Process Injection
What is Process Injection?
A family of evasion techniques in which an attacker runs malicious code inside the address space of a legitimate process to inherit its trust and identity.
Process injection covers any method that places attacker-controlled code into the memory of another process and causes that process to execute it, so the activity appears to originate from a signed or expected program. Common variants include DLL injection, reflective DLL loading, process hollowing, APC queue injection, thread execution hijacking, and AtomBombing. The goals are typically defense evasion, persistence, privilege escalation, and credential access (for example reading LSASS memory). MITRE ATT&CK groups these as T1055 with sub-techniques. Detection relies on EDR cross-process and memory-write telemetry, kernel callbacks, Sysmon events 8 (CreateRemoteThread) and 10 (ProcessAccess), behavioural baselining of parent-child process trees, and protections such as Credential Guard and Code Integrity.
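The detection telemetry named above can be turned into a first-pass triage rule. The following is an added example, not code from the original page: it parses constructed, flattened stand-ins for Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) records and flags cross-process thread creation, LSASS memory reads, and access masks that combine write and thread-creation rights. The `key=value` line format, the `BASELINE_SOURCES` allowlist and the sample paths are all assumptions for the example; real Sysmon output is XML and the baseline must be tuned per environment.

```python
"""Triage Sysmon Event ID 8/10 records for process-injection indicators.

Added example (not from the page). Input is a constructed, flattened
key=value form of the Sysmon fields; real Sysmon events are XML in EVTX.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows process access rights relevant to injection and credential access.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
# Writing code into a process and starting a thread in it needs all three.
INJECT_MASK = PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD

# Assumed baseline: system processes that legitimately touch other processes.
# This is a placeholder list for the example; tune it from your own telemetry.
BASELINE_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# key=value or key="quoted value" tokens
FIELD_RE = re.compile(r'(\w+)=((?:"[^"]*")|\S*)')


@dataclass
class Finding:
    event_id: int
    source: str
    target: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one constructed key=value record into a dict with an int EventId."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["EventId"] = int(fields["EventId"])
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: dict) -> Optional[Finding]:
    """Return a Finding if the event matches an injection indicator, else None."""
    src = ev.get("SourceImage", "").lower()
    tgt = ev.get("TargetImage", "").lower()
    if src in BASELINE_SOURCES:
        return None  # expected cross-process activity
    if ev["EventId"] == 8 and src != tgt:
        # Event 8: a thread was created in a different process.
        return Finding(8, src, tgt, "remote thread created in another process")
    if ev["EventId"] == 10:
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if basename(tgt) == "lsass.exe" and granted & PROCESS_VM_READ:
            return Finding(10, src, tgt,
                           "read access to LSASS memory (possible credential access)")
        if granted & INJECT_MASK == INJECT_MASK:
            return Finding(10, src, tgt,
                           "write+thread-create access rights consistent with injection")
    return None


def triage_log(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (triage(parse_event(l)) for l in lines) if f]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    'EventId=8 SourceImage="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" '
    'TargetImage="C:\\Windows\\explorer.exe" StartAddress=0x00007FF6A1B20000',
    'EventId=10 SourceImage="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1010',
    'EventId=10 SourceImage="C:\\Windows\\System32\\svchost.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1000',
    'EventId=10 SourceImage="C:\\Program Files\\Tools\\debug.exe" '
    'TargetImage="C:\\Windows\\notepad.exe" GrantedAccess=0x1F0FFF',
    'EventId=8 SourceImage="C:\\Windows\\System32\\csrss.exe" '
    'TargetImage="C:\\Windows\\explorer.exe" StartAddress=0x7FFA1000',
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[Sysmon {f.event_id}] {f.source} -> {f.target}: {f.reason}")
```

The allowlist is what keeps this rule usable: without it, Event 10 alone is far too noisy, since many system components open other processes. The `GrantedAccess` mask check is more specific than a simple "source differs from target" test, because it distinguishes a read-only handle from one that can write memory and start a thread.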
● Examples
- 01 Process hollowing: starting notepad.exe suspended, unmapping its image, writing in a malicious payload, and resuming it.
- 02 APC injection from a beacon into explorer.exe to survive without dropping new files.
● Frequently asked questions
What is Process Injection?
A family of evasion techniques in which an attacker runs malicious code inside the address space of a legitimate process to inherit its trust and identity. It belongs to the Attacks & Threats category of cybersecurity.
What does Process Injection mean?
A family of evasion techniques in which an attacker runs malicious code inside the address space of a legitimate process to inherit its trust and identity.
How does Process Injection work?
Process injection covers any method that places attacker-controlled code into the memory of another process and causes that process to execute it, so the activity appears to originate from a signed or expected program. Common variants include DLL injection, reflective DLL loading, process hollowing, APC queue injection, thread execution hijacking, and AtomBombing. The goals are typically defense evasion, persistence, privilege escalation, and credential access (for example reading LSASS memory). MITRE ATT&CK groups these as T1055 with sub-techniques. Detection relies on EDR cross-process and memory-write telemetry, kernel callbacks, Sysmon events 8 (CreateRemoteThread) and 10 (ProcessAccess), behavioural baselining of parent-child process trees, and protections such as Credential Guard and Code Integrity.
How do you defend against Process Injection?
Defences for Process Injection combine technical controls with operational practices: EDR monitoring of cross-process memory writes and remote thread creation, Sysmon events 8 and 10, kernel callbacks, baselining of parent-child process trees to spot unexpected behaviour from trusted binaries, and platform protections such as Credential Guard (to shield LSASS secrets) and Code Integrity (to block unsigned code), as described in the full definition above.
● Related terms
- DLL Injection (attacks, № 332)
A code-injection technique that forces a target Windows process to load and execute an attacker-supplied dynamic-link library.
- Fileless Malware (malware, № 417)
Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- Defense Evasion (defense-ops, № 298)
The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
- Malware (malware, № 649)
Any software intentionally designed to disrupt, damage, or gain unauthorized access to computers, networks, or data.
- EDR (Endpoint Detection and Response) (defense-ops, № 371)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- Mimikatz (defense-ops, № 682)
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
● See also
- Sysmon (№ 1124)
- Sandbox Escape (№ 964)
- DLL Hijacking (№ 331)
- LD_PRELOAD Hijacking (№ 610)