TIARAS - T1055.003: Thread Execution Hijacking

MITRE ATT&CK Technique

Defense Evasion T1055.003

Description

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point the process can be suspended then written to, realigned to the injected code, and resumed via <code>SuspendThread </code>, <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Elastic Process Injection July 2017) This is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.

Supported Platforms

Windows

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2020-01-14T01:28:32.166Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may inject malicious code into hijacked processes '
                'in order to evade process-based defenses as well as possibly '
                'elevate privileges. Thread Execution Hijacking is a method of '
                'executing arbitrary code in the address space of a separate '
                'live process. \n'
                '\n'
                'Thread Execution Hijacking is commonly performed by '
                'suspending an existing process then unmapping/hollowing its '
                'memory, which can then be replaced with malicious code or the '
                'path to a DLL. A handle to an existing victim process is '
                'first created with native Windows API calls such as '
                '<code>OpenThread</code>. At this point the process can be '
                'suspended then written to, realigned to the injected code, '
                'and resumed via <code>SuspendThread </code>, '
                '<code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, '
                '<code>SetThreadContext</code>, then <code>ResumeThread</code> '
                'respectively.(Citation: Elastic Process Injection July 2017)\n'
                '\n'
                'This is very similar to [Process '
                'Hollowing](https://attack.mitre.org/techniques/T1055/012) but '
                'targets an existing process rather than creating a process in '
                'a suspended state.  \n'
                '\n'
                'Running code in the context of another process may allow '
                "access to the process's memory, system/network resources, and "
                'possibly elevated privileges. Execution via Thread Execution '
                'Hijacking may also evade detection from security products '
                'since the execution is masked under a legitimate process. ',
 'external_references': [{'external_id': 'T1055.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1055/003'},
                         {'description': 'Hosseini, A. (2017, July 18). Ten '
                                         'Process Injection Techniques: A '
                                         'Technical Survey Of Common And '
                                         'Trending Process Injection '
                                         'Techniques. Retrieved December 7, '
                                         '2017.',
                          'source_name': 'Elastic Process Injection July 2017',
                          'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'}],
 'id': 'attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:48:42.433Z',
 'name': 'Thread Execution Hijacking',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.2'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (1)

rhysida
High

Back to TTPs

Dashboard About