MITRE ATT&CK T1055.002 Process Injection: Portable Executable Injection

Portable Executable (PE) Injection is a process injection technique that allows adversaries to execute malicious code by injecting an entire PE file directly into the memory of a legitimate process. This technique is widely used in modern cyberattacks to evade detection, bypass security controls, and execute payloads stealthily. Unlike traditional file-based execution, PE injection enables attackers to run malicious code without writing an actual executable file to disk, making it significantly harder for antivirus and endpoint detection and response (EDR) solutions to detect the attack.

In this blog post, we explain the T1055.002 PE Injection technique of the MITRE ATT&CK® framework and explore how adversaries employ PE injection with real-world attack examples in detail.

The Red Report 2025 The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries GET THE REPORT

What is Portable Executable (PE)?

Portable Executable (PE) is a file format for executables, object code, and DLLs in Windows operating systems. PE provides a standardized way for the operating system to manage and execute applications, including handling the various aspects of code and data involved in complex software programs. The PE format is used by files with extensions such as .exe, .dll, .sys, .ocx, and .scr, making it essential for the functionality of Windows applications.

The PE format is designed to be portable, meaning it can be executed on different versions of Windows without modification. It includes various sections that store executable code, data, imports, exports, and resources such as icons or menus. Some of its key components include the DOS Header, which maintains backward compatibility with older systems. Another key component is the PE Header. It provides metadata about the executable and sections like .text, .data, and .rsrc, which contain code, variables, and resources.

Adversary Use of Portable Executable Injection

PE injection attacks follow a path similar to DLL injection. The difference lies in the use of the WriteProcessMemory function. Instead of writing the path to the malicious DLL within the allocated memory of the target process, adversaries write their malicious code in that memory. 

Although it seems stealthy, PE injection has an inherent challenge. When adversaries inject their PE into the target process's memory, the injected code acquires an unpredictable new base address. To overcome this problem, adversaries design their malware to locate the host process's relocation table address and resolve the cloned image's absolute addresses via a loop over its relocation descriptors.

Below is the general attack lifecycle of PE Injection:

1. Process Handle Acquisition: Attackers obtain a handle to the target process using the OpenProcess Windows API with appropriate access rights, allowing them to perform operations such as memory manipulation within the target process.

2. Selecting and Preparing the PE File: The appropriate PE file to be injected is selected. Attackers determine the PE's preferred image base address, which is the address where the code expects to be loaded in memory. The size of the PE, necessary for its operation in memory, is acquired.

3. Local Memory Allocation and PE Copy: A block of memory is allocated within the attacker's local process, copying the selected PE image here. This action allows attackers to modify the PE image if needed before injection, including accommodating new base addresses or resolving addresses of imported functions.

4. Allocating Memory in Target Process: Using VirtualAllocEx, attackers allocate memory in the target process's address space, creating space for the injected PE file. This space must be sufficient to hold the entire PE file and have execute-read-write permissions. The base address of this memory block is referred to as target_address.

5. Calculating Delta and Patching PE: The delta between the local copy's address (local_address) and the target allocation (target_address) is calculated to aid any necessary relocations within the PE file to match the target address space. The PE file is then patched or adjusted based on the delta to ensure it will execute correctly when loaded at the target_address instead of its preferred base address.

6. Injecting the PE into the Target Process: The patched PE file is transferred from the attacker's local process to the allocated memory block in the target process using WriteProcessMemory. This ensures the entire image is correctly positioned in memory where it can be executed.

7. Executing Injected PE: A remote thread is created within the target process using CreateRemoteThread, with its entry point set to the InjectionEntryPoint function of the now-injected PE file. This triggers the execution of the injected PE, effectively starting the malicious code in the context of the target process.

Throughout this lifecycle, attackers must carefully handle the PE file and the target process to ensure successful injection and execution. This includes dealing with potential hurdles like Address Space Layout Randomization (ASLR), which can change base addresses, and ensuring that any dependencies (like specific DLLs or system resources) are correctly resolved.

Portable Executable (PE) injection attack is commonly leveraged in the wild. In August 2024, adversaries were reported to distribute a malware dropper called SystemBC [1]. The malicious payload was delivered as an email attachment named YandexDiskSetup.exe. When users execute the file, the malware deploys a beacon via local PE injection. The beacon then reaches out to the adversary's C2 server to download and install SystemBC onto the compromised system.

References

[1] T. McGraw, "Ongoing Social Engineering Campaign Refreshes Payloads," Rapid7, Aug. 12, 2024. Available: https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads