Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). Because the injected image lands at a base address other than the one it was linked for, the injector must also supply relocation logic to fix up the image's absolute memory references (or the payload must be position-independent). [1]
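The relocation step referred to above, as an added example that is not code from the ATT&CK page or from any of the tools it lists: a Python function that walks a mapped PE image's base relocation directory and adds the delta between the linked ImageBase and the address the image will actually occupy to every absolute reference. The image it runs on is constructed inline (a minimal PE32+ header, one data page holding two pointers, and one relocation block) rather than taken from a real binary, and it assumes the buffer is already laid out as a mapped image, so RVAs equal buffer offsets.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (PE32)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (PE32+)
DIR_BASERELOC = 5              # DataDirectory index of the relocation table


def _headers(image):
    """Return (optional header offset, is PE32+, ImageBase, reloc RVA, reloc size)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:                       # PE32+: ImageBase is 8 bytes at +24, DataDirectory at +112
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        dd = opt + 112
    elif magic == 0x10B:                     # PE32: ImageBase is 4 bytes at +28, DataDirectory at +96
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        dd = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    reloc_rva, reloc_size = struct.unpack_from("<II", image, dd + 8 * DIR_BASERELOC)
    return opt, magic == 0x20B, image_base, reloc_rva, reloc_size


def relocate_image(image, new_base):
    """Apply base relocations in place for a mapped image; return the number of fixups."""
    opt, pe32plus, image_base, reloc_rva, reloc_size = _headers(image)
    delta = new_base - image_base
    if delta == 0 or reloc_size == 0:
        return 0
    applied = 0
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("corrupt relocation block at RVA 0x%x" % pos)
        for off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", image, off)[0]
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                fmt, mask = "<I", 0xFFFFFFFF
            elif rtype == IMAGE_REL_BASED_DIR64:
                fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
            else:
                raise ValueError("unsupported relocation type %d" % rtype)
            if target + struct.calcsize(fmt) > len(image):
                raise ValueError("relocation target 0x%x outside image" % target)
            val = struct.unpack_from(fmt, image, target)[0]
            struct.pack_into(fmt, image, target, (val + delta) & mask)
            applied += 1
        pos += block_size
    # record the new base so a second pass over the same buffer is a no-op
    if pe32plus:
        struct.pack_into("<Q", image, opt + 24, new_base)
    else:
        struct.pack_into("<I", image, opt + 28, new_base & 0xFFFFFFFF)
    return applied


def build_test_image():
    """Constructed minimal PE32+ image (not a real binary) for demonstrating relocation."""
    base = 0x140000000
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    nt = 0x80
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, nt + 4, 0x8664, 1)         # Machine (x64), NumberOfSections
    struct.pack_into("<H", img, nt + 20, 240)               # SizeOfOptionalHeader
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, base)             # ImageBase
    struct.pack_into("<II", img, opt + 112 + 8 * DIR_BASERELOC, 0x2000, 16)  # reloc dir RVA/size
    struct.pack_into("<QQ", img, 0x1000, base + 0x1100, base + 0x1200)       # two absolute pointers
    # one block for page 0x1000: DIR64 at +0, DIR64 at +8, then ABSOLUTE padding
    struct.pack_into("<IIHHH", img, 0x2000, 0x1000, 16, (10 << 12) | 0, (10 << 12) | 8, 0)
    return img


def demo(new_base=0x7FF600000000):
    """Relocate the test image twice; return (fixups on pass 1, fixups on pass 2, ptr0, ptr1)."""
    img = build_test_image()
    first = relocate_image(img, new_base)
    second = relocate_image(img, new_base)
    p0, p1 = struct.unpack_from("<QQ", img, 0x1000)
    return first, second, p0, p1


if __name__ == "__main__":
    print(demo())
```

A real injector does exactly this to the image it has written with WriteProcessMemory (or, more often, before writing it, using the address VirtualAllocEx returned); a detection-side reader can run the same walk in reverse, checking whether pointers in a suspicious region agree with the ImageBase recorded in its header.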
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.
| ID | Name | Description |
|---|---|---|
| C0057 | 3CX Supply Chain Attack | During the 3CX Supply Chain Attack, AppleJeus used the SigFlip tool to inject arbitrary code without affecting or breaking the file's signature.[2][3] |
| S1063 | Brute Ratel C4 | Brute Ratel C4 has injected Latrodectus into the Explorer.exe process on compromised hosts.[4] |
| S0030 | Carbanak | Carbanak downloads an executable and injects it directly into a new process.[5] |
| S1158 | DUSTPAN | DUSTPAN can inject its decrypted payload into another process.[6] |
| S1138 | Gootloader | Gootloader can use its own PE loader to execute payloads in memory.[7] |
| G0078 | Gorgon Group | Gorgon Group malware can download a remote access tool, ShiftyBug, and inject it into another process.[8] |
| S0342 | GreyEnergy | GreyEnergy has a module to inject a PE binary into a remote process.[9] |
| S1229 | Havoc | Havoc has itself injected into |
| S0260 | InvisiMole | InvisiMole can inject its backdoor as a portable executable into a target process.[11] |
| S0681 | Lizar | Lizar can execute PE files in the address space of the specified process.[12] |
| S1145 | Pikabot | Pikabot, following payload decryption, creates a process whose name is hard-coded into the dropped loader (e.g., WerFault.exe) and injects the decrypted core modules into it.[13] |
| G0106 | Rocke | Rocke's miner, "TermsHost.exe", evaded defenses by injecting itself into Windows processes, including Notepad.exe.[14] |
| S0330 | Zeus Panda | Zeus Panda checks processes on the system and, if they meet the necessary requirements, injects into that process.[15] |
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0106 | Behavioral Detection of PE Injection via Remote Memory Mapping | AN0297 | Detects PE injection through a behavioral sequence where one process opens (OpenProcess) a handle to another, allocates remote memory (VirtualAllocEx), writes a PE header (MZ) or shellcode (WriteProcessMemory), then initiates a new thread (CreateRemoteThread or NtCreateThreadEx) in that process, executing injected code in memory without touching disk. Optional: injects a trampoline or shellcode that unpacks/reflectively maps the payload. |
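The AN0297 chain expressed as correlation logic, added here as an example and not part of the ATT&CK analytic or of any vendor product: a Python function that keys API-call telemetry on (source pid, target pid), advances a per-pair state machine through OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread/NtCreateThreadEx within a time window, and records whether any written buffer began with an MZ header. The event records, field names, process names and pids are all constructed for the example; real telemetry (ETW, Sysmon, EDR API tracing) needs a mapping step onto these fields.

```python
from typing import Dict, List, Optional, Tuple

# Ordered stages of the chain; NtCreateThreadEx is treated as an alias of the final stage.
STAGES = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
THREAD_APIS = {"CreateRemoteThread", "NtCreateThreadEx"}
WINDOW_SECONDS = 30.0


def stage_of(api: str) -> Optional[int]:
    """Map an API name to its index in the chain, or None if it is not part of it."""
    if api in THREAD_APIS:
        return 3
    return STAGES.index(api) if api in STAGES else None


def detect_pe_injection(events: List[Dict], window: float = WINDOW_SECONDS) -> List[Dict]:
    """Alert for every (source pid, target pid) pair that completes the chain in order
    within `window` seconds of its OpenProcess call. Repeated calls of the same stage
    (several VirtualAllocEx or WriteProcessMemory calls) keep the chain alive."""
    state: Dict[Tuple[int, int], Dict] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev["api"])
        if stage is None:
            continue
        key = (ev["pid"], ev["target_pid"])
        if stage == 0:
            # a fresh handle restarts the chain for this pair
            state[key] = {"stage": 0, "t0": ev["ts"], "mz": False, "image": ev["image"]}
            continue
        st = state.get(key)
        if st is None:
            continue  # this pid never opened the target: cannot be the same chain
        if ev["ts"] - st["t0"] > window:
            del state[key]  # stale chain; a slow injector evades a tight window (see note)
            continue
        if stage not in (st["stage"], st["stage"] + 1):
            continue  # out of order (e.g. a write before any allocation); ignore
        st["stage"] = stage
        if stage == 2 and ev.get("data_prefix", b"")[:2] == b"MZ":
            st["mz"] = True  # a PE header landed in the remote process
        if stage == 3:
            alerts.append({
                "source_pid": ev["pid"], "source_image": st["image"],
                "target_pid": ev["target_pid"],
                "payload": "pe" if st["mz"] else "shellcode_or_unknown",
                "thread_api": ev["api"], "elapsed": ev["ts"] - st["t0"],
            })
            del state[key]
    return alerts


def ev(ts: float, pid: int, image: str, api: str, target_pid: int, data_prefix: bytes = b"") -> Dict:
    """Build one constructed telemetry record."""
    return {"ts": ts, "pid": pid, "image": image, "api": api,
            "target_pid": target_pid, "data_prefix": data_prefix}


# Constructed sample telemetry (not captured from a real system).
SAMPLE_EVENTS = [
    # full chain, two writes, first one carrying a PE header: alert with payload "pe"
    ev(1.0, 4242, "injector.exe", "OpenProcess", 1337),
    ev(1.1, 4242, "injector.exe", "VirtualAllocEx", 1337),
    ev(1.2, 4242, "injector.exe", "WriteProcessMemory", 1337, b"MZ\x90\x00"),
    ev(1.3, 4242, "injector.exe", "WriteProcessMemory", 1337, b"\x48\x83\xec"),
    ev(1.4, 4242, "injector.exe", "CreateRemoteThread", 1337),
    # a handle alone (task manager style) never completes the chain: no alert
    ev(2.0, 800, "taskmgr.exe", "OpenProcess", 1337),
    # a write with no preceding handle from this pid cannot be correlated: ignored
    ev(3.0, 9000, "svc.exe", "WriteProcessMemory", 2, b"MZ"),
    # shellcode stager (no MZ) finishing with NtCreateThreadEx: alert, payload unknown
    ev(5.0, 5150, "stager.exe", "OpenProcess", 2222),
    ev(5.2, 5150, "stager.exe", "VirtualAllocEx", 2222),
    ev(5.4, 5150, "stager.exe", "WriteProcessMemory", 2222, b"\xfc\x48\x83"),
    ev(5.6, 5150, "stager.exe", "NtCreateThreadEx", 2222),
    # chain whose thread creation comes 60 s after the handle: dropped by the default window
    ev(10.0, 7777, "slow.exe", "OpenProcess", 3333),
    ev(10.1, 7777, "slow.exe", "VirtualAllocEx", 3333),
    ev(10.2, 7777, "slow.exe", "WriteProcessMemory", 3333, b"MZ"),
    ev(70.0, 7777, "slow.exe", "CreateRemoteThread", 3333),
]


if __name__ == "__main__":
    for a in detect_pe_injection(SAMPLE_EVENTS):
        print(a)
```

The last sample chain is the caveat a practitioner should keep in mind: the window is a tuning knob, not a property of the technique, and an injector that sleeps between stages slips past a tight one, so the stage-2 write of an MZ header into another process is worth alerting on by itself at lower severity even when the thread-creation step is never observed.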