The Most Used MITRE ATT&CK Technique: T1055 Process Injection

Suleyman OZARSLAN, PhD
Picus Security
Published Nov 23, 2020

Our industry-leading Red Team in Picus Labs meticulously analyzed 48,813 malware samples to understand and describe the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. After months of intense research, almost 500,000 TTPs have been mapped to ATT&CK to identify the top 10 most common techniques used by attackers.

Read the Picus Red Report that provides the research findings and practical resources, including:
- red and blue team exercises
- threat hunting and modeling
- threat intelligence

Our research has shown that the most prevalent MITRE ATT&CK technique used by adversaries in their malware was T1055 Process Injection. Adversaries emphasize an enhanced level of stealth, persistence, and privilege in their sophisticated cyber attacks. As a mechanism capable of providing these functions, it is not surprising that Process Injection is the most frequently used technique.

By listing the running processes and filtering out the legitimate ones that belong to the operating system or installed applications, it is simple to identify malware processes. However, if the malware is able to encapsulate its malicious code inside a legitimate process, it hides on the infected system. Process injection is an “old but gold” method that consists of running arbitrary code within another process’s address space. As a consequence, this technique gives the injected code access to the memory, device, and network resources of the target process.

The technique offers three major advantages for adversaries on this account:

  • Executing code under the cover of a legitimate process can evade security controls. Since the legitimate process is whitelisted, it camouflages the malicious code to avoid detection.
  • Since the malicious code is executed within the memory space of the legitimate process, it can also evade disk forensics.
  • If the target process has elevated privileges, this technique enables privilege escalation. For example, if the target process has access to network resources, the malicious code can communicate legitimately over the Internet and with other computers on the same network.

Targeted Processes

Since custom processes are quickly detected by security controls, threat actors inject into common Windows processes such as:

  • Built-in native Windows processes: AppLaunch.exe, arp.exe, cmd.exe, csc.exe, cvtres.exe, dllhost.exe, explorer.exe, msbuild.exe, PowerShell.exe, RegAsm.exe, RegSvcs.exe, regsvr32.exe, rundll32.exe, services.exe, svchost.exe, and vbc.exe.
  • Common software processes: chrome.exe, firefox.exe, ieuser.exe, iexplore.exe, msinm.exe, opera.exe, and outlook.exe.

Sub-techniques of the Process Injection Technique

There are 14 sub-techniques of Process Injection:

  • T1055.001 Dynamic-link Library Injection
  • T1055.002 Portable Executable Injection
  • T1055.003 Thread Execution Hijacking
  • T1055.004 Asynchronous Procedure Call
  • T1055.005 Thread Local Storage
  • T1055.008 Ptrace System Calls
  • T1055.009 Proc Memory
  • T1055.011 Extra Window Memory Injection
  • T1055.012 Process Hollowing
  • T1055.013 Process Doppelgänging
  • T1055.014 VDSO Hijacking

Read our blog for a more in-depth look at the MITRE ATT&CK T1055 Process Injection technique.

Read the Picus Red Report for the MITRE ATT&CK techniques most used by adversaries: Picus, The Red Report 2020: Your Handbook to Utilize the MITRE ATT&CK Framework.


Co-founder @ PICUS | VP of Picus Labs | Purple Academy | Hacker | Researcher | Former Cyber Security Trainer @ NATO SPS #infosec #cybersecurity #entrepreneur