MITRE ATT&CK Technique: Process Injection (T1055)
Description
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
Supported Platforms
Linux, macOS, Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{
  "created": "2017-05-31T21:30:47.843Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ",
  "external_references": [
    {
      "external_id": "T1055",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1055"
    },
    {
      "description": "GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.",
      "source_name": "GNU Acct",
      "url": "https://www.gnu.org/software/acct/"
    },
    {
      "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
      "source_name": "Elastic Process Injection July 2017",
      "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
    },
    {
      "description": "Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.",
      "source_name": "RHEL auditd",
      "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing"
    },
    {
      "description": "Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.",
      "source_name": "ArtOfMemoryForensics"
    },
    {
      "description": "Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.",
      "source_name": "Microsoft Sysmon v6 May 2017",
      "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon"
    },
    {
      "description": "stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.",
      "source_name": "Chokepoint preload rootkits",
      "url": "http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html"
    }
  ],
  "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
  "kill_chain_phases": [
    {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
    {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}
  ],
  "modified": "2025-10-24T17:48:43.053Z",
  "name": "Process Injection",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "attack-pattern",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Anastasios Pingios", "Christiaan Beek, @ChristiaanBeek", "Ryan Becwar"],
  "x_mitre_deprecated": false,
  "x_mitre_detection": "",
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_is_subtechnique": false,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": ["Linux", "macOS", "Windows"],
  "x_mitre_version": "1.4"
}