T1055 Process Injection
T1055 — Process Injection is a MITRE ATT&CK technique mapped to two tactics, Defense Evasion and Privilege Escalation: the adversary runs code inside the address space of another, usually trusted, process to evade process-based defenses or inherit that process's privileges. Clankerusecase tracks 34 detection use cases covering it and 8 threat-intel articles citing it.
Tactics (2): Defense Evasion · Privilege Escalation
Use cases: 34
Articles: 8
Sub-techniques: 12
Sub-techniques (12)
T1055.001 · Dynamic-link Library Injection
T1055.002 · Portable Executable Injection
T1055.003 · Thread Execution Hijacking
T1055.004 · Asynchronous Procedure Call
T1055.005 · Thread Local Storage
T1055.008 · Ptrace System Calls
T1055.009 · Proc Memory
T1055.011 · Extra Window Memory Injection
T1055.012 · Process Hollowing
T1055.013 · Process Doppelgänging
T1055.014 · VDSO Hijacking
T1055.015 · ListPlanting
Use cases covering this technique (34)
Cisco NVM - Non-Network Binary Making Network Connection
Cisco NVM - Suspicious Network Connection From Process With No Args
Create Remote Thread In Shell Application
DLLHost with no Command Line Arguments with Network
GPUpdate with no Command Line Arguments with Network
Notepad with no Command Line Arguments
Powershell Fileless Process Injection via GetProcAddress
Powershell Remote Thread To Known Windows Process
Rundll32 Create Remote Thread To A Process
Rundll32 CreateRemoteThread In Browser
SearchProtocolHost with no Command Line with Network
Suspicious DLLHost no Command Line Arguments
Suspicious GPUpdate no Command Line Arguments
Suspicious SearchProtocolHost no Command Line Arguments
Trickbot Named Pipe
Windows List ENV Variables Via SET Command From Uncommon Parent
Windows Process Injection In Non-Service SearchIndexer
Windows Process Injection Wermgr Child Process
Windows Process With NamedPipe CommandLine
Windows PUA Named Pipe
Windows Remote Assistance Spawning Process
Windows RMM Named Pipe
Windows Suspicious C2 Named Pipe
Windows Suspicious Named Pipe
Winhlp32 Spawning a Process
Wscript Or Cscript Suspicious Child Process
Cisco Secure Firewall - Communication Over Suspicious Ports
Cobalt Strike Named Pipes
Windows Command Shell Fetch Env Variables
[LLM] Talos weekly prevalent malware hash execution (Coinminer/Injector/Dropper.Miner)
[LLM] OneDrive.Sync.Service.exe spawned/injected outside legitimate OneDrive chain (SPECTRALVIPER injection target)
[LLM] csrss.exe or dwm.exe spawning child process (Win32K-GRFX kernel exploit marker)
[LLM] Talos weekly top-prevalent malware hash watch (Coinminer / Injector / W32.Variant)
[LLM] EDR-Freeze: WerFaultSecure.exe abused to suspend AV/EDR processes via MiniDumpWriteDump race
Articles citing this technique (8)
high · A tale of two eras (art-40)
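As an added example, not part of the Clankerusecase catalog or of any listed detection's own source, the following Python shows the logic behind three of the use-case families above: the "... no Command Line Arguments with Network" rules, the "Create Remote Thread / CreateRemoteThread" rules, and "Cobalt Strike Named Pipes". It runs over constructed Sysmon-style events embedded in the block. The event field names, the process watch lists and the pipe-name regexes are this example's own assumptions, not the catalog's rule definitions, and a production rule would be tuned against the estate's own baseline.

```python
"""Toy detection pass for three T1055 use-case families over constructed Sysmon-style events.

Event shapes are simplified from Sysmon: id 1 = process create, 3 = network connection,
8 = CreateRemoteThread, 17 = named pipe created. Every event below is constructed for
this example, not real telemetry.
"""
import re

# Constructed sample telemetry. Only three of these events should trip a rule.
SAMPLE_EVENTS = [
    # dllhost.exe started with no arguments by a temp-folder binary, then reaching out (suspicious)
    {"id": 1, "pid": 4100, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r'"C:\Windows\System32\dllhost.exe"',
     "parent": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
    # dllhost.exe started as a COM surrogate with /Processid (normal)
    {"id": 1, "pid": 4102, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r'"C:\Windows\System32\dllhost.exe" /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "pid": 4100, "image": r"C:\Windows\System32\dllhost.exe", "dest": "203.0.113.7:443"},
    {"id": 3, "pid": 4102, "image": r"C:\Windows\System32\dllhost.exe", "dest": "10.0.0.5:135"},
    # rundll32 opening a thread inside a browser (suspicious)
    {"id": 8, "pid": 5200, "source_image": r"C:\Windows\System32\rundll32.exe",
     "target_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # csrss -> conhost remote thread is routine console setup, not in the watch list
    {"id": 8, "pid": 900, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\conhost.exe"},
    # a Cobalt Strike default-style pipe name next to an ordinary Windows RPC pipe
    {"id": 17, "pid": 4100, "image": r"C:\Windows\System32\dllhost.exe", "pipe": r"\MSSE-1337-server"},
    {"id": 17, "pid": 700, "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\wkssvc"},
]

# Binaries that normally carry arguments; a bare invocation followed by a network
# connection is the "... no Command Line Arguments with Network" pattern (assumed list).
NO_ARGS_IMAGES = {"dllhost.exe", "gpudate.exe".replace("gpudate", "gpupdate"),
                  "searchprotocolhost.exe", "notepad.exe"}
# Source and target process names for the remote-thread rules (assumed lists).
INJECTOR_IMAGES = {"rundll32.exe", "powershell.exe", "pwsh.exe"}
INJECT_TARGETS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe",
                  "explorer.exe", "svchost.exe", "notepad.exe", "searchindexer.exe"}
# Shapes of Cobalt Strike's documented default pipe names (regexes are this example's own).
CS_PIPE_PATTERNS = [re.compile(p, re.I) for p in (
    r"^\\MSSE-\d+-server$", r"^\\postex_[0-9a-f]+$",
    r"^\\msagent_[0-9a-f]+$", r"^\\status_[0-9a-f]+$")]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def command_line_has_no_args(cmdline):
    """True when the command line is only the program path, quoted or unquoted.

    An unquoted path containing spaces would be split here; the watched binaries
    all live under System32, so that case does not arise for this rule.
    """
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m is not None and m.group(1) == ""


def detect_no_args_with_network(events):
    """Process-create with a bare command line, joined to a later network connection by pid."""
    bare = {e["pid"] for e in events
            if e["id"] == 1 and basename(e["image"]) in NO_ARGS_IMAGES
            and command_line_has_no_args(e["cmdline"])}
    return [{"rule": "no_args_with_network", "pid": e["pid"],
             "image": basename(e["image"]), "detail": e["dest"]}
            for e in events if e["id"] == 3 and e["pid"] in bare]


def detect_remote_thread(events):
    """CreateRemoteThread from a living-off-the-land binary into a browser or core Windows process."""
    return [{"rule": "remote_thread_from_lolbin", "pid": e["pid"],
             "image": basename(e["source_image"]), "detail": basename(e["target_image"])}
            for e in events if e["id"] == 8
            and basename(e["source_image"]) in INJECTOR_IMAGES
            and basename(e["target_image"]) in INJECT_TARGETS]


def detect_cobalt_strike_pipe(events):
    """Named pipe creation whose name matches a Cobalt Strike default shape."""
    return [{"rule": "cobalt_strike_named_pipe", "pid": e["pid"],
             "image": basename(e["image"]), "detail": e["pipe"]}
            for e in events if e["id"] == 17
            and any(p.match(e["pipe"]) for p in CS_PIPE_PATTERNS)]


def run_all(events):
    """Run every rule and return the combined alert list, in rule order."""
    return (detect_no_args_with_network(events)
            + detect_remote_thread(events)
            + detect_cobalt_strike_pipe(events))


if __name__ == "__main__":
    for a in run_all(SAMPLE_EVENTS):
        print(f"{a['rule']:26} pid={a['pid']:<5} {a['image']} -> {a['detail']}")
```

Run as-is it flags the argument-less dllhost.exe that connected out, the rundll32.exe thread in firefox.exe, and the MSSE-style pipe, while the COM-surrogate dllhost.exe (which carries /Processid), the csrss.exe to conhost.exe thread and the wkssvc pipe stay quiet. The pid join in the first rule is the part worth copying: the "no arguments" condition alone is noisy, and the network connection is what makes it an injection indicator.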