Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references.[1]
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.
| ID | Name | Description |
|---|---|---|
| C0057 | 3CX Supply Chain Attack | During the 3CX Supply Chain Attack, AppleJeus uses the SigFlip tool to inject arbitrary code without affecting or breaking the file's signature.[2][3] |
| S1063 | Brute Ratel C4 | Brute Ratel C4 has injected Latrodectus into the Explorer.exe process on compromised hosts.[4] |
| S0030 | Carbanak | Carbanak downloads an executable and injects it directly into a new process.[5] |
| S1158 | DUSTPAN | DUSTPAN can inject its decrypted payload into another process.[6] |
| S1138 | Gootloader | Gootloader can use its own PE loader to execute payloads in memory.[7] |
| G0078 | Gorgon Group | Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process.[8] |
| S0342 | GreyEnergy | GreyEnergy has a module to inject a PE binary into a remote process.[9] |
| S1229 | Havoc | Havoc has itself injected into |
| S0260 | InvisiMole | InvisiMole can inject its backdoor as a portable executable into a target process.[11] |
| S0681 | Lizar | Lizar can execute PE files in the address space of the specified process.[12] |
| S1145 | Pikabot | Pikabot, following payload decryption, creates a process hard-coded into the dropped (e.g., WerFault.exe) and injects the decrypted core modules into it.[13] |
| G0106 | Rocke | Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.[14] |
| S0330 | Zeus Panda | Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process.[15] |
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0106 | Behavioral Detection of PE Injection via Remote Memory Mapping | AN0297 | Detects PE injection through a behavioral sequence where one process opens (OpenProcess) a handle to another, allocates remote memory (VirtualAllocEx), writes a PE header (MZ) or shellcode (WriteProcessMemory), then initiates a new thread (CreateRemoteThread or NtCreateThreadEx) in that process—executing injected code in memory without touching disk. Optional: injects a trampoline or shellcode that unpacks/reflectively maps the payload. |
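The analytic above describes a behavioral chain rather than a single indicator. The following Python correlation rule is an added example, not part of the ATT&CK page or of any vendor's detection content: it walks a list of constructed process-API telemetry events (the event schema, the field names `ts`, `api`, `src_pid`, `dst_pid`, `extra`, and the 30-second correlation window are all assumptions) and raises an alert only when one process opens a handle to another, allocates executable memory there, writes a buffer that begins with the `MZ` PE header (or any buffer, for the shellcode variant), and then starts a remote thread in that process within the window.

```python
"""Added example: correlate the OpenProcess -> VirtualAllocEx ->
WriteProcessMemory -> CreateRemoteThread/NtCreateThreadEx chain from
DET0106/AN0297 over process-API telemetry.

Assumed (not from the page) event schema: a dict per logged API call with
  ts       float   event time in seconds
  api      str     Windows API name as recorded by the sensor
  src_pid  int     calling process
  dst_pid  int     process the handle refers to
  extra    dict    API-specific details: 'protect' (alloc), 'buffer' (write)
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 30.0  # assumed tuning knob: max OpenProcess -> thread gap

OPEN_APIS = {"OpenProcess", "NtOpenProcess"}
ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
THREAD_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"}

# Real Windows page-protection constants that make a region executable.
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
EXECUTABLE_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}


@dataclass
class PairState:
    """What has been observed so far for one (src_pid, dst_pid) handle."""
    opened_at: Optional[float] = None
    allocated_exec: bool = False
    wrote_pe_header: bool = False
    wrote_any: bool = False


@dataclass
class Alert:
    src_pid: int
    dst_pid: int
    ts: float
    reason: str


def detect_pe_injection(events, window=WINDOW_SECONDS):
    """Return one Alert per (src, dst) pair that completes the chain inside
    `window` seconds of the OpenProcess call. Events may arrive unsorted."""
    states = defaultdict(PairState)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_pid"], ev["dst_pid"])
        st = states[key]
        api, extra = ev["api"], ev.get("extra", {})
        if api in OPEN_APIS:
            # A fresh handle restarts the chain for this pair.
            states[key] = PairState(opened_at=ev["ts"])
        elif st.opened_at is None or ev["ts"] - st.opened_at > window:
            # No handle seen, or the chain has gone stale: drop it.
            states.pop(key, None)
        elif api in ALLOC_APIS:
            if extra.get("protect") in EXECUTABLE_PROTECTIONS:
                st.allocated_exec = True
        elif api in WRITE_APIS:
            st.wrote_any = True
            if extra.get("buffer", b"")[:2] == b"MZ":
                st.wrote_pe_header = True
        elif api in THREAD_APIS:
            if st.allocated_exec and st.wrote_pe_header:
                alerts.append(Alert(*key, ev["ts"],
                              "remote thread after executable alloc and MZ write"))
            elif st.allocated_exec and st.wrote_any:
                alerts.append(Alert(*key, ev["ts"],
                              "remote thread after executable alloc and remote write (possible shellcode)"))
            states.pop(key, None)
    return alerts


# Constructed telemetry: an injector (4242 -> 1337), a debugger-style writer
# with no executable allocation (5000 -> 6000), and a shellcode-style chain
# (7000 -> 8000). Byte strings are placeholders, not real payloads.
SAMPLE_EVENTS = [
    {"ts": 100.0, "api": "OpenProcess", "src_pid": 4242, "dst_pid": 1337, "extra": {}},
    {"ts": 100.2, "api": "VirtualAllocEx", "src_pid": 4242, "dst_pid": 1337,
     "extra": {"protect": PAGE_EXECUTE_READWRITE}},
    {"ts": 100.4, "api": "WriteProcessMemory", "src_pid": 4242, "dst_pid": 1337,
     "extra": {"buffer": b"MZ\x90\x00\x03\x00"}},
    {"ts": 100.6, "api": "CreateRemoteThread", "src_pid": 4242, "dst_pid": 1337, "extra": {}},
    {"ts": 200.0, "api": "OpenProcess", "src_pid": 5000, "dst_pid": 6000, "extra": {}},
    {"ts": 200.2, "api": "WriteProcessMemory", "src_pid": 5000, "dst_pid": 6000,
     "extra": {"buffer": b"\xcc"}},  # breakpoint patch, no exec alloc
    {"ts": 300.0, "api": "NtOpenProcess", "src_pid": 7000, "dst_pid": 8000, "extra": {}},
    {"ts": 300.2, "api": "NtAllocateVirtualMemory", "src_pid": 7000, "dst_pid": 8000,
     "extra": {"protect": PAGE_EXECUTE_READ}},
    {"ts": 300.4, "api": "NtWriteVirtualMemory", "src_pid": 7000, "dst_pid": 8000,
     "extra": {"buffer": b"\x90\x90\x90"}},
    {"ts": 300.6, "api": "NtCreateThreadEx", "src_pid": 7000, "dst_pid": 8000, "extra": {}},
]

if __name__ == "__main__":
    for a in detect_pe_injection(SAMPLE_EVENTS):
        print(f"[{a.ts:.1f}] pid {a.src_pid} -> pid {a.dst_pid}: {a.reason}")
```

Two points a practitioner should keep in mind when deploying a rule like this: the same API chain is used legitimately by debuggers and some security products, so the source-process image path normally goes through an allowlist before an alert is raised; and the rule only sees handles it watched being opened, so handles obtained through duplication or inheritance, or a sensor that does not log the pre-thread calls, will leave gaps that need a separate analytic.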