Disclaimer: At DataYard, we believe it’s important to understand the methods an attacker might use to gain access to your system, so that we know what to look out for and be better prepared to defend against it. This article discusses common techniques attackers may use to maintain access to compromised systems. These behaviors are presented strictly for educational and defensive awareness purposes only. These are things you should watch out for!

What is Process Injection?

In essence, process injection involves:

Inserting a block of code (shellcode) into the memory space of a given process — bypassing traditional file-based detection mechanisms.

Instead of executing malicious code directly (which could more easily be caught on disk by antivirus or EDR), the code is embedded into a trusted process in an attempt to hide in plain sight.

Why Attackers Use Process Injection

Bad actors may leverage process injection in order to gain several advantages (MITRE ATT&CK, n.d.):

• Stealth: Code may run under the context of a trusted process.
• Evasion: Leverages Application Whitelisting to avoid the need for malware existing on disk.
• Access: Inherits privileges and tokens of the target process.

Common Process Injection Techniques

There are a variety of types of injection, including (but not limited to) those documented in the MITRE ATT&CK framework (MITRE ATT&CK, n.d.):

Process Inject Workflow

The following steps outline a common process injection workflow using Windows API functions (Microsoft Learn, n.d.-a, n.d.-b):

1. Identify Target Process
– The injector finds or spawns a process (e.g., notepad.exe).

2. Open Handle
– The injector uses OpenProcess() to get a handle to the target process.

3. Allocate Memory
– Using VirtualAllocEx(), the injector reserves space in the target process.

4. Write Payload
– The payload (shellcode) is copied using WriteProcessMemory().

5. Execute Payload
– A new thread is created in the remote process using CreateRemoteThread() or similar.

This is the injection pattern: open a handle to a process, allocate memory, write the payload (shellcode), and spawn a remote thread to execute it.

OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread are all low-level functions, exposed via the Windows API, that facilitate interacting with memory space within the Windows Operating system (Microsoft Learn, n.d.-a).

How Shellcode Works in Process Injection

Shellcode is malicious machine code (not human-readable) intended to spawn a command shell or perform other malicious actions. Because it is written directly in CPU-interpretable machine code, it can be injected and executed directly from memory, making it well-suited for process injection techniques.

Attackers commonly convert post-exploitation tooling into shellcode so that it can be injected directly into memory without touching disk.

Shellcode features and “benefits” (from the attacker’s perspective) include:

• Machine code: Shellcode is written in low-level machine code, not a human-readable language like C or Python.
• Compact: It is designed to be small and efficient in order to fit within the limitations of the exploit.
• Platform-specific: Shellcode is typically written for a specific architecture (e.g., x86, ARM) and operating system (e.g., Windows, Linux).

unsigned char shellcode[] = {
  0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 
  0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51
};

Shellcode like this is injected directly into memory. This example is compact, platform-specific, and not human-readable — traits that make it ideal for stealth attacks.

Please Note: This information is for educational purposes only. This shellcode does not execute a real payload.

How to Detect and Analyze Process Injection

While process injection is difficult to stop outright, defenders can reliably detect its presence in memory and system behavior using modern Endpoint Detection and Response (EDR) tools and forensic techniques.

Although techniques like process hollowing are designed to hide malicious code within trusted processes, the injection workflow itself is fairly predictable. This predictability gives EDR platforms and modern antivirus solutions an advantage, as they leverage behavioral heuristics, memory scanning, and anomaly detection to identify suspicious activity — even when no malware exists on disk.

Newer antivirus solutions often include memory monitoring and forensic capabilities that allow them to signature malicious memory regions directly, rather than relying solely on file-based

Defenders looking to detect process injection in real time or through post-incident analysis should pay close attention to the following indicators:

Memory Forensics:
– Unusual memory permissions (e.g., RWX)
– Injected code in non-module memory regions
– Signature-matched malicious memory content

Process Behavior:
– Child processes with suspicious parent-child relationships
– Unexpected threads inside common system processes (MITRE ATT&CK, n.d.)

Logging Tools:
– Sysmon (Event IDs 8, 10, 11) (SwiftOnSecurity, n.d.)
– ETW (Event Tracing for Windows)
– AMSI logs (for script-based loaders)
– EDR software

Process Injection: Real-World Use Cases

In order to run further post-exploitation activities, malicious actors and security testers will often rely on using “loaders” to load their tooling into memory via process injection techniques. This can involve loading C2 beacons into memory, or the usage of beacon object files (BOFs) to inject further known and easily detectable tooling (eg. Mimikatz) into memory (MITRE ATT&CK, n.d.).

Attackers will commonly attempt to obfuscate, encrypt, or otherwise disguise their injected shellcode to avoid memory detections, while simultaneously attempting to disguise the loader’s malicious behavior to avoid heuristic detection. It is no small feat, but it is what it takes to get code execution in the modern cyber landscape – and do not underestimate the lengths attackers will go to achieve their goals.

On the other hand, debuggers, EDR platforms, and other defensive tools may also legitimately rely on process injection techniques, as underscoring that injection itself is not inherently malicious (MITRE ATT&CK, n.d.).

Here’s a comparison of how process injection is used by different types of actors in the field:

Debuggers and defensive tooling themselves will also routinely rely on process injection techniques, as it can be a legitimate and normal process for benign software to rely on.

Enjoyed This Topic?

Learn more about EDR
Read our EDR blog: Endpoint Security: How EDR Helps Stop Cyber Threats
Read our previous knowledge article: Linux Persistence Techniques: How Attackers Maintain Long-Term Access

What’s Next?

In the next knowledge article, we’ll explore a real-world example of PowerShell-based process injection, showing how to:

– Spawn a process
– Inject shellcode
– Execute a remote thread
– And analyze detection techniques

Disclaimer: At DataYard, we believe it’s important to understand the methods an attacker might use to gain access to your system, so that we know what to look out for and be better prepared to defend against it. This article discusses common techniques attackers may use to maintain access to compromised systems. These behaviors are presented strictly for educational and defensive awareness purposes only. These are things you should watch out for!

References

Microsoft Learn. (n.d.-a). OpenProcess function (processthreadsapi.h). Microsoft. https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

Microsoft Learn. (n.d.-b). VirtualAllocEx function (memoryapi.h). Microsoft. https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex

MITRE ATT&CK. (n.d.). T1055: Process injection. https://attack.mitre.org/techniques/T1055/

SwiftOnSecurity. (n.d.). Sysmon configuration for detecting malicious activity. GitHub. https://github.com/SwiftOnSecurity/sysmon-config