Process Injection Techniques: Living in Memory

October 29, 2024 6 min read
Process injection is one of the most prevalent techniques I encounter during penetration testing engagements, and it remains a cornerstone of advanced threat actor tradecraft. At its core, process injection allows malicious code to execute within the address space of a legitimate process, effectively hiding behind the reputation and trust of that process. For defenders, understanding these techniques is essential because detecting process injection is one of the most impactful ways to catch sophisticated adversaries early in their attack chain. This post maps to MITRE ATT&CK technique T1055 (Process Injection) and its numerous sub-techniques.

Why Attackers Use Process Injection

Before diving into specific techniques, it is important to understand the defensive advantages that process injection gives attackers, because this understanding directly informs where defenders should focus their monitoring efforts. When code runs inside a trusted process like svchost.exe or explorer.exe, process-based allow lists and application control policies are effectively bypassed. Network connections from injected processes appear to originate from the legitimate host process, making network-based detection more difficult. Additionally, if the host process is terminated, the malicious code stops with it, reducing forensic artifacts. Defenders who understand these motivations can build detection strategies that look beyond surface-level process information.

Classic Techniques

These well-established injection methods have been documented for years, and robust EDR solutions should detect them reliably. Their continued presence in the wild often indicates commodity malware or less sophisticated actors.

  • CreateRemoteThread injection - The attacker allocates memory in a target process using VirtualAllocEx, writes shellcode using WriteProcessMemory, and creates a new thread to execute it via CreateRemoteThread. This is the most basic form of injection and produces a very recognizable API call pattern. Defenders should alert on any cross-process memory allocation followed by thread creation, particularly when the source process is not a known system debugger or management tool.
  • DLL Injection - The attacker forces a target process to load a malicious DLL by writing the DLL path into the target process memory and creating a remote thread that calls LoadLibrary. This technique leaves clear artifacts in the list of loaded modules. Defenders can detect it by monitoring for unexpected DLL loads and by watching for remote thread creation whose start address is a LoadLibrary function in kernel32.dll.
  • APC Injection - Asynchronous Procedure Calls allow code to be queued for execution in the context of a specific thread. Attackers use QueueUserAPC to schedule their code for execution when the target thread enters an alertable wait state. Defenders should monitor for cross-process APC queuing, which can be observed through ETW providers and EDR telemetry.

Modern Techniques

More advanced injection techniques have been developed to evade the behavioral detections built around classic methods. These require more sophisticated monitoring to detect reliably.

  • Process Hollowing (T1055.012) - The attacker creates a legitimate process in a suspended state, unmaps its original executable image from memory, and replaces it with malicious code before resuming execution. The resulting process appears legitimate from the outside but executes entirely different code. Defenders can detect this by comparing the in-memory image of a process against its on-disk executable, a technique sometimes called process image verification.
  • Process Doppelganging - This technique abuses NTFS file transactions to create a process from a transacted file that is never actually committed to disk. The process appears backed by a legitimate file, but the actual code in memory is malicious. Detection requires monitoring for unusual use of NTFS transaction APIs such as NtCreateTransaction and NtRollbackTransaction in the context of process creation.
  • Early Bird injection - The attacker creates a process in a suspended state, queues an APC to the main thread before the process entry point executes, and then resumes the process. The malicious code runs before any EDR hooks are placed in the process. Defenders should monitor for the specific pattern of process creation in suspended state followed immediately by APC queuing.
  • Mockingjay - This technique identifies legitimate DLLs that contain RWX (read-write-execute) memory sections and uses those sections to host malicious code without needing to allocate new executable memory. Because no suspicious memory allocation occurs, many EDR behavioral rules are bypassed. Defenders should audit their systems for DLLs with RWX sections and monitor for unexpected code execution from those regions.

Detection Indicators and Monitoring

Detecting process injection requires a multi-layered monitoring approach. No single indicator is definitive, but combinations of the following signals provide high-confidence alerts.

  • Cross-process memory operations - Monitor for VirtualAllocEx and WriteProcessMemory calls where the source and target processes differ. Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) with specific access masks for memory writing are essential data sources. Any process that opens another process with PROCESS_VM_WRITE and PROCESS_VM_OPERATION permissions without a legitimate reason should be investigated.
  • Unusual thread creation - New threads in a process that do not originate from known loaded modules are a strong indicator of injection. Thread start addresses that point to unbacked memory regions are particularly suspicious.
  • Memory allocation patterns - Watch for memory regions that are allocated with executable permissions, especially RWX regions, in processes that do not normally require them. EDR products and tools like Volatility can enumerate process memory maps to identify anomalous regions.
  • Suspicious API sequences - The combination of OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread in sequence is a textbook injection pattern. More advanced detections should look for variations using NtCreateThreadEx, NtMapViewOfSection, and other native API equivalents that attackers use to avoid user-mode hooks.
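To show how the Event ID 10 access-mask check and the Event ID 8 unbacked-thread check above combine into a single alert, here is an added Python example (not code from the original post) that runs that logic over constructed Sysmon-shaped records; the allow list, image paths, PIDs and timestamps are assumptions made for the sample.

```python
from datetime import datetime, timedelta

# Win32 access-mask bits an injector needs to write code into another process.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_CAPABLE = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
# Hypothetical allow list of sources that legitimately open other processes for writing (EDR, AV).
ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}
WINDOW = timedelta(seconds=5)  # correlation window: write-capable handle -> remote thread

def event(eid, t, src, spid, tgt, tpid, **fields):
    """Build a record in the shape of a Sysmon event (constructed sample data, not real telemetry)."""
    return {"EventId": eid, "UtcTime": t, "SourceImage": src, "SourceProcessId": spid,
            "TargetImage": tgt, "TargetProcessId": tpid, **fields}

SAMPLE_EVENTS = [  # constructed: an injector, an allow-listed AV engine, and a benign low-rights handle
    event(10, "2024-10-29 10:00:01.000", r"C:\Users\alice\Downloads\update.exe", 4120,
          r"C:\Windows\explorer.exe", 1338, GrantedAccess="0x1FFFFF"),
    event(8, "2024-10-29 10:00:01.250", r"C:\Users\alice\Downloads\update.exe", 4120,
          r"C:\Windows\explorer.exe", 1338, StartAddress="0x000001E9A2C40000", StartModule=""),
    event(10, "2024-10-29 10:00:02.000", r"C:\Program Files\Windows Defender\MsMpEng.exe", 3004,
          r"C:\Windows\explorer.exe", 1338, GrantedAccess="0x1FFFFF"),
    event(10, "2024-10-29 10:00:03.000", r"C:\Windows\System32\svchost.exe", 912,
          r"C:\Windows\System32\lsass.exe", 700, GrantedAccess="0x1000"),
]

def write_capable_access(ev):
    """Event ID 10: a cross-process handle carrying both PROCESS_VM_OPERATION and PROCESS_VM_WRITE."""
    if ev["EventId"] != 10 or ev["SourceProcessId"] == ev["TargetProcessId"]:
        return False
    if ev["SourceImage"].lower() in ALLOWLIST:
        return False
    return (int(ev["GrantedAccess"], 16) & WRITE_CAPABLE) == WRITE_CAPABLE

def unbacked_remote_thread(ev):
    """Event ID 8: the new thread starts at an address that no loaded module backs."""
    return ev["EventId"] == 8 and not ev.get("StartModule")

def detect(events):
    """Return (severity, reason, source, target); handle then unbacked thread within WINDOW rates high."""
    alerts, pending = [], {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):  # Sysmon UtcTime strings sort lexically
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        if write_capable_access(ev):
            pending[key] = t  # remember the handle so a later remote thread can be correlated
            alerts.append(("medium", "write-capable handle", ev["SourceImage"], ev["TargetImage"]))
        elif unbacked_remote_thread(ev):
            sev = "high" if key in pending and t - pending[key] <= WINDOW else "medium"
            alerts.append((sev, "remote thread into unbacked memory", ev["SourceImage"], ev["TargetImage"]))
    return alerts
```

On the sample data the allow-listed engine and the 0x1000 (query-only) handle produce nothing, while the update.exe pair yields a medium alert for the handle and a high alert for the thread that follows it.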

Detection and Defense Best Practices

Based on my experience testing detection capabilities across many organizations, here are the most effective defensive measures against process injection.

  • Deploy Sysmon with comprehensive configuration - Ensure Sysmon is configured to log process creation (Event ID 1), process access (Event ID 10), and create remote thread events (Event ID 8). The SwiftOnSecurity Sysmon configuration is a strong starting point that covers injection-related telemetry.
  • Enable Windows Defender Credential Guard - This prevents certain injection techniques that target LSASS by running it in a virtualization-based security enclave, making credential theft through injection significantly harder.
  • Implement memory integrity scanning - Use your EDR or supplementary tools to periodically scan process memory for unbacked executable code. Any executable memory region that is not backed by a file on disk is suspicious and warrants investigation.
  • Monitor for process creation anomalies - Process hollowing and doppelganging create processes in suspended states. Track processes created with the CREATE_SUSPENDED flag and correlate with subsequent memory operations before resumption.
  • Build detection around known attack tool patterns - Many injection frameworks follow predictable patterns. Create detection rules that identify the specific sequences used by popular tools, while also building broader behavioral detections that catch novel approaches.

Testing and Validation

Testing injection detection is critical for validating your defensive coverage. During purple team exercises, I work with blue teams to systematically test each injection technique against their detection stack. The goal is not to find ways around detection but to ensure that the organization can reliably identify injection attempts when they occur. Organizations that regularly test their injection detection capabilities are significantly better prepared to detect real-world threats that rely on these fundamental techniques. Every detection gap identified during testing is an opportunity to improve security before a real adversary exploits it.

Vid Grosek

Ethical Hacker & Penetration Tester

I help Slovenian companies discover security vulnerabilities before attackers do. Over 5 years of penetration testing experience.
