T1055 — Process Injection

Technique

T1055

Tactics

Stealth, Privilege Escalation

MISP citations

0

KEV CVEs mapped

19

Community rules

35

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1055

MITRE description

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-31324
• CVE-2025-25257
• CVE-2025-25181
• CVE-2025-24993
• CVE-2025-22224
• CVE-2025-21480
• CVE-2025-21418
• CVE-2025-1316
• CVE-2025-0282
• CVE-2025-0108
• CVE-2024-6047
• CVE-2024-58136
• CVE-2024-56145
• CVE-2024-50603
• CVE-2024-40891
• CVE-2024-40890
• CVE-2023-6548
• CVE-2023-34192
• CVE-2020-29574

Detection coverage

SigmaHQ community rules

• Malware Shellcode in Verclsid Target Process (emerging-threats)
• Potential Dridex Activity (emerging-threats)
• Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection (emerging-threats)
• APT PRIVATELOG Image Load Pattern (emerging-threats)
• Injected Browser Process Spawning Rundll32 - GuLoader Activity (emerging-threats)
• Lummac Stealer Activity - Execution Of More.com And Vbc.exe (emerging-threats)
• RedSun - Named Pipe Created (emerging-threats)
• RedSun - TieringEngineService.exe Detected as EICAR Test File (emerging-threats)
• Remote Thread Created In Shell Application (threat-hunting)
• Potential Shellcode Injection (threat-hunting)
• Potential Executable Run Itself As Sacrificial Process (threat-hunting)
• Rare Remote Thread Creation By Uncommon Source Image (core)
• Remote Thread Creation By Uncommon Source Image (core)
• Created Files by Microsoft Sync Center (core)
• Potential DLL Sideloading Using Coregen.exe (core)
• DotNet CLR DLL Loaded By Scripting Applications (core)
• Network Connection Initiated Via Notepad.EXE (core)
• Microsoft Sync Center Suspicious Network Connections (core)
• CobaltStrike Named Pipe Pattern Regex (core)
• CobaltStrike Named Pipe Patterns (core)
• CobaltStrike Named Pipe (core)
• HackTool - CoercedPotato Named Pipe Creation (core)
• HackTool - EfsPotato Named Pipe Creation (core)
• Malicious Named Pipe Created (core)
• PowerShell ShellCode (core)

Showing 25 of 35 community rules — the full set is tagged attack.t1055 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.