Process Injection (T1055)

A comprehensive guide to process injection techniques — DLL injection, PE injection, process hollowing, APC injection, thread execution hijacking — and how analysts detect each sub-technique across T1055.

What Process Injection Is and Why It Matters

  • Process injection is a defense evasion technique where an attacker runs malicious code inside the memory space of a trusted process (e.g., explorer.exe, svchost.exe, lsass.exe, notepad.exe).
  • Because the injected code runs within the context of the legitimate process, it inherits that process’s permissions, network access, and trust level. A firewall rule that allows svchost.exe to reach the internet also allows injected code inside svchost.exe to reach the internet.
  • Process injection is MITRE ATT&CK T1055 with 13 sub-techniques. This article covers the most common ones: DLL injection (T1055.001), PE injection (T1055.002), thread execution hijacking (T1055.003), process hollowing (T1055.012), and APC injection (T1055.004).
  • Process injection is the standard technique for: credential dumping tools (Mimikatz injecting into lsass.exe), C2 frameworks (Cobalt Strike’s execute-assembly, shinject), and info stealers running inside browser processes.

DLL Injection (T1055.001)

The attacker writes the path to a malicious DLL into the target process’s address space, then forces the process to load it.

How It Works

| Step | API Call | What Happens |
|---|---|---|
| 1 | OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID) | Opens a handle to the target process with full access |
| 2 | VirtualAllocEx(hProcess, NULL, dllPathSize, MEM_COMMIT, PAGE_READWRITE) | Allocates memory in the target process |
| 3 | WriteProcessMemory(hProcess, remoteAddr, dllPath, dllPathSize, NULL) | Writes the DLL path to the allocated memory |
| 4 | CreateRemoteThread(hProcess, NULL, 0, LoadLibraryAddr, remoteAddr, 0, NULL) | Creates a thread in the target process that starts at LoadLibraryA with the DLL path as its argument |

Detection Signals

| Signal | What to Look For | Sysmon Event ID |
|---|---|---|
| CreateRemoteThread | Process A creating a thread in Process B, especially if A is a suspicious process (e.g., wmiprvse.exe, rundll32.exe, or a document reader) | Sysmon Event ID 8 |
| Unexpected DLL load | A process loading a DLL from a user-writable path (AppData, Temp, Downloads) | Sysmon Event ID 7 |
| LoadLibrary call pattern | LoadLibraryA or LoadLibraryW called with unusual arguments | EDR API monitoring |
| Target process privilege | If the target is lsass.exe, the attacker is hunting credentials | Sysmon Event ID 10 (ProcessAccess to lsass) |

SPL query, detect CreateRemoteThread (Sysmon Event ID 8). The path exclusions use the search command because where does not support wildcards, and StartModule/StartFunction are included because a thread starting at LoadLibraryA/LoadLibraryW is the step-4 pattern above:

index=windows sourcetype="WinEventLog:Sysmon" EventCode=8
| search NOT (SourceImage="C:\\Program Files\\*" OR SourceImage="C:\\Windows\\System32\\svchost.exe")
| eval alert = "CreateRemoteThread from " . SourceImage . " to " . TargetImage
| table _time, Computer, SourceImage, TargetImage, StartModule, StartFunction, alert
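
The DLL-injection signals above applied to Sysmon records in code. This is an added example, not part of the original article; the events are constructed, and the allow-list mirrors the exclusions in the SPL query:

```python
# Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) records as a
# SIEM returns them after field extraction. All values here are constructed.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\agent.exe",   # allow-listed path
     "TargetImage": r"C:\Program Files\Vendor\helper.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},  # query-limited only
]

# Process access rights from the Win32 headers; Sysmon reports the mask in GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def allow_listed_source(image):
    """Mirror of the exclusions in the SPL query above (Program Files and svchost.exe)."""
    image = image.lower()
    return image.startswith(r"c:\program files") or image == r"c:\windows\system32\svchost.exe"


def load_library_remote_thread(ev):
    """Event 8 whose new thread starts at LoadLibraryA/W: the DLL-injection thread from step 4."""
    return ev["EventID"] == 8 and ev.get("StartFunction", "").lower() in ("loadlibrarya", "loadlibraryw")


def injection_capable_access(ev):
    """Event 10 whose handle carries every right needed to write memory and start a thread."""
    if ev["EventID"] != 10:
        return False
    return (int(ev["GrantedAccess"], 16) & INJECTION_RIGHTS) == INJECTION_RIGHTS


def triage(events):
    """Return (verdict, source image, target image) for each event that trips a signal."""
    hits = []
    for ev in events:
        src, tgt = ev["SourceImage"], ev["TargetImage"]
        if load_library_remote_thread(ev) and not allow_listed_source(src):
            hits.append(("remote LoadLibrary thread", src, tgt))
        elif injection_capable_access(ev):
            verdict = ("lsass access with injection rights"
                       if tgt.lower().endswith(r"\lsass.exe") else "injection-capable handle")
            hits.append((verdict, src, tgt))
    return hits
```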

PE Injection (T1055.002)

Instead of making the target process load a DLL on disk, the attacker writes the entire Portable Executable (EXE or DLL) into the target’s memory directly.

How It Works

| Step | API Call | What Happens |
|---|---|---|
| 1 | OpenProcess + VirtualAllocEx | Opens the target process and allocates memory |
| 2 | WriteProcessMemory | Writes the full PE binary into target memory |
| 3 | VirtualProtectEx(hProcess, remoteAddr, peSize, PAGE_EXECUTE_READWRITE, &oldProtect) | Changes the memory protection to executable |
| 4 | CreateRemoteThread(hProcess, NULL, 0, entryPoint, NULL, 0, NULL) | Executes the injected PE from its entry point |

Detection Signals

| Signal | What to Look For |
|---|---|
| Memory protection change to PAGE_EXECUTE_READWRITE | A memory region that was PAGE_READWRITE (data) is changed to PAGE_EXECUTE_READWRITE (code) without a corresponding file mapping |
| DLL loaded with no on-disk file | The injected DLL has no corresponding .dll file on disk; it exists only in memory |
| Modified memory in suspicious regions | EDRs detect anonymous memory regions (not backed by a file on disk, not heap, not stack) that contain code |

Process Hollowing (T1055.012)

The attacker starts a legitimate process in a suspended state, replaces its code, then resumes it. The process appears legitimate to users and tools, but its code is malicious.

How It Works

| Step | API Call | What Happens |
|---|---|---|
| 1 | CreateProcess(suspended) | Starts a legitimate process (svchost.exe, notepad.exe, rundll32.exe) in the CREATE_SUSPENDED state |
| 2 | NtUnmapViewOfSection(hProcess, originalImageBase) | Unmaps the original executable code from the process |
| 3 | VirtualAllocEx(hProcess, desiredBase, maliciousImageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE) | Allocates new memory at the preferred base address |
| 4 | WriteProcessMemory(hProcess, baseAddr, maliciousImage, maliciousImageSize, NULL) | Writes the malicious PE into the hollowed process |
| 5 | SetThreadContext(hThread, &context) | Points the thread entry point to the malicious code |
| 6 | ResumeThread(hThread) | Resumes the process; it now runs the attacker's code under the legitimate process name |

Detection Signals

| Signal | What to Look For | Sysmon Event ID |
|---|---|---|
| Process in suspended state | CreateProcess with the CREATE_SUSPENDED flag, very rare for legitimate software | EDR (process creation flags) |
| Thread start address != process entry point | The main thread starts at an address that does not match any of the process's known exports | Sysmon Event ID 1 (check Image vs ParentImage) |
| Process memory layout anomaly | No executable section mapped at the process's preferred base address | Memory forensics with Volatility (malfind, ldrmodules) |
| Process hollowing from a parent that should not create processes | wmiprvse.exe spawning rundll32.exe suspended, or WINWORD.EXE spawning notepad.exe | Sysmon Event ID 1 (parent-child relationship) |

SPL query, detect hollowing candidates from parent-child relationships. Sysmon Event ID 1 does not record process creation flags, so CREATE_SUSPENDED itself is only visible to an EDR; this query keys on the parent-child anomalies and common hollow targets listed above:

index=windows sourcetype="WinEventLog:Sysmon" EventCode=1
| search (ParentImage="*\\wmiprvse.exe" AND Image="*\\rundll32.exe") OR (ParentImage="*\\WINWORD.EXE" AND (Image="*\\notepad.exe" OR Image="*\\svchost.exe" OR Image="*\\rundll32.exe"))
| eval alert = "POSSIBLE HOLLOWING: " . ParentImage . " spawned " . Image
| table _time, Computer, Image, CommandLine, ParentImage, alert
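
An added example, not the article's or any tool's code, that applies the PE-injection and hollowing memory signals from the two detection tables above in a malfind/ldrmodules-style pass over a process's memory regions; the region layouts are constructed and the notepad.exe image base is assumed:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Region:
    start: int
    size: int
    protection: str          # e.g. "PAGE_EXECUTE_READWRITE"
    kind: str                # "MEM_IMAGE", "MEM_MAPPED" or "MEM_PRIVATE"
    file: Optional[str]      # backing file for image/mapped regions, None for private memory
    head: bytes              # first bytes of the region, as a memory dump would show them


EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
NOTEPAD = r"C:\Windows\System32\notepad.exe"
NOTEPAD_BASE = 0x7FF6C0000000   # assumed preferred image base for the constructed layouts
NTDLL = r"C:\Windows\System32\ntdll.dll"

# Constructed layout of a hollowed notepad.exe: the original image was unmapped (step 2)
# and replaced by private RWX memory holding a different PE (steps 3 and 4).
HOLLOWED_REGIONS = [
    Region(NOTEPAD_BASE, 0x40000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE", None, b"MZ\x90\x00\x03"),
    Region(0x7FFB10000000, 0x1F0000, "PAGE_EXECUTE_READ", "MEM_IMAGE", NTDLL, b"MZ\x90\x00\x03"),
    Region(0x1A2B0000, 0x10000, "PAGE_READWRITE", "MEM_PRIVATE", None, b"\x00" * 5),   # heap
]
# Constructed layout of an untouched notepad.exe for comparison.
CLEAN_REGIONS = [
    Region(NOTEPAD_BASE, 0x40000, "PAGE_EXECUTE_READ", "MEM_IMAGE", NOTEPAD, b"MZ\x90\x00\x03"),
    Region(0x7FFB10000000, 0x1F0000, "PAGE_EXECUTE_READ", "MEM_IMAGE", NTDLL, b"MZ\x90\x00\x03"),
    Region(0x1A2B0000, 0x10000, "PAGE_READWRITE", "MEM_PRIVATE", None, b"\x00" * 5),
]


def malfind(regions):
    """PE-injection signal: executable memory that no file backs. Returns (start, has_pe_header)."""
    return [(r.start, r.head.startswith(b"MZ"))
            for r in regions if r.kind == "MEM_PRIVATE" and r.protection in EXEC_PROTECTIONS]


def hollowing_indicator(process_image, image_base, regions):
    """Hollowing signal: the region at the image base must be a MEM_IMAGE mapping of the process's own file."""
    at_base = next((r for r in regions if r.start == image_base), None)
    if at_base is None:
        return "nothing mapped at the image base"
    if at_base.kind != "MEM_IMAGE":
        return f"image base is {at_base.kind} memory, not a file mapping"
    if (at_base.file or "").lower() != process_image.lower():
        return f"image base is backed by {at_base.file}, not the process executable"
    return None
```

A real run would take the VAD list from Volatility or a live handle instead of the constructed lists; the two checks are the same.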

APC Injection (T1055.004)

Asynchronous Procedure Calls (APCs) are a Windows mechanism for executing code in the context of a specific thread. Attackers queue malicious APCs to threads in target processes.

How It Works

| Step | API Call | What Happens |
|---|---|---|
| 1 | OpenThread | Opens a handle to a thread in the target process |
| 2 | VirtualAllocEx + WriteProcessMemory | Writes shellcode to the target process memory |
| 3 | QueueUserAPC(shellcodeAddr, hThread, NULL) | Queues an APC that points to the shellcode. The next time the thread enters an alertable state (WaitForSingleObjectEx, SleepEx, MsgWaitForMultipleObjectsEx), the APC fires and executes the shellcode |

Detection Signals

| Signal | What to Look For |
|---|---|
| APC queue notifications | EDR sensors that monitor QueueUserAPC calls (not all do; this is a blind spot for many tools) |
| Suspicious thread execution start | A thread starting from an unexpected address without a corresponding process creation event |
| Alertable wait detection | Processes entering alertable wait states more frequently than expected |

Thread Execution Hijacking (T1055.003)

Instead of creating a new thread, the attacker takes control of an existing thread in the target process.

How It Works

| Step | API Call | What Happens |
|---|---|---|
| 1 | OpenThread(targetThread) | Opens a handle to a running thread |
| 2 | SuspendThread(hThread) | Suspends the thread's execution |
| 3 | GetThreadContext(hThread, &context) | Saves the current thread context (registers, instruction pointer) |
| 4 | SetThreadContext(hThread, &contextWithModifiedEIP) | Changes the instruction pointer to the shellcode address |
| 5 | ResumeThread(hThread) | Resumes the thread; it now executes the shellcode |

Detection Signals

| Signal | What to Look For |
|---|---|
| SuspendThread + SetThreadContext in quick succession | Very unusual in normal operations; nearly always malicious |
| Thread resuming from an unexpected address | EDR or Sysmon may detect the thread origin after resume |
| GetThreadContext on a thread the caller does not own | A legitimate process rarely queries another process's thread context |
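
An added example, not from the original article, that applies the APC-injection and thread-hijacking signals above to a constructed EDR-style API trace. The trace format (timestamp, caller PID, API, target PID, target TID) is hypothetical, since real sensors differ; the point is the stateful sequence match on cross-process calls:

```python
# Constructed EDR-style API trace: (timestamp_s, caller_pid, api, target_pid, target_tid).
TRACE = [
    (10.00, 4321, "OpenThread", 1234, 1300),
    (10.01, 4321, "SuspendThread", 1234, 1300),
    (10.02, 4321, "GetThreadContext", 1234, 1300),
    (10.03, 4321, "SetThreadContext", 1234, 1300),
    (10.04, 4321, "ResumeThread", 1234, 1300),
    (11.00, 1234, "SuspendThread", 1234, 1301),   # a process suspending its own thread is normal
    (11.01, 1234, "SetThreadContext", 1234, 1301),
    (11.02, 1234, "ResumeThread", 1234, 1301),
    (12.00, 4321, "QueueUserAPC", 5678, 5700),    # APC queued to a thread in another process
    (12.50, 5678, "QueueUserAPC", 5678, 5700),    # APC to the process's own thread: normal
]

# Steps 2, 4 and 5 of thread execution hijacking, in order (step 3, GetThreadContext, is optional).
HIJACK_SEQUENCE = ("SuspendThread", "SetThreadContext", "ResumeThread")
WINDOW_S = 5.0   # a partial match older than this is discarded


def detect(trace):
    """Return (verdict, ts, caller_pid, target_pid, target_tid) for each cross-process
    hijack sequence completed inside WINDOW_S and for each cross-process QueueUserAPC."""
    alerts = []
    progress = {}   # (caller_pid, target_pid, target_tid) -> (next_index, first_ts)
    for ts, pid, api, tpid, ttid in trace:
        if tpid == pid:
            continue   # own-process thread manipulation is routine (runtimes, GC, self-debugging)
        key = (pid, tpid, ttid)
        if api == "QueueUserAPC":
            alerts.append(("cross-process APC", ts, pid, tpid, ttid))
            continue
        idx, first = progress.get(key, (0, ts))
        if ts - first > WINDOW_S:          # stale partial match: start over
            idx, first = 0, ts
        if api == HIJACK_SEQUENCE[idx]:
            idx += 1
        if idx == len(HIJACK_SEQUENCE):
            alerts.append(("thread execution hijack", ts, pid, tpid, ttid))
            progress.pop(key, None)
        elif idx:
            progress[key] = (idx, first)
    return alerts
```

Debuggers also drive SetThreadContext on other processes' threads, so in production the caller image would be checked against a debugger allow-list before alerting.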

Reference Table — All T1055 Sub-Techniques

| Sub-Technique | ID | Injection Method | Files on Disk? | Detection Difficulty |
|---|---|---|---|---|
| DLL Injection | T1055.001 | CreateRemoteThread + LoadLibrary | Yes (DLL on disk) | Medium (also exploitable via API attacks) |
| PE Injection | T1055.002 | Manual PE mapping in memory | No | Hard |
| Thread Execution Hijacking | T1055.003 | SetThreadContext on existing thread | Yes (shellcode injected first) | Very Hard |
| APC Injection | T1055.004 | QueueUserAPC to alertable thread | Yes (shellcode) | Very Hard (many EDRs miss it) |
| Thread Local Storage (TLS) Callback | T1055.005 | TLS callbacks in PE | Yes (DLL with modified TLS) | Hard |
| Ptrace System Calls | T1055.008 | Linux ptrace to inject into processes | Depends | Linux-only; relevant in container environments |
| Proc Memory | T1055.009 | /proc/[pid]/mem writes on Linux | Depends | Linux-only |
| Extra Window Memory Injection | T1055.011 | SetWindowLong to store shellcode in window memory | No | Very Hard |
| Process Hollowing | T1055.012 | Suspended process with unmapped/replaced memory | No (process name is legitimate) | Medium |
| Process Doppelgänging | T1055.013 | NTFS transaction to replace process image | No (TxF, no on-disk image) | Hard; can be used in insider threat scenarios |

General Detection Strategy

| Detection Layer | Tool | What to Look For |
|---|---|---|
| Process creation | Sysmon Event ID 1, Windows 4688 | Unusual parent-child relationships (e.g., WINWORD.EXE → powershell.exe) |
| Cross-process access | Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess) | A process opening a handle with PROCESS_ALL_ACCESS or PROCESS_VM_WRITE to another process |
| Memory modification | EDR memory scanning, Volatility malfind | Memory regions with PAGE_EXECUTE_READWRITE that are not backed by a file |
| DLL loading | Sysmon Event ID 7 | DLLs loaded from user-writable paths, unsigned DLLs loaded by signed processes |
| Thread anomalies | EDR thread monitoring | Threads starting at unexpected addresses, thread suspension/resume patterns |
