by script hosts (cscript, wscript) or other scripting applications, an indicator of .NET assembly injection where a script is used to inject managed code into the runtime of another process
Potential DLL Sideloading Using Coregen.exe Sysmon Trouble Identifies abuse of coregen.exe (Microsoft Core CLR Code Generator) for DLL sideloading, placing a malicious DLL with a name matching a dependency that coregen loads by relative path, causing the trusted binary to load attacker-controlled code
Lummac Stealer Activity — Execution Of More.com And Vbc.exe Sysmon, Windows Critical Detects the specific process execution chain used by Lummac Stealer, which uses more.com and vbc.exe in sequence as part of its injection chain to execute credential-stealing payload under a trusted process identity
Additional process injection detection rules (30+ rules) Windows, Sysmon Critical / Trouble Covers DLL sideloading variants, additional process hollowing indicators, Microsoft Sync Center injection abuse, cross-process thread creation patterns, and unexpected network connections from normally network-silent processes

Coverage note: Log360's T1055 detection rules combine generic injection mechanism detection (CreateRemoteThread monitoring, unexpected process network connections) with malware-specific rules for known injection frameworks. Generic rules catch novel injection tools; malware-specific rules catch known campaigns early with high confidence. Together they provide layered coverage that neither approach achieves alone.

Investigation steps

When Log360 fires a Process injection (T1055) alert, follow this sequence to confirm injection, identify the injected payload, and scope the impact:

  1. Identify the injection source and target: Determine which process initiated the injection (the caller in Event ID 8 or 10) and which process was targeted. The source process is the injector; the target is the execution host. Assess whether the caller process is itself compromised or whether it is a legitimate tool being abused.
  2. Analyze the target process behavior: After injection, the target process's behavior changes. Look for outbound network connections, file writes, registry modifications, or child process spawning that is inconsistent with the target process's normal behavior profile. These secondary actions reveal the injected payload's intent.
  3. Collect memory evidence: If the target process is still running, capture a memory dump using Windows Task Manager, ProcDump, or your EDR platform before any remediation. Memory analysis is the most reliable method to recover the injected shellcode or DLL, which may not exist as a file on disk.
  4. Trace the injection chain backward: Identify what caused the injector process to execute. Review the parent process of the injector, its network connections before injection occurred, and any files it created. Trace the chain back to the initial access vector — phishing email, web exploit, or supply chain compromise.
  5. Check for persistence established by injected code: Injected payloads frequently establish persistence before exiting. Review newly created scheduled tasks (Event ID 4698), new services (Event ID 7045), registry run key additions, and new startup folder files created around the time of the injection event.
  6. Assess lateral movement from injected process: Injected code in a privileged process can perform lateral movement using the inherited credentials. Check for SMB connections, remote WMI calls, and PowerShell remoting sessions originating from the target process after the injection timestamp.

Response playbook

  • Collect memory before terminating the injected process: Terminating the target process destroys the only copy of the injected payload if it is memory-only. Always capture a memory dump first. Use ProcDump with -ma [pid] to capture a full memory dump of the target process.
  • Isolate the affected host: Injected code with C2 connectivity can receive tasking for further lateral movement. Network isolation prevents the attacker from issuing additional commands through the injected agent before the investigation is complete.
  • Terminate the target process and all related processes: After memory acquisition and isolation, terminate the target process containing injected code and any child processes it spawned. Kill the injector process as well, as it may be a persistence mechanism that will re-inject on restart.
  • Remove discovered persistence mechanisms: If the injected payload created scheduled tasks, services, or registry run entries, remove all of them. Verify removal by checking the registry and task scheduler against the pre-incident baseline.
  • Re-image or fully audit the host: Process injection is a complex technique. Unless a complete forensic inventory of all changes made by the injected payload can be performed, the safest response is to re-image the affected host from a known-good baseline. Partial remediation risks leaving attacker artefacts that enable re-entry.
  • Deploy Sysmon if not already present: If the injection was not detected through Sysmon events (Event ID 8, 10), prioritize deploying Sysmon with a comprehensive configuration on all monitored endpoints. Sysmon's process access monitoring provides the telemetry required for reliable injection detection.

ManageEngine Log360 for T1055 detection

Log360's 39+ pre-built process injection detection rules combine behavioral anomaly detection (unexpected network connections from trusted processes, cross-process thread creation) with malware-specific rules for known injection frameworks. Sysmon integration provides the deep process telemetry (Event ID 8, 10, and 7) that makes memory-only injection techniques detectable through behavioral signatures rather than file-based scanning.

Download free trial Schedule a demo

Frequently asked questions

What is Process injection (T1055) in MITRE ATT&CK?

Process injection (T1055) is a defense evasion and privilege escalation technique where adversaries inject malicious code into legitimate running processes. The injected code executes under the host process's identity, inheriting its security context and evading process-level detection. Common methods include DLL injection, process hollowing, thread hijacking, and shellcode injection via CreateRemoteThread. Log360 maps 39+ correlation rules to T1055 targeting the system call patterns, cross-process access events, and behavioral anomalies that injection produces.

How does Log360 detect process injection without antivirus signatures?

Log360 detects process injection through behavioral indicators rather than file signatures: Sysmon Event ID 8 (CreateRemoteThread) catches the core injection API call; Sysmon Event ID 10 (ProcessAccess) catches the handle acquisition phase before injection; and network connection anomaly rules (like Network Connection Initiated Via Notepad.EXE) catch the execution phase when injected C2 code phones home. Since injected payloads are memory-resident, these behavioral rules remain effective even when no malicious file exists on disk.

What is the difference between process injection and process hollowing?

Process injection is the broad category of inserting malicious code into a running process's memory space. Process hollowing (T1055.012) is a specific variant where the attacker creates a new legitimate process in a suspended state, empties out its original executable image, and replaces it with malicious code before resuming execution. In standard injection, the original process code continues running alongside the injected code. In hollowing, the original executable is completely replaced. Log360 has dedicated detection rules for process hollowing artefacts, including the Potential Pikabot Hollowing Activity rule.

On this page
 
  • What is Process injection (T1055)?
  • How attackers use process injection
  • Sub-techniques and variants
  • Detection indicators
  • Log360 detection rules
  • Investigation steps
  • Response playbook
  • Frequently asked questions