MITRE ATT&CK Technique
Description
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-14T01:27:31.344Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may inject portable executables (PE) into '
'processes in order to evade process-based defenses as well as '
'possibly elevate privileges. PE injection is a method of '
'executing arbitrary code in the address space of a separate '
'live process. \n'
'\n'
'PE injection is commonly performed by copying code (perhaps '
'without a file on disk) into the virtual address space of the '
'target process before invoking it via a new thread. The write '
'can be performed with native Windows API calls such as '
'<code>VirtualAllocEx</code> and '
'<code>WriteProcessMemory</code>, then invoked with '
'<code>CreateRemoteThread</code> or additional code (ex: '
'shellcode). The displacement of the injected code does '
'introduce the additional requirement for functionality to '
'remap memory references. (Citation: Elastic Process Injection '
'July 2017) \n'
'\n'
'Running code in the context of another process may allow '
"access to the process's memory, system/network resources, and "
'possibly elevated privileges. Execution via PE injection may '
'also evade detection from security products since the '
'execution is masked under a legitimate process. ',
'external_references': [{'external_id': 'T1055.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1055/002'},
{'description': 'Hosseini, A. (2017, July 18). Ten '
'Process Injection Techniques: A '
'Technical Survey Of Common And '
'Trending Process Injection '
'Techniques. Retrieved December 7, '
'2017.',
'source_name': 'Elastic Process Injection July 2017',
'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'}],
'id': 'attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:01.839Z',
'name': 'Portable Executable Injection',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}