Understanding MITRE ATT&CK T1055 Process Injection

Key Points

  • Process injection is a widely used technique for disguising malicious activities within legitimate processes.
  • Attacks utilizing process injection can escalate privileges and evade security controls.
  • Malware often employs stealth mechanisms like DLL hooking and code hiding to avoid detection.
  • Advanced malware uses process hollowing and multi-stage infection chains for persistence.
  • Observed trends include increased use of encrypted communication and sophisticated evasion frameworks like SHELLTER.

T1055 in the MITRE ATT&CK framework highlights one of the most commonly used techniques by threat actors to evade detection and execute malicious payloads: process injection. By injecting code into the memory space of legitimate processes, attackers can disguise their activities, bypass security controls, and maintain persistence on compromised systems.

This article draws on the Picus 10 Critical MITRE ATT&CK Techniques report, which highlights the 10 most common MITRE ATT&CK techniques used by cyber threat actors, based on analysis of over 1 million malware samples collected throughout 2024.

Report Key Points:

  1. 93% of malicious actions were carried out using the top 10 ATT&CK techniques.
  2. Credential-stealing malware surged from 8% (2023) to 25% (2024).
  3. Malware is more complex, averaging 14 malicious actions and 12 ATT&CK techniques per sample.
  4. Evasion and persistence techniques like process injection and autostart execution are increasingly used.
  5. Encrypted communication (HTTPS, DoH) is now standard for hiding malicious traffic.

MITRE ATT&CK T1055 Process Injection

Process injection is a powerful and widely used technique that allows adversaries to execute malicious code within the address space of a legitimate process. By injecting code into trusted processes, attackers can evade detection, escalate privileges, and maintain persistence on a compromised system. With process injection, malicious payloads run under the guise of legitimate applications, making it significantly harder for security tools to detect suspicious activity.

Process injection provides two significant benefits for adversaries:

1. Privilege Escalation

If the target process has elevated privileges, the injected code will also have access to those privileges, allowing the adversary to gain greater control over the system and potentially escalate their privileges even further. For instance, if a target process has access to network resources, then the malicious code encapsulated within this process may allow an adversary to communicate over the Internet or with other computers on the same network. This privilege can enable the adversary to carry out various malicious activities, such as downloading next-stage payloads or tools, exfiltrating sensitive data, spreading malware to other systems, or launching attacks against the network.

2. Defense Evasion

Adversaries evade security controls designed to detect and block known threats by executing their malicious code under the privileges of a legitimate process. As the malicious code is hidden within the legitimate process, which is typically allow-listed, the target process acts as a camouflage for the malicious code, allowing the malicious code to evade detection and run without being noticed. Since the code is typically run directly in the memory of the legitimate process, it is difficult for disk forensics tools to detect the code, as it is not written to the disk.
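Because the injected code never touches disk, the practical detection point is the cross-process access that injection requires: a process opening another process with write and thread-creation rights, or creating a thread in it. The following is an added example (not code from the article or from Picus) that applies that logic to a constructed, simplified one-line-per-event rendering of Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess). The access-right constants are documented Windows values; the target list is taken from the trusted processes named in the case studies later on this page, and the benign-source baseline and scripting-host list are assumptions to tune per environment.

```python
"""Added example: flag process-injection indicators in Sysmon-style events.

The input is a constructed, simplified one-line-per-event rendering of
Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess);
real Sysmon output is XML, so a production version would parse that instead.
"""
import re
from dataclasses import dataclass

# Documented Windows process access rights. Holding VM_WRITE together with
# CREATE_THREAD or VM_OPERATION is the classic "write payload, start thread"
# injection primitive.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

# Trusted processes the case studies on this page name as injection targets.
ABUSED_TARGETS = {"explorer.exe", "svchost.exe", "taskmgr.exe", "jp2launcher.exe"}
# Scripting hosts that have no legitimate reason to create threads in other processes (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Sources that routinely create remote threads on Windows (assumed baseline; tune per estate).
BENIGN_SOURCES = {"csrss.exe", "werfault.exe"}


@dataclass
class Finding:
    event_id: int
    source: str
    target: str
    reason: str


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict; values contain no spaces in this format."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def analyse(lines):
    """Return one Finding per event that matches an injection pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if "EventID" not in ev:
            continue
        eid = int(ev["EventID"])
        src = _basename(ev.get("SourceImage", ""))
        dst = _basename(ev.get("TargetImage", ""))
        if eid == 8 and src not in BENIGN_SOURCES:
            # Any cross-process thread creation from an unexpected source is worth a look.
            findings.append(Finding(eid, src, dst, f"remote thread created in {dst}"))
        elif eid == 10:
            access = int(ev.get("GrantedAccess", "0x0"), 16)
            wants_write = bool(access & PROCESS_VM_WRITE)
            wants_exec = bool(access & (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION))
            if wants_write and wants_exec and (src in SCRIPT_HOSTS or dst in ABUSED_TARGETS):
                findings.append(Finding(eid, src, dst, f"write+execute access 0x{access:X} to {dst}"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = r"""
EventID=10 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1FFFFF
EventID=8 SourceImage=C:\Users\Public\stager.exe TargetImage=C:\Windows\System32\svchost.exe StartAddress=0x0000020F1A2B0000
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe StartAddress=0x00007FF8A1B20000
EventID=1 Image=C:\Windows\System32\notepad.exe
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"[Event {f.event_id}] {f.source} -> {f.target}: {f.reason}")
```

On the sample, the PowerShell open of explorer.exe with full access and the unknown binary's remote thread in svchost.exe are reported, while the svchost.exe query of lsass.exe (query-only rights) and the csrss.exe remote thread (normal Windows behaviour) are not. The same two rules cover the PowerShell-driven and jp2launcher.exe cases described below; the trade-off is that a benign-source allow-list has to be maintained per environment, because security products and debuggers also create remote threads.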

Threat Research references that discuss T1055 Process Injection

A Deep Dive into XWorm Malware

Process Injection is demonstrated through a shellcode component labeled “Stager,” which targets specific processes — Taskmgr, explorer, and svchost — for injection. Once injected, the shellcode loads a decrypted DLL module that implements stealth mechanisms by hooking several Windows APIs. These hooks are designed to conceal both a malicious process and a named pipe, each labeled “phantom,” effectively evading detection and reinforcing persistence within the compromised system.

RENDERSHOCK: Weaponizing Trust in File Rendering Pipelines

Process Injection (via PowerShell) is used to stealthily execute reverse shells by injecting malicious code into legitimate processes. This is typically triggered during passive file interactions — such as previewing .lnk files or Office documents — where encoded PowerShell commands are executed silently. The injected code runs within trusted system processes, allowing attackers to establish covert command-and-control channels without user interaction or visible execution.

Fix the Click: Preventing the ClickFix Attack Vector

Attackers inject malicious code into a legitimate process — in this case, jp2launcher.exe, a Java Runtime component. The injected code is decrypted from previously downloaded payloads and executed within the trusted process, allowing the malware (NetSupport RAT) to run stealthily. This method helps evade detection by security tools, as the malicious activity appears to originate from a legitimate application. The injection is part of a broader ClickFix campaign that uses social engineering and clipboard hijacking to initiate the infection chain.

Technical Analysis of Ducex: Packer of Triada Android Malware

Process Injection is demonstrated through the use of ptrace with PTRACE_ATTACH, where the malware (Ducex packer) creates a child process that attaches to its parent process. This self-debugging mechanism prevents external debuggers from attaching, as only one tracer can be active per process. This is a sophisticated anti-analysis technique that leverages process injection to maintain control and evade detection, aligning with T1055’s sub-techniques like Thread Execution Hijacking or Ptrace Injection.
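The self-debugging trick described above leaves a visible trace on Linux: procfs reports the tracer in the TracerPid field of /proc/<pid>/status, and in the Ducex pattern that tracer is a child of the very process it traces. The following is an added example (not code from the Ducex analysis or from any vendor) that parses status text and reports processes traced by their own child; it runs on a constructed set of status snippets, and the read_live_statuses helper is an assumption that a Linux host with procfs is available.

```python
"""Added example: spot Linux processes traced by their own child.

A process that forks a child which then PTRACE_ATTACHes to the parent occupies
the single tracer slot the kernel allows, so a real debugger cannot attach.
On a live host, procfs exposes this as TracerPid in /proc/<pid>/status; the
detection function below works on status text so it runs anywhere.
"""
import os


def parse_status(text):
    """Parse the 'Key: value' lines of /proc/<pid>/status into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def find_self_tracers(statuses):
    """statuses maps pid -> status text. Return sorted (traced_pid, tracer_pid)
    pairs in which the tracer's parent is the process it traces."""
    parsed = {pid: parse_status(text) for pid, text in statuses.items()}
    hits = []
    for pid, fields in parsed.items():
        tracer = int(fields.get("TracerPid", "0"))
        if tracer == 0:
            continue  # not being traced at all
        tracer_fields = parsed.get(tracer)
        if tracer_fields is not None and int(tracer_fields.get("PPid", "-1")) == pid:
            hits.append((pid, tracer))
    return sorted(hits)


def read_live_statuses():
    """Collect /proc/<pid>/status for every process on a Linux host (assumes procfs)."""
    statuses = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as fh:
                    statuses[int(entry)] = fh.read()
            except OSError:
                continue  # process exited or permission denied; skip it
    return statuses


# Constructed sample: 4242 is traced by its own child 4243 (the Ducex-style pattern);
# 900 is traced by an ordinary debugger 800 that is not its child.
SAMPLE_STATUSES = {
    4242: "Name:\tapp_main\nState:\tt (tracing stop)\nPid:\t4242\nPPid:\t1\nTracerPid:\t4243\n",
    4243: "Name:\tapp_main\nState:\tS (sleeping)\nPid:\t4243\nPPid:\t4242\nTracerPid:\t0\n",
    900: "Name:\ttarget\nState:\tt (tracing stop)\nPid:\t900\nPPid:\t1\nTracerPid:\t800\n",
    800: "Name:\tgdb\nState:\tS (sleeping)\nPid:\t800\nPPid:\t1\nTracerPid:\t0\n",
}

if __name__ == "__main__":
    for traced, tracer in find_self_tracers(SAMPLE_STATUSES):
        print(f"pid {traced} is traced by its own child {tracer}")
```

On the sample only the 4242/4243 pair is reported; the gdb session on pid 900 is an ordinary parent-independent tracer and is left alone. Run against read_live_statuses() the check is cheap enough to schedule, and a hit on a process that is not a known debugger or profiler is a strong signal of the anti-analysis behaviour the Ducex packer uses.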

More Steganography! — SANS Internet Storm Center

In this case, the attacker uses a multi-stage infection chain involving an Excel document, HTA script, BAT and VBS scripts, and PowerShell to ultimately download a steganographically embedded DLL payload from an image file. This DLL is then loaded and executed in memory, which aligns with MITRE ATT&CK T1055 (Process Injection). The technique allows the attacker to inject malicious code into the memory space of another process, helping evade detection by traditional security tools and enabling stealthy execution of the final payload (a credential stealer).

Taking SHELLTER: a commercial evasion framework abused in-the-wild

Process Injection is observed through the use of SHELLTER’s advanced evasion capabilities. Specifically, SHELLTER-protected malware employs thread execution hijacking by injecting polymorphic shellcode into legitimate processes. This allows the malicious payload to execute within the context of trusted applications, effectively bypassing security mechanisms and evading detection. The injected code is often encrypted and obfuscated, further complicating analysis and enabling stealthy post-exploitation activities.

@mentalpositive’s New macOS Stealer: AMOS Repackaged or a New Cyber Threat?

In this case, the malware uses process hollowing, a sub-technique of MITRE T1055, to evade detection. By forking itself and detaching from the terminal and session manager, it effectively becomes a background daemon. This allows it to operate stealthily, bypassing interactive debugging tools and sandbox environments. The goal is to maintain persistence and avoid analysis, which is a hallmark of process injection techniques used by advanced malware.

Read More: https://medium.com/@harboot/mitre-att-ck-t1055-process-injection-5355d7dc2d85